SEC FY2026 Exam Priorities | AI, Cybersecurity & Reg S-P
Table of Contents
- SEC FY2026 Examination Priorities Overview and Strategic Direction
- Investment Adviser Fiduciary Standards and Compliance Programs
- AI and Emerging Financial Technology Under SEC Scrutiny
- Cybersecurity Examination Focus Areas for FY2026
- Regulation S-P Amendments and Data Privacy Requirements
- Broker-Dealer Compliance and Regulation Best Interest
- Investment Company and Fund Compliance Priorities
- Clearing Agencies, SROs, and Market Infrastructure Oversight
- Anti-Money Laundering and Cross-Cutting Risk Areas
- Practical Compliance Roadmap for Financial Institutions
📌 Key Takeaways
- AI Oversight Intensifies: The SEC will examine firms using AI for automated investment advice, trading algorithms, and back-office operations — verifying that representations about AI capabilities are accurate and controls are adequate.
- Cybersecurity Remains a Perennial Priority: Examinations will target governance practices, ransomware response, polymorphic malware defense, and AI-related security training amid elevated operational disruption risks.
- Regulation S-P Amendments Take Effect: Covered institutions must implement written incident response programs, timely breach notification procedures, and broadened customer information safeguards under the May 2024 amendments.
- Broker-Dealer Scrutiny Expands: Regulation Best Interest compliance, extended hours trading practices, cash sweep programs, and prime brokerage activities face heightened examination focus.
- Names Rule Deadlines Approaching: Larger fund groups must comply by June 11, 2026, and smaller fund groups by December 11, 2026, with the 80% investment alignment requirement under the amended rule 35d-1.
SEC FY2026 Examination Priorities Overview and Strategic Direction
The SEC Division of Examinations has published its Fiscal Year 2026 examination priorities, outlining a comprehensive regulatory framework that places artificial intelligence oversight, cybersecurity resilience, and Regulation S-P compliance at the center of its supervisory agenda. Under the leadership of Acting Director Keith Cassidy and Chairman Atkins, the Division is recalibrating its approach to emphasize growth, innovation, and operational effectiveness while operating with acknowledged resource constraints.
The FY2026 priorities document reflects a strategic shift toward empowering registrants and investors through transparency rather than enforcement alone. The Division has advanced an operational effectiveness framework designed to bring consistency across examinations, and it plans to publish Risk Alerts highlighting observed compliance approaches — not just deficiencies. This marks a notable departure from previous examination cycles that focused primarily on identifying violations.
The Division operates on four foundational pillars: promoting compliance, preventing fraud, informing policy, and monitoring risk. These pillars guide examination activities across seven major areas: investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, other market participants, and cross-cutting risk areas. For financial institutions navigating this landscape, understanding these priorities is essential for proactive compliance preparation. To explore how regulatory frameworks are evolving alongside technology, see our analysis of AI regulation in financial services.
Investment Adviser Fiduciary Standards and Compliance Programs
Investment advisers remain a central focus of the SEC Division of Examinations for FY2026, with particular emphasis on adherence to fiduciary standards of conduct under the Investment Advisers Act of 1940. The Division will scrutinize how advisers fulfill their duty of care and duty of loyalty obligations, including best execution requirements, fee-related conflict disclosures, and the overall effectiveness of compliance programs.
The examination priorities single out several high-risk areas for investment advisers. These include alternative investments such as private credit and private funds with extended lock-up periods, complex investment products including ETF wrappers on less liquid strategies and option-based ETFs, and high-cost products with elevated commissions and investment expenses. Advisers making recommendations to older investors and those saving for retirement will face particularly close scrutiny.
Never-examined advisers and recently registered advisers represent a priority category. The Division recognizes that new market entrants may lack the compliance infrastructure of established firms, making initial examinations critical for identifying gaps before they become systemic issues. Advisers that have merged, consolidated, or been acquired also face heightened attention, as organizational transitions frequently introduce regulatory compliance challenges.
Dually registered adviser-broker-dealers with dually licensed representatives present unique conflict-of-interest scenarios that the Division plans to examine closely. The focus extends to advisers using third parties to access client accounts and those transitioning into private fund advisory services for the first time, where regulatory awareness around liquidity management, valuation practices, fees, and differential treatment of investors demands careful oversight. For deeper insights into compliance technology solutions, explore our guide to RegTech and compliance automation.
AI and Emerging Financial Technology Under SEC Scrutiny
Artificial intelligence and emerging financial technology constitute one of the most significant expansion areas in the SEC FY2026 examination priorities. The Division will examine firms that engage in automated investment advisory services, use AI technologies for recommendations, deploy trading algorithms, and leverage alternative data sources. This represents the most detailed AI examination framework the SEC has articulated to date.
The Division has established a four-part assessment framework for AI-related examinations. First, examiners will evaluate whether firms’ representations about AI capabilities are fair and accurate — a direct response to concerns about AI washing in the financial services industry. Second, they will assess whether operations and controls are consistent with investor disclosures. Third, they will verify whether algorithms produce advice and recommendations consistent with investors’ investment profiles or stated strategies. Fourth, they will confirm that controls validate recommendations from automated tools against regulatory obligations, with particular attention to retail and older investors.
Beyond client-facing applications, the SEC will examine AI use in back-office operations, fraud prevention and detection, anti-money laundering programs, and trading functions. The Division is also reviewing how firms integrate regulatory technology to automate internal processes and optimize efficiencies. This comprehensive approach signals that AI governance is no longer optional for financial institutions — it is a regulatory expectation that will be tested through examinations.
The cybersecurity dimension of AI also features prominently, with the Division examining training and security controls specifically designed to identify and mitigate risks arising from artificial intelligence. As AI systems become more integral to financial operations, the attack surface expands, creating new vectors for polymorphic malware and sophisticated social engineering attacks that traditional cybersecurity frameworks may not adequately address. Industry leaders like the National Institute of Standards and Technology (NIST) continue to develop AI risk management frameworks that complement SEC examination expectations.
Cybersecurity Examination Focus Areas for FY2026
Cybersecurity remains a perennial examination priority for the SEC Division of Examinations, but the FY2026 priorities introduce new specificity around evolving threats and defensive expectations. The Division identifies operational disruption risks as elevated due to the proliferation of cybersecurity attacks, firms’ dispersed operations, weather-related events, and geopolitical concerns. This risk assessment directly shapes the nine focus areas examiners will prioritize.
Governance practices lead the cybersecurity examination agenda. Firms must demonstrate board-level engagement with cybersecurity risk, clearly defined roles and responsibilities, and documented risk assessment processes. Data loss prevention capabilities, access controls, and account management practices form the next tier of examination targets, reflecting the Division’s focus on preventive controls that limit the blast radius of successful attacks.
Incident response and recovery capabilities receive heightened scrutiny, with ransomware attacks explicitly called out as a specific examination focus. The Division will assess whether firms can effectively respond to and recover from ransomware incidents, including whether they maintain offline backups, have tested recovery procedures, and can restore mission-critical services within acceptable timeframes. This reflects the dramatic increase in ransomware targeting financial services firms in recent years.
Two emerging threat categories appear for the first time in SEC examination priorities: AI-related security risks and polymorphic malware attacks. The inclusion of polymorphic malware — which mutates its code to evade traditional signature-based detection — signals the Division’s awareness that financial institutions face increasingly sophisticated adversaries. Firms must demonstrate that their security controls can detect and mitigate threats that adapt and evolve in real time. The Division will also evaluate how firms operationalize information from threat intelligence sources, moving beyond simple intelligence consumption to active defensive integration. The Cybersecurity and Infrastructure Security Agency (CISA) provides complementary guidance that aligns with SEC cybersecurity expectations.
Regulation S-P Amendments and Data Privacy Requirements
The 2024 amendments to Regulation S-P represent one of the most consequential regulatory changes covered in the FY2026 examination priorities. Adopted on May 16, 2024, through Exchange Act Release No. 100155 and Advisers Act Release No. 6604, these amendments impose three core requirements on covered institutions including broker-dealers, funding portals, investment companies, SEC-registered investment advisers, and transfer agents.
First, covered institutions must develop, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. This goes beyond the previous Regulation S-P framework, which focused primarily on safeguarding rather than active incident management. The incident response program must address administrative, technical, and physical safeguards for customer information protection.
Second, firms must establish procedures for timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. This breach notification requirement aligns Regulation S-P more closely with state-level data breach notification laws and the European Union’s General Data Protection Regulation, creating a more unified privacy protection framework for the securities industry.
Third, the amendments broaden the scope of information covered by Regulation S-P’s requirements, expanding the definition of what constitutes protected customer information. The Division will engage firms about their compliance progress before the applicable compliance dates and will examine for full compliance after those dates. Larger entities face an approximately 18-month compliance window from the May 2024 adoption, while smaller entities receive 24 months, placing compliance deadlines at approximately November 2025 and May 2026 respectively.
The Division also emphasizes Regulation S-ID compliance, focusing on written Identity Theft Prevention Programs designed to detect, prevent, and mitigate identity theft for covered accounts. Examiners will assess whether these programs can identify red flags during customer account takeovers and fraudulent transfers, and whether firms provide adequate training on identity theft prevention.
