The SEC supervises brokers and investment advisers and people in those professions know that periodic compliance visits can get very granular.  We all also know that the SEC is deeply interested in protecting the investing public.

Latest SEC move: at end of August, the Commission levied hundreds of thousands of dollars of fines against brokerages and advisory firms based on failure to maintain cyber security over customer data. Client emails were hacked though on the cloud.  The Commission also has complained against at least one firm where there was no hack but a failure to maintain robust data security.

Although rules covering cyber for brokers and advisers are old and general, they do require written policies (SEC) and periodic review (Advisers Act).  Clearly the SEC has broad general supervisory powers, so it is clear that they do not think there is a need for more rule-making as part of its enforcement tool kit.