The SEC is done playing around. This summer, particularly August, the SEC has demonstrated its resolve to bring the cyber house to order, first by actions against public companies for alleged poor cyber disclosures and the governance around such disclosures, and then by actions against SEC registrants (e.g., broker-dealers and investment advisers) alleging failures to implement basic cybersecurity controls even when internal policies called for such controls. The later actions, as noted, were aimed at broker-dealers and investment advisers, but the ramifications are much broader. 

Please read our analysis in this DigiLinks post