
SEC FY2026 Examination Priorities: What Investment Advisers Need to Know

By Rees Calder | June 26, 2026 | 9 min read

Every year, the SEC's Division of Examinations publishes a priorities letter. It tells registered investment advisers exactly what examiners will be looking at. FY2026 is the first full examination year where Regulation S-P compliance is named explicitly as a priority, and that matters for every investment adviser, whether your firm was examined last year or not.

This article explains what the FY2026 priorities mean for investment advisers, specifically how Reg S-P fits into the examination framework, and what you should have ready before an exam notice arrives.

What the FY2026 Examination Priorities Document Covers

The Division of Examinations (EXAMS) releases its annual priorities letter to signal where examination resources will be concentrated and what specific areas will be tested during routine examinations. The FY2026 letter identifies five broad priority areas for investment advisers:

Fiduciary duty and suitability. Examiners will review how advisers fulfill their duty to act in clients' best interests, including conflicts of interest disclosure, fee transparency, and how recommendations are made.

Cybersecurity and information security (Regulation S-P). Reg S-P is the named standard. The FY2026 priorities specifically reference the amended Reg S-P requirements covering written incident response programs, service provider oversight, safeguarding of customer information, customer breach notification, and recordkeeping.

Emerging technology. Advisers using or recommending crypto assets, AI-driven investment tools, or automated trading systems will face specific inquiries about how these technologies are disclosed to clients and supervised.

ESG investing. Advisers marketing environmental, social, or governance investment strategies face scrutiny on whether marketing claims match actual investment practices.

Senior and retail investor protection. Examiners continue to flag unsuitable recommendations, complex products, and fee structures that may disadvantage retail clients.

Of these five areas, Reg S-P is the one with the most operationally specific examination framework. The other four priorities turn on examiner judgement calls. A Reg S-P review starts from a document request: you either have the required written policies or you do not, and the examiner then tests whether those policies describe the firm as it actually operates and whether they have been followed.

Why Reg S-P Is a Named FY2026 Priority

The SEC's Division of Examinations named Reg S-P cybersecurity and privacy compliance as a FY2026 priority for two concrete reasons.

First, the amended Regulation S-P compliance dates have passed. Larger entities were required to comply by December 3, 2025. Smaller investment advisers had until June 3, 2026. FY2026 is therefore the first year when all SEC-registered investment advisers, regardless of size, are required to have written Reg S-P policies in place. Named examination priority status is how EXAMS signals it intends to verify compliance.

Second, cybersecurity incