The SEC’s 2026 Examination Priorities are here. Legacy obligations, including fiduciary standards of conduct, still matter. But 2025 surfaced new requirements and opportunities that demand attention. From vendor management to cybersecurity preparedness to AI governance, examiners are zeroing in on how wealth management firms and registered investment advisers (RIAs) implement and document their compliance programs — not just whether policies exist on paper.
Below are five critical takeaways to help your firm strengthen its compliance and vendor management programs and ensure you’re prepared for future exams.
1. Make vendor oversight a priority
Third-party risk management (TPRM) is a prominent topic in this year’s SEC exam priorities. While not a new focus — FINRA addressed vendor risk for the first time in its Annual Regulatory Oversight Report last year — vendor management now appears explicitly across multiple regulatory priority areas. This breadth signals a fundamental shift: the SEC is moving beyond treating vendor management as a narrow oversight function and increasingly recognizing it as critical infrastructure that underpins firms’ core operations and business functions.
TPRM will be a priority when the SEC examines areas such as:
- Regulations S-P and S-ID: The Division will assess internal controls, governance, and oversight of third-party vendors and practices related to safeguarding customer information and preventing identity theft. This includes ensuring vendors report breaches within 72 hours and maintaining documentation of vendor oversight activities — including artificial intelligence (AI) usage.
- Broker-dealers: The Division will assess the supervision of vendor-provided services that contribute to records used for financial reporting and change management. This goes beyond traditional vendor oversight to examine how vendors support core operational and compliance functions.
- Emerging financial technology: The priorities address oversight of outsourced providers, particularly those providing AI tools, algorithmic services, or other automated technology solutions.
Takeaway: The SEC is looking beyond whether you have vendor contracts in place. Maintain ongoing oversight, documented governance, and functioning controls that prove your firm is actively managing vendor risk. Ensure your firm’s data collection, storage, and usage practices meet the updated S-P requirements!
2. Prepare cybersecurity and incident response plans
As cyberattacks evolve and become more advanced, wreaking havoc on financial institutions’ operations, the SEC wants to know that firms are reasonably mitigating and managing the risks while protecting their clients’ information.
The priorities call out a few key areas that examiners will scrutinize:
- Incident response preparedness: Do you have procedures for detecting, responding to, and recovering from cyber incidents? These should include vendor-supported systems and protocols for handling sophisticated attacks, such as those involving artificial intelligence (AI) and polymorphic malware.
- Operational resilience: Can your firm continue operating if a critical system or vendor experiences a disruption? Examiners want to see business continuity plans (BCPs) that outline how your firm (and your vendors) will continue serving clients.
- Threat intelligence operationalization: How does your firm stay current on emerging threats and translate that intelligence into actionable security measures? Are you prepared for advanced attacks beyond traditional ransomware?
- Vendor-supported systems: Review whether vendor-supported systems are included in your incident response plans. Ensure your policies cover vendor incident notifications and test your incident response procedures regularly.
Takeaway: Don't just maintain policies — be prepared to demonstrate your firm is actively carrying them out. Stuck in policy development? Consider customizing a sample policy to meet your organization's cyber, BCP, and incident response needs.
3. Document, document, document
Ncontracts' 2026 Future of Compliance Survey Report revealed a striking reality: nearly 4 in 10 financial institutions operate with just 1 or 2 compliance professionals. Many firms are feeling this staffing squeeze, as well.
The 2026 priorities make clear that documentation isn't just a compliance formality — it's the primary way firms prove execution. It's not enough to have reasonably designed policies and procedures — examiners want evidence of periodic review, testing, and actual implementation.
Here are some areas that require careful recordkeeping:
- Vendor oversight: Keep records showing vendors are monitored, reviewed, and escalated when issues arise. Documentation should show outreach to vendors, even if they do not respond.
- Change management: For broker-dealers, document how vendor systems support financial reporting and records, and how changes are reviewed, approved, and tracked.
- Incident response: Maintain logs of security incidents, actions taken, and periodic testing of response procedures.
- Risk assessments: Regularly assess and document cybersecurity, privacy, vendor, and operational risks, updating them as the business, technology, and new risks (including AI) evolve.
- Training and testing: Keep records showing employees are trained and able to follow compliance, data protection, and incident response policies.
Takeaway: The compliance professional motto holds true: “If it isn’t documented, it didn’t happen.”
4. Ensure AI and emerging technology oversight
The SEC’s focus on AI has evolved following an agency-hosted roundtable on AI risks and governance, as well as continued discussion of its role in financial services.
While the 2025 priorities touched on the growing use of AI in investment practices, this year the SEC identified “Emerging Financial Technology” as a key risk area. But the focus is not on regulating the technologies themselves — it’s how firms use them, disclose them, and control their risks.
Examiners want:
- Assurance that AI use or representation is fair and accurate
- Policies and procedures to oversee AI and emerging technology use for anti-money laundering (AML), fraud prevention, and other tasks
- Evidence that technology outputs are accurate and suitable for clients and consistent with disclosures and regulatory obligations
- Documentation of controls to mitigate operational risk
It’s also important to note that examiners will look at how firms integrate technology to “automate internal processes and optimize efficiencies.” For firms that have relied on manual processes, such as spreadsheets and email, to maintain compliance standards, this is your wake-up call to consider how automated technology can help you streamline tasks, from keeping up with regulatory updates to vendor due diligence.
Takeaway: Risk management isn’t just about mitigating risks — it’s also about using the right emerging technology to improve your processes.
5. Is your firm in transition? Prepare accordingly
The 2026 priorities make clear that firms undergoing change, such as offering services for new asset types or going through an acquisition, face heightened scrutiny. If your firm falls into any of the following categories, your exam risk profile has risen significantly:
- Mergers and acquisitions: RIAs that have merged, consolidated with, or been acquired by existing practices — particularly where operational and compliance complexities or new conflicts of interest arise — are on examiners’ radar.
- Newly registered and never-examined advisers: The Division will prioritize examinations of advisers that have never been examined, with particular emphasis on recently registered advisers.
- Changes in business lines or models: Examinations may focus on compliance practices when advisers change their business models or are new to advising particular types of assets, clients, or services.
- Private fund advisers and alternative investments: Advisers to private funds that also advise separately managed accounts or newly registered funds, as well as advisers to newly launched private funds, may be under the compliance microscope. Investment products with alternative strategies — such as private credit and funds with extended lock-up periods — may be subject to focused examination, as well.
Takeaway: If your business has grown or changed in any significant way, examiners will notice. Prepare for closer regulatory scrutiny.
With amended Regulation S-P requirements in effect for large firms and coming for others in June 2026, now is the time to reassess vendor oversight.
Uncover your firm's strengths and gaps and determine what needs attention ahead of your next exam with our self-assessment.