Originally published by Align on February 25, 2025
A New Era for Cybersecurity in Financial Services. Is your Firm Ready?
The Securities and Exchange Commission’s (SEC) formation of the Cyber and Emerging Technologies Unit (CETU) signals a heightened regulatory focus on cyber-related misconduct, fraud, and compliance. As digital threats evolve, financial services firms—especially in the alternative investment space—must be prepared for increased scrutiny and enforcement.
At Align Managed Services, we recognize that navigating these regulatory shifts requires more than just best-in-class security solutions—it demands industry-wide collaboration. That’s why we’ve partnered with some of the alternative space’s greatest resources to share their perspectives in our latest Align Insights article. From legal experts and cybersecurity leaders to industry veterans, top executives, and key stakeholders in the alternative investment space, we’ve gathered diverse insights on how firms can proactively fortify their security posture while driving innovation in an increasingly complex regulatory landscape. With the SEC prioritizing issues like AI-driven fraud, hacking, and cybersecurity compliance, staying ahead of these challenges is critical. Organizations can meet this challenge by investing in the right processes, people, tools, and technology, ensuring they stay ahead of regulatory expectations while strengthening market integrity and investor confidence.
In our latest Align Insights article, we’ve gathered perspectives from top industry leaders who share their expert take on how these regulatory changes will shape the future of cybersecurity and alternative investments. Read on for their insights.
Vinod Paul, President, Align Managed Services
Insights into the Announcement of the Cyber and Emerging Technologies Unit by the SEC
From Alex Bazay, Chief Information Security Officer, Align
A significant step toward enhancing risk oversight in cyberspace has been taken with the announcement by the SEC of the creation of the Cyber and Emerging Technologies Unit (CETU). This new entity will replace the existing Crypto Assets and Cyber Unit created by the previous SEC Chairman Gary Gensler.
The former Crypto Assets and Cyber Unit had already established a cybersecurity enforcement foundation, but its scope was primarily focused on crypto-related misconduct. Also, the earlier SEC actions, such as 2023 cybersecurity guidance for public companies and enforcement against weak cyber disclosures, were more reactive in nature. The hope is that with the creation of a new unit, the regulator will adopt a more proactive and balanced approach to cyber risk, integrating the lessons learned from the past.
The newly created unit will have a broader mandate, shifting its primary focus from cryptocurrency to a wider technology landscape and specifically on emerging technologies like artificial intelligence, machine learning, and blockchain. Additional areas of interest for the CETU include the use of social media, the dark web, hacking, and takeovers of retail brokerage accounts. For the investment community, the specific interest will be the new unit’s focus on the “regulated entities’ compliance with cybersecurity rules and regulations” and “fraudulent disclosure relating to cybersecurity.”
In summarizing the implications of this news for financial institutions, it appears that regulatory scrutiny and oversight will only increase rather than decrease. Practically speaking, investment firms of all sizes should anticipate a rise in enforcement actions and stricter compliance requirements. This only highlights the necessity of adopting strong risk management and cybersecurity as well as adequate technology controls.
From Gary Berger, Partner and Financial Services Industry Leader, Northeast, CohnReznick
The SEC's Cyber and Emerging Technologies Unit (CETU) could offer substantial benefits to the financial services community. By protecting investors from cyber-related misconduct, the CETU enhances trust and confidence in the market. Ensuring a safer investment environment will facilitate additional capital formation and attract more investors. Efforts to combat fraud and misuse of emerging technologies should contribute to overall market efficiency, promoting fair and transparent financial practices. These measures collectively support a robust and resilient financial ecosystem, benefiting all stakeholders.
From Jeff Boyd, CEO, Northern Trust Hedge Fund Services, North America
The SEC’s Cyber and Emerging Technologies Unit will serve an important role in protecting investors as financial markets continue to innovate and integrate AI, blockchain and other evolving capabilities. For Alternatives Asset Managers trading across Private and Public markets, this development presents both challenges and opportunities. Firms must ensure they remain compliant with evolving cybersecurity regulations, particularly as the SEC increases scrutiny on third-party vendor security and incident response protocols. However, this heightened regulatory focus presents an opportunity for firms to differentiate themselves by demonstrating market leading cybersecurity practices. Best practices in this evolving landscape include conducting regular cybersecurity assessments, implementing multi-layered security controls, and fostering a culture of cyber awareness across all levels of an organization.