Broker-Dealer Compliance and Regulation Best Interest
Broker-dealer examinations in FY2026 span three critical areas: financial responsibility, trading practices, and retail sales practice compliance with Regulation Best Interest. The financial responsibility examination focus encompasses net capital rule compliance, customer protection rule adherence, and the timeliness of financial notifications and required filings. The Division will also evaluate operational resiliency programs, supervision of third-party vendor services, and change management processes.
Credit, market, and liquidity risk management controls face increased scrutiny, particularly for firms with significant prime brokerage activities. The Division specifically identifies concentration risk, liquidity risk, and counterparty credit risk as examination targets within prime brokerage operations. Cash sweep programs also appear as a new priority area, reflecting regulatory concern about how broker-dealers manage client cash across different interest rate environments.
Trading practices examinations will cover equity and fixed income trading, extended hours trading practices, and municipal securities operations including rate reset processes on variable rate demand obligations. Best execution obligations remain central, along with pricing and valuation of illiquid instruments such as VRDOs, municipal securities, and non-traded REITs. Rule 605 under Regulation NMS will receive attention for order routing and execution disclosures, while Regulation SHO compliance — particularly the bona fide market making exception — remains on the examination agenda.
Investment Company and Fund Compliance Priorities
Registered investment companies face a broad examination agenda in FY2026, with the Division prioritizing compliance programs, disclosure accuracy, filing requirements, and governance practices. Fund fees and expenses receive particular attention, including the adequacy of fee waivers and reimbursements. Portfolio management practices must demonstrate consistency with stated strategies, and the Division will verify that fund disclosures accurately reflect actual investment approaches.
The amended Names Rule under the Investment Company Act of 1940 represents a major compliance milestone. Rule 35d-1, as modified by Release No. IC-35000 adopted September 20, 2023, requires funds to invest at least 80 percent of their assets in accordance with the investment focus their name suggests. Following the compliance date extension granted via Release No. IC-35500 on March 14, 2025, larger fund groups must comply by June 11, 2026, while smaller fund groups have until December 11, 2026.
The Division will also examine investment companies involved in mergers or similar transactions, funds using complex strategies or holding less liquid and illiquid investments — particularly closed-end funds — and funds with novel strategies that may introduce leverage vulnerabilities. Never-before-examined registered investment companies will be prioritized for initial examination, ensuring that newer market participants receive early regulatory engagement. For related analysis on how financial institutions are adapting to evolving regulations, see our coverage of digital transformation in financial compliance.
Clearing Agencies, SROs, and Market Infrastructure Oversight
Clearing agencies designated as systemically important under Title VIII of the Dodd-Frank Act must receive at least one annual examination from the Division. FY2026 examinations will focus on Standards for Covered Clearing Agencies, including policies and procedures for core risk management, maintenance of sufficient financial resources, protection against credit risks, and management of member defaults. Operational risk mitigation, liquidity management, default management, recovery and wind-down planning, and collateral management all feature as specific examination targets.
Self-regulatory organizations face tiered examination approaches. National securities exchanges will be examined for compliance with SRO rules and federal securities laws, as well as their participation in National Market System Plans. FINRA oversight examinations will focus on risk-based regulatory program execution, implementation of Regulation Best Interest and Form CRS requirements, and oversight of FINRA’s own examinations of certain broker-dealers and municipal advisors. The Municipal Securities Rulemaking Board faces a similar risk assessment process.
Two relatively new market participant categories receive significant attention in FY2026. Security-Based Swap Dealers must comply with Regulation SBSR for accurate transaction reporting, along with risk management, capital, margin, and segregation requirements. Security-Based Swap Execution Facilities represent an even newer category, with the Division noting it expects to begin conducting examinations of these entities during FY2026, focusing on trade monitoring, processing, participation rules, and programs of risk analysis and oversight. Entities operating under Section 17A(b)(1) exemption orders and security-based swap data repositories also face examination attention. Additional context on market infrastructure regulation is available from the Bank for International Settlements.
Anti-Money Laundering and Cross-Cutting Risk Areas
Anti-money laundering compliance remains a foundational examination priority that cuts across all regulated entity types. The Division will assess whether firms maintain adequate AML programs, conduct appropriate customer due diligence, file suspicious activity reports in a timely manner, and keep pace with evolving money laundering typologies. The intersection of AML and AI is particularly relevant, as the Division examines how firms deploy artificial intelligence for fraud prevention and detection within their AML programs.
Regulation Systems Compliance and Integrity represents another cross-cutting risk area. SCI examinations will focus on incident response policies and procedures, the effectiveness of those responses, and third-party vendor risk management. The Division will assess whether firms properly identify vendor systems that qualify as SCI systems or indirect SCI systems, recognizing that vendor dependencies introduce regulatory obligations that many firms may underestimate.
Municipal advisors and transfer agents round out the other market participants receiving FY2026 examination attention. Municipal advisors must demonstrate compliance with their fiduciary duty to municipal entity clients under MSRB Rule G-42, including conflict of interest disclosures, documentation of advisory relationships, and professional qualification requirements. Transfer agents face examinations on processing accuracy, recordkeeping, fund and securities safeguarding, and compliance with the 2024 Regulation S-P amendments. Funding portals similarly face Regulation S-P compliance requirements alongside their existing obligations around investor fund maintenance, record preservation, and written compliance procedures. The Financial Crimes Enforcement Network (FinCEN) publishes complementary AML guidance that supports SEC examination readiness.
Practical Compliance Roadmap for Financial Institutions
Financial institutions preparing for SEC FY2026 examinations should prioritize several immediate actions. First, conduct a comprehensive AI governance assessment. If your firm uses any form of automated investment advice, trading algorithms, or AI-assisted operations, document the specific AI systems in use, verify that all public representations about AI capabilities are accurate and substantiated, and ensure that algorithmic outputs align with stated investment profiles and regulatory obligations.
Second, update cybersecurity programs to address the nine specific focus areas identified in the FY2026 priorities. This means conducting a governance review at the board level, testing data loss prevention capabilities, auditing access controls and account management practices, validating ransomware response and recovery procedures, and implementing training specifically designed to mitigate AI-related cybersecurity threats. Polymorphic malware defense should be assessed through red team exercises that test whether current detection capabilities can identify mutating threats.
Third, ensure Regulation S-P compliance by the applicable deadline. This requires developing and testing a written incident response program, establishing breach notification procedures that meet the timeliness requirements, and expanding the scope of protected customer information in accordance with the broadened definition. Firms should conduct tabletop exercises to validate their incident response capabilities before the compliance date.
Fourth, broker-dealers should review Regulation Best Interest compliance with particular attention to recommendations involving complex products, rollovers, and limited product menus. The Care Obligation requires demonstrable analysis of reasonably available alternatives, and Form CRS content should be reviewed for accuracy regarding relationships, fees, conflicts, and disciplinary history.
Fifth, investment companies approaching Names Rule compliance deadlines should verify that their portfolios meet the 80 percent investment alignment requirement and that prospectus disclosures accurately reflect investment strategies. Larger fund groups face a June 11, 2026, deadline, while smaller groups have until December 11, 2026. Given the scale of portfolio adjustments that may be required, beginning compliance efforts well before these deadlines is critical.
Frequently Asked Questions
What are the SEC Division of Examinations FY2026 priorities?
The SEC Division of Examinations FY2026 priorities focus on seven key areas: investment adviser fiduciary standards, investment company compliance, broker-dealer financial responsibility, self-regulatory organization oversight, clearing agency risk management, emerging market participant regulation, and cross-cutting risk areas including cybersecurity, AI technology, Regulation S-P amendments, and anti-money laundering.
How does the SEC plan to regulate artificial intelligence in FY2026?
The SEC will examine firms using AI for automated investment advice, trading algorithms, and operational processes. Examiners will assess whether AI representations are accurate, whether controls ensure recommendations align with investor profiles, and whether firms have adequate policies to monitor AI use in fraud prevention, back-office operations, AML, and trading functions.
What are the 2024 Regulation S-P amendments requirements?
The 2024 Regulation S-P amendments require covered institutions to develop written incident response programs for unauthorized data access, implement timely notification procedures for affected individuals, and broaden the scope of protected customer information. Larger entities had approximately 18 months to comply, while smaller entities received 24 months from the May 2024 adoption date.
What cybersecurity areas will the SEC examine in FY2026?
SEC FY2026 cybersecurity examinations will focus on governance practices, data loss prevention, access controls, account management, incident response and recovery including ransomware attacks, AI-related security training, polymorphic malware defense, threat intelligence operationalization, and overall operational resiliency.
When is the SEC Names Rule compliance deadline?
The SEC Names Rule compliance deadline was extended via Release No. IC-35500 on March 14, 2025. Larger fund groups must comply by June 11, 2026, while smaller fund groups have until December 11, 2026. The rule requires funds to invest at least 80 percent of assets consistent with the investment focus their name suggests.
What Regulation Best Interest areas will SEC examine for broker-dealers?
The SEC will examine broker-dealer Reg BI compliance focusing on recommendations for complex products such as variable annuities, registered index-linked annuities, and ETFs investing in private credit. Additional focus areas include the Care Obligation for evaluating reasonably available alternatives, conflict identification and mitigation, Form CRS accuracy, and supervision of branch office sales practices.