The Securities and Exchange Commission (SEC) is setting the tone after several moves last year making clear information security would no longer be optional, including a $1 million data-breach settlement by Voya. The Financial Industry Regulatory Authority and state regulators have also been looking harder at cybersecurity.