The SEC’s M Holdings Enforcement Highlights the Importance of IT Fundamentals

Keyboard with a compliance button, representing SEC cybersecurity enforcement and IT controls for RIAs.
TL;DR
– The SEC’s action against M Holdings wasn’t simply about multi-factor authentication (MFA).
– The case highlights the importance of implementing and maintaining basic security controls and not just documenting them in policy.
– For most RIAs with 5–25 employees, those controls are standard enterprise IT practices that are relatively straightforward to put in place with the right partner.

When the SEC announced its enforcement action against M Holdings, most discussions focused on multi-factor authentication (MFA).

While MFA is one of the most effective ways to help prevent unauthorized access, the order was not just about whether one setting was turned on. It was about whether required controls were implemented across the organization and checked over time.

The case is a reminder that written security policies are only part of the equation. Regulators also expect firms to put those policies into practice and maintain them over time.

What Happened?

In November, the SEC announced settled charges against M Holdings related to alleged violations of Regulation S-P’s Safeguards Rule and Regulation S-ID.

According to the SEC’s order, M Holdings had written cybersecurity policies that required controls such as multi-factor authentication, security awareness training, and incident response planning. The SEC found those controls were not implemented consistently across affiliated firms, despite the organization being aware that gaps existed.

While much of the attention has centered on MFA, the SEC’s findings point to something broader: documenting security expectations isn’t enough if those expectations aren’t consistently carried out.

Security Is About Consistency

Regulatory cybersecurity actions don’t just stem from highly sophisticated attacks or advanced technical failures.  In this order, the security controls discussed are widely recognized best practices. They aren’t unique to large financial institutions, nor do they require highly specialized technology. They form the foundation of what most organizations would consider a mature IT environment – regardless of the size of firm.

Effective cybersecurity isn’t built around a single product or setting like MFA. It’s the result of a collection of security practices that work together and continue to be monitored as the business changes.

Those practices commonly include:

  • Multi-factor authentication for every user
  • Managed and regularly updated devices
  • Ongoing security awareness training
  • A documented incident response plan
  • Regular reviews to confirm security controls remain in place

Individually, none of these measures is particularly remarkable. Together, they create the kind of layered security approach that regulators increasingly expect firms to have.

Enterprise Security Isn’t Reserved for Large Firms

A common misconception is that enterprise-level security requires enterprise-level budgets.  In reality, many of the controls discussed in the SEC’s order are standard capabilities available through platforms such as Microsoft 365 when they’re properly configured and managed.

If you’re a smaller RIAs, purchasing additional technology often isn’t required to meet your SEC IT requirements. 

Want to Know Where Your Firm Stands?

If you’re unsure whether your firm’s IT environment reflects today’s security expectations, RIA WorkSpace can help.

We work exclusively with RIAs, helping firms implement, manage, and monitor the security controls that support both day-to-day operations and regulatory requirements.

Whether you’re evaluating your current environment or considering a change in IT providers, we’d be happy to discuss your firm’s security posture and identify opportunities for improvement.  Book a Discovery Call to get started. 

Share: