SEC Charges IA/BD with Deficient Cybersecurity and Identity Theft Prevention Programs (11/25/25)
The SEC brought a settled action against M Holdings Securities, Inc., a dually registered investment adviser/broker-dealer, for failing to maintain reasonably designed policies and procedures concerning cybersecurity, the protection of customer information, and identity theft prevention. The SEC noted that the firm, which operated nationwide out of 120 branch offices, failed to adopt written information security policies and procedures until September 2020, and that such procedures were not properly designed to address known security weaknesses that had resulted in multiple email account takeovers across such offices that exposed personal information of approximately 8,500 individuals. The SEC highlighted the firm's failure to require multifactor authentication (MFA) by its representatives, conduct annual security awareness training, or establish a written incident response plan until March 2024. Moreover, the SEC alleged that the firm failed to implement an adequate identity theft prevention program because it did not periodically determine whether the firm offered or maintained covered accounts, as identified under Regulation S-ID, and did not periodically update policies and procedures to reflect changes in risks related to ongoing cybersecurity incidents. The SEC charged the firm with failures under Regulation S-P and Regulation S-ID, and the firm agreed to pay a $325,000 penalty to settle the charges.

As investment advisers and brokers focus their efforts on complying with recent amendments to Regulation S-P, it is important that they reevaluate and confirm that their information security policies are informed by security incidents that they have experienced, effectively identify and address risks based on their business models, and incorporate industry best practices such as MFA and robust training programs.
While we do not expect the SEC to quickly begin bringing enforcement sweeps based on its examinations for compliance with amended Reg S-P, this case demonstrates that firms will nevertheless be held responsible for flagrant deficiencies in their cybersecurity programs and failure to promptly and effectively respond to security breaches.