As a middle office and fund administration provider to some of the most sophisticated global Alts Managers, there is nothing more important to us, our clients, their investors, and our entire community of stakeholders as the need to manage against cyber and data risk. Effective data management and operational processes such as real time trade matching, digitally enforced cash management processes, and independent trade reconciliation, are essential for Alternative Asset Managers and their investors to maintain security, efficiency, compliance and operational resilience at scale.
From Jacob Cane, Managing Director, Head of Cybersecurity Risk Services, Salus GRC
The newly announced Cyber and Emerging Technologies Unit (CETU) is expected to have a significant impact on investment managers. The key takeaway is a continued shift toward a more structured crypto regulatory environment, aimed at promoting capital formation through clearer rules and increased confidence in digital assets and emerging technologies.
CETU’s mandate also carries significant implications for traditional investment managers. Among its seven listed priorities are combating “[h]acking to obtain material nonpublic information” and ensuring “[r]egulated entities’ compliance with cybersecurity rules and regulations.” These priorities underscore the administration’s commitment to strengthening cybersecurity—both in mitigating real-world risks and ensuring compliance among registered investment advisors (RIAs).
Perhaps the most promising yet uncertain impact of CETU for traditional managers is the potential for greater regulatory clarity around cybersecurity. CETU reinforces the administration’s stance that regulatory uncertainty hinders market confidence in crypto growth and aims to provide clearer guidelines as a business-friendly measure. Similarly, cybersecurity regulations remain evolving, and many managers and investors welcome increased clarity. If CETU views regulatory clarity as essential to fostering capital formation in crypto, it may take a similar approach to broader cybersecurity regulations.
From Ryan Castle, Founder & CEO, Conduit Security
It is great to see the SEC deploying resources to protect these emerging technologies. While there is a huge opportunity for asset managers in these spaces, there is an even larger opportunity for criminals. Not only can criminals defraud investors and managers, their activity erodes trust in these newer markets.
As always, a challenge for managers will be compliance with regulations, both existing and proposed. Given CETU's mission, I suspect there will be additional emphasis on reporting of cybersecurity events. To effectively deploy resources, the SEC will require accurate and timely reporting of events. However, this puts a burden on managers. Of note, wire fraud and social engineering losses are not generally reported today but will likely be of interest to CETU's mission.
For all organizations, it's going to be critical to have technical controls to enforce any policies, especially around cybersecurity. For every policy and procedure, especially around cash controls, is your organization able to prove the policy was followed? Is there a control in place that prevents human error or missteps if it's not?
From John Coursen, Founding Partner & Chief Information Security Officer, Fortify Cyber
As a cybersecurity advisor in the Alternative Investment space, I view the SEC’s Cyber and Emerging Technologies Unit (“CETU”), announced February 20, 2025, as a defining moment. For firms using AI, blockchain, and/or proprietary data (i.e. everyone) the challenge is clear: expect to see intensified focus on cyber risks.
The newer risks from threat actors leveraging AI to attack faster, more effectively, and with more stealth, not only require sound policies, but also sound practice with rock-solid defenses for protecting client assets.
Best practices are now table stakes. We believe good cybersecurity drives good compliance. Firms will need to stress-test security with real breach scenarios as well as leverage the good AI tools to fight the bad AI targeting them. They must patch vulnerabilities faster than ever before and keep incident response and breach notification plans sharp. This new “normal” will ensure firms align with CETU’s expectations, turning compliance into a byproduct of strong cyber habits.
Looking ahead, the SEC’s CETU has the opportunity to reshape the approach to data protection in financial services. We’re very early days here, but we hope it points to a future where cybersecurity is as vital as alpha generation. Firms that embed resilience through advanced threat detection, response, remediation, and regulatory alignment will not only meet CETU’s standards, but transform scrutiny into strength. After all isn’t that what it’s all about?
From Keith R. Diamond, Managing Partner, TrustServe LP
The establishment of the Cyber and Emerging Technology Unit (CETU) is a positive step forward, especially given the rapid expansion of less-regulated financial products, the rise of emerging technologies, and the increasing prevalence of cybercrime, phishing, and other technology-driven threats in the financial sector.
While this new unit has the potential to drive meaningful improvements, investment advisers and investors should remain vigilant and committed to best practices for protecting sensitive data and operations. For investment advisers, this means implementing robust security frameworks, adopting a zero-trust approach, deploying secure cloud-native solutions with continuous monitoring, and conducting independent audits to validate security measures. Additionally, using Multi-Factor Authentication (MFA) and traditional verification methods, such as callback procedures, can provide essential safeguards against cyber threats.
Given the ever-evolving nature of cyber risks, organizations should also engage trusted cybersecurity experts, like Align, to continuously assess and enhance their security posture.
From Ed Fasano, Co-Founder, EAC LLC
The introduction of the Cyber and Emerging Technologies Unit (CETU) presents both challenges and opportunities for managers in the alternative investment space.
The challenges include the costs and expertise needed for the new requirements to ensure that managers are in compliance with the new regulations. Many of the managers that we work with utilize outsourced compliance and technology providers, and we anticipate new costs and requirements with this new regime. The increase in compliance and technology costs could impact profitability and investor sentiment in a tough capital raising environment. Cybersecurity, compliance, and operational workflow are and will always be key aspects of the Institutional infrastructure that we set up at EAC, and that will not change with this new development.
While there are challenges, there are also opportunities with the CETU. We anticipate changes in the due diligence process and the questions that investors are asking managers in how they utilize cyber and fin-tech in their strategies. These new questions are likely to bring innovation into the discussions that investors and managers are having with one another, and internally. At EAC we will be here to advise our clients on how to best set themselves up for the new regulatory environment brought on by the CETU. We will work with our partners in the industry, like Align, and our other compliance partners on how best to handle this new environment, from a cost, efficiency, and best practice standpoint.
From Ronan Guilfoyle, Co-Founder, Calderwood
It is not really a great surprise that the new administration at the SEC is squarely focused on protecting retail investors in the crypto space. There have been significant industry discussions recently regarding a likely shift in priorities towards uncovering fraud and there has been no slowdown in the number of bad actors looking to take advantage of retail investors through scams using social media and other emerging technologies. It also follows a similar announcement from the CFTC targeting frauds that exploit retail market participants.
From an alternative investment fund perspective, crypto asset regulation is an area that demands fiduciary attention, especially amid uncertainty still surrounding the jurisdiction of regulators and where digital assets may be deemed a security. Clearly there will be further developments to come, but one area where I expect to see more clarity is guidance on how industry participants can comply with the various rules, which from my discussions is something that would be very welcome.
Mohammad Hayat, Partner, Asset Management, Grant Thornton
The launch of SEC’s Cyber and Emerging Technologies Unit (CETU) represents a significant step in addressing the evolving landscape of cybercrime and emerging technologies like AI, blockchain, and crypto assets. I believe a key challenge for CETU will be ensuring that enforcement doesn’t suppress technological innovation, especially in fintech and crypto, where retail investor participation is growing. Given emerging tech is a double-edged sword (e.g. AI can enhance both fraud detection and deepfake attacks), CETU’s success will depend on its ability to strike a balance between enforcement and innovation. On a positive note, CETU’s creation allows for partnerships with fintech firms, cybersecurity experts and other service providers, leveraging their expertise to refine regulatory approaches to bring more certainty to the crypto capital markets.
From a global perspective, SEC’s initiatives generally have a ripple effect across other financial jurisdictions and CETU’s focus on cybersecurity and crypto could inspire regulators in other parts of the world to implement similar measures.
As an auditor in the financial services sector, I recommend all industry participants to adopt comprehensive cybersecurity policies, aligned with standards like NIST or ISO 27001, which provide a strong foundation for technological innovation. Another way organizations can position themselves for success is by engaging quality service providers, especially cybersecurity experts.
From Taylor Ingraham, Partner, ASC Advisors
As adoption of A.I. and other emerging technologies continues to expand across the alternative investing universe, it is critical that managers remain aware of how their firm is portrayed in the public sphere and to be prepared to respond quickly in case of any imposter or fraudulent activity. The formation of the CETU brings further light to many of the security issues managers and investors are facing and should be paying close attention to, including in crypto, as the market and use of these technologies continues to rapidly shift and evolve. As communications advisors working exclusively in the alternative investment space, we engage closely with managers around preparing for, including conducting audits, developing and executing response strategies to help mitigate reputation and business risk associated with inaccurate, misleading or fraudulent information being disseminated to LPs, prospects, regulators or other key third parties. Having a current grasp over your public profile, cyber security systems in place and an understanding of how technology solutions interact across platforms are critical first steps that allow managers to communicate accurately and effectively with LPs and regulators if a breach or other situation does arise.
From Robert Johnston, CEO, Adlumin (Acquired by N-able)
The Securities and Exchange Commission’s (SEC) Cyber and Emerging Technologies Unit (CETU) represents a significant regulatory advancement aimed at addressing the increasing complexity and risks associated with emerging technologies in the alternative investment industry. By broadening its focus beyond cryptocurrencies to include artificial intelligence (AI), blockchain, social media fraud, and cybersecurity compliance, the CETU is poised to reshape the landscape of alternative investments.
Challenges and Opportunities for the Alternative Investment Space
The CETU introduces both challenges and opportunities for the alternative investment industry. Among the key challenges is the heightened regulatory scrutiny that fund managers, private equity firms, and hedge funds must now navigate. Given that alternative investment strategies often incorporate AI-driven algorithms, machine learning models, and blockchain-based assets, firms must ensure their technology usage aligns with SEC compliance standards. Additionally, cybersecurity risks—such as hacking incidents targeting material nonpublic information or unauthorized takeovers of brokerage accounts—pose a growing threat to firms and investors alike.
On the other hand, CETU’s establishment also presents opportunities for firms that prioritize regulatory compliance and robust cybersecurity measures. Investors are increasingly concerned about digital security, and firms that proactively address these risks can differentiate themselves in the market. Furthermore, CETU’s mandate to foster innovation rather than stifle it suggests that firms engaging with emerging technologies responsibly can gain regulatory clarity and potential SEC support for innovative investment structures.
Best Practices for Cybersecurity, Compliance, and Data Protection
In light of the CETU’s focus areas, alternative investment firms should adopt best practices to ensure compliance and data security. Key recommendations include:
Enhanced AI and Algorithmic Transparency – Firms leveraging AI for trading, risk analysis, or investment decision-making should document their models’ decision-making processes and establish mechanisms for detecting biases, ensuring compliance with SEC fraud prevention guidelines.
Social Media and Dark Web Monitoring – Given the SEC’s concern over misinformation and fraud via social media and false websites, firms should implement tools to monitor online narratives about their investments and promptly address any fraudulent claims.
Cybersecurity Risk Assessments – Regular penetration testing, vulnerability assessments, and employee training programs can help mitigate risks related to hacking, phishing attacks, and unauthorized account takeovers.
Blockchain and Crypto Compliance Frameworks – Firms engaged with digital assets should establish clear regulatory compliance procedures, including Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols, in alignment with evolving SEC expectations.
Regulatory Reporting and Disclosure Standards – Public issuers and alternative investment funds should enhance their cybersecurity disclosure practices, ensuring transparency about potential cyber risks and incidents.
Future Impact of the CETU on Alternative Investments
Looking ahead, the CETU is expected to drive increased regulatory enforcement actions, particularly in AI-driven fraud, crypto asset compliance, and cyber-related disclosures. As AI-generated misinformation becomes more sophisticated, firms will need to implement advanced verification methods to distinguish reliable data from fraudulent information. Additionally, the unit’s focus on fostering innovation suggests that regulatory clarity may lead to the development of more secure and compliant investment products leveraging AI and blockchain.
