Every fall, the SEC’s Division of Examinations publishes its priorities for the coming fiscal year. Most RIA operators read it for the compliance angles: fiduciary standards, conflicts of interest, Form ADV disclosures. That approach is no longer sufficient.
The 2026 priorities, published in November 2025, dedicate substantial attention to information security and operational resiliency, and they do so with a specificity that signals examiner intent. This is not boilerplate. Cybersecurity governance, identity theft prevention programs, Regulation S-P incident response requirements, and AI policy oversight all appear by name. If your RIA’s IT program does not reflect what is written in those pages, you have a documented gap. Examiners will find it.
This post translates the relevant sections into operational terms for RIA principals, COOs, and compliance officers. Here is what will draw attention, what documentation you need in place, and where the most common gaps are showing up.
The IT-Related Priorities, Section by Section
Cybersecurity Governance
The Division’s 2026 priorities state that examiners will focus on “governance practices, data loss prevention, access controls, account management, and responses and recovery to cyber-related incidents, including those related to ransomware attacks.”
Translated, that means four things need to be documented and defensible:
A written cybersecurity policy that reflects how your firm actually operates. Not a template downloaded five years ago and never updated.
Access control logs showing who has access to what, including how access is provisioned, reviewed, and revoked for departing employees.
A data loss prevention posture, whether through technical controls, vendor configuration, or both.
An incident response plan with named owners, defined escalation paths, and evidence that staff have been trained on it.
The 2026 document also calls out “training and security controls that firms are employing to identify and mitigate new risks associated with artificial intelligence (AI) and polymorphic malware attacks.” Polymorphic malware rewrites itself continuously to evade signature-based detection and is increasingly common in financially motivated attacks. If your endpoint security relies solely on traditional antivirus, that conversation belongs on your next agenda with your IT and cybersecurity partner.
Regulation S-P: Incident Response Is Now Required
The 2024 amendments to Regulation S-P formalized what many larger institutions had been doing and extended those requirements to smaller SEC-registered investment advisers. The compliance deadline for smaller advisers was June 3, 2026. This examination cycle, examiners will be checking for compliance.
What the amended rule requires:
A written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to customer information.
Timely notification procedures for affected individuals when a breach occurs.
Administrative, technical, and physical safeguards for the protection of customer information.
The Division will examine whether firms have “developed, implemented, and maintained policies and procedures” in accordance with the rule’s new provisions. Having a policy document is necessary but not sufficient. Examiners will want evidence that the program has been implemented and that vendor relationships are covered.
Third-party vendor oversight is an explicit focus. If you use a portfolio management platform, a CRM, or any cloud-based service that touches client data, your incident response program needs to address how you handle a breach that originates at that vendor.
Regulation S-ID: The Written Identity Theft Prevention Program
Regulation S-ID requires covered financial institutions to maintain a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with covered accounts. Examiners will assess whether the program:
Is reasonably designed to identify and detect red flags, particularly around account takeovers and fraudulent transfers.
Includes staff training on identity theft prevention.
Account takeover fraud targeting high-net-worth clients is a growing threat vector. RIAs that hold custody or facilitate transfers are particularly exposed. If your firm does not have a documented red flag detection process covering things like address changes followed by wire requests or login anomalies from unfamiliar devices, treat this as a near-term priority.
AI and Emerging Financial Technology
This section of the 2026 priorities deserves close attention because it signals where examiner scrutiny is heading.
The Division will assess whether firms have implemented adequate policies and procedures to monitor and supervise their use of AI technologies. It will also review the accuracy of representations firms are making about their AI capabilities in disclosures, marketing materials, and client communications.
In practical terms, if your firm is using any AI-assisted tool, whether that is a meeting notes tool, a proposal generator, a client communication assistant, or an AI-enhanced research platform, three things need to be in place.
First, a written AI acceptable use policy that defines what tools are permitted, what is prohibited, and what requires supervisory approval. If advisors are using AI tools in client-facing workflows without a documented governance framework, that is a gap.
Second, any vendor platform with embedded AI creates vendor oversight obligations. Your Reg S-P incident response program should address AI-assisted processes specifically, including what happens if an AI-enabled vendor experiences a breach or a model failure.
Third, disclosures need to match reality. If your Form ADV or marketing materials describe how technology supports client service, those descriptions must accurately reflect the tools in use and their limitations. The Division has stated it will review the accuracy of registrant representations regarding AI capabilities.
If your firm is evaluating managed AI services, this framework applies equally to how you govern those capabilities.
Where the Gaps Will Show Up
Based on the 2026 priorities and patterns from prior exam cycles, the most common documentation failures tend to cluster in four areas.
Policies that are not current. Cybersecurity policies written before your firm moved to cloud infrastructure, adopted remote work, or added AI tools to your workflow do not describe your actual operating environment. Examiners compare the document to the environment they observe.
Vendor oversight that is underdocumented. Relying on a vendor’s SOC 2 report is not the same as having a documented vendor oversight process. The 2026 priorities call out third-party vendor oversight under cybersecurity, Reg S-P, and Reg S-ID. Each section requires you to document what you assessed, when, and what you found.
Incident response plans without training evidence. A policy sitting on a shared drive with no record of staff training is a liability, not a safeguard. Examiners will ask about training cadence and documentation.
Annual compliance reviews that skip IT. Rule 206(4)-7 requires advisers to review the adequacy and effectiveness of their compliance program annually. If that review does not include a formal evaluation of your cybersecurity posture, access controls, and vendor risk, the 2026 priorities suggest that gap will receive attention.
Steps to Take Before an Examiner Arrives
None of what the SEC describes in the 2026 priorities is unreasonable. The challenge for most smaller RIAs is bandwidth. Running an investment advisory practice leaves little time for the documentation and governance work that an IT compliance review demands. A few concrete steps:
Review your cybersecurity policy against your current environment. If it does not reflect how your firm stores, accesses, and transmits client data today, update it.
Confirm your Reg S-P incident response program is in place and covers your vendors. If the June 2026 compliance date passed without a formal program, address this immediately.
Document your vendor oversight process. For every vendor that touches client data, maintain a record of what oversight activities you have performed and when.
Build training documentation. For cybersecurity and identity theft prevention, maintain records of who was trained, on what, and when.
If your firm is using AI tools, draft an acceptable use policy and verify that your Form ADV disclosures accurately describe your use of technology in client-facing workflows.
Techvera Works with RIAs on This
Techvera’s Compliance Readiness practice helps financial services firms close the gap between regulatory requirements and actual IT operations. We work with registered investment advisers on cybersecurity policy development, vendor risk assessments, Reg S-P incident response program buildout, and the ongoing documentation practices that hold up under examiner scrutiny.
If your firm is heading into an exam cycle and you want an independent view of where your IT program stands, schedule a conversation with our team. No obligation. We will tell you where you are exposed and what it takes to close the gap.
About the Author
Team Techvera
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