Ultimately, the CETU’s role in shaping the alternative investment landscape will depend on firms’ ability to integrate strong cybersecurity and compliance frameworks while embracing technological advancements responsibly. Those that do will not only meet regulatory expectations but also position themselves as trusted players in an evolving digital investment ecosystem.
From James Mignacca, CEO, Cavelo
The SEC’s newly announced Cyber and Emerging Technologies Unit marks a significant shift in regulatory oversight for financial institutions. This initiative impacts the entire investment sector, from small funds to large firms, reinforcing that cybersecurity is no longer optional—it’s a necessity. However, despite the latest amendments, key areas remain unclear, leaving firms uncertain about specific compliance requirements. From a best practices standpoint, understanding data hygiene—where data resides, who has access to it, and how it’s managed—is critical to meeting compliance standards. To stay ahead, alternative investment firms should adopt proactive cybersecurity measures, such as continuous data discovery, real-time risk assessment, and robust incident response protocols. Automation and AI-driven tools can also help streamline compliance efforts and mitigate risks associated with third-party exposure. Looking ahead, we anticipate the SEC will intensify audits to verify adherence to cybersecurity frameworks, likely focusing on best-effort compliance rather than rigid enforcement. Ultimately, firms that have not yet strengthened their cybersecurity posture will have no choice but to do so—an outcome that benefits the entire financial ecosystem. As data hygiene takes center stage, firms will need to rethink data retention policies, liability exposure, and breach response planning to align with evolving regulatory expectations.
From Frank Napolitani, Managing Partner, Cartesian FinOp Partners
The SEC’s creation of the Cyber and Emerging Technologies Unit (CETU) marks a significant shift in regulatory oversight, as it will focus on combating cyber-related misconduct and ensuring compliance with evolving cybersecurity regulations. For registered fund managers, this development underscores the need to prioritize robust cybersecurity measures and transparent disclosures to mitigate risks and avoid penalties.
As a provider of outsourced accounting/finance and investment operations services to alternative investment funds, we see this as an opportunity for these funds to strengthen their operational resilience. By outsourcing critical back-office functions, such as financial reporting and compliance monitoring, fund managers can ensure that their operations align with regulatory expectations while focusing on core investment strategies. Additionally, leveraging outsourced expertise can help funds implement advanced cybersecurity protocols efficiently, reducing both financial and reputational risks.
The CETU’s emphasis on areas like AI fraud, blockchain misuse, and cybersecurity compliance highlights the importance of integrating technology-driven solutions into fund operations. Partnering with specialized providers ensures that alternative investment fund managers remain agile in adapting to these regulatory changes while maintaining investor confidence.
From Chris Zadrima, Chief Operating Officer, Align
The SEC's reorganization and replacement of the Crypto Assets and Cyber Unit into the Cyber and Emerging Technologies Unit (CETU) signify the SEC's movement away from treating digital assets as securities and more towards protecting retail investors from cyber and technology-related misconduct in areas such as AI fraud, blockchain misuse, and cybersecurity compliance.
While this new department within the SEC appears to focus more on protecting retail investors from fraud rather than enforcing guidance or policies in the alternative investment industry, it reiterates the increasing importance of having robust cybersecurity controls and policies to safeguard organizations against the evolving technology threat landscape. The heightened regulatory focus on cybersecurity will remain crucial as it requires firms to implement tight cybersecurity controls and provide cybersecurity education and training to their employees. This ensures that firms are prepared to handle cyber threats and maintain compliance with regulatory standards.
Serving as a key service provider, Align Managed Services partners with our clients to address these challenges by going beyond mere compliance. We focus on integrating robust technology and cybersecurity frameworks that mitigate the risk of fraud, hacking, and other malicious activities. Our clients must make substantial investments in their security infrastructure, and we work alongside them to ensure their teams are equipped with the expertise needed to tackle evolving threats.
Ultimately, the SEC’s new unit serves as a reminder that innovation must go hand-in-hand with responsibility. The financial services industry must be prepared to adapt and ensure that new technologies are harnessed safely to protect investors and maintain trust.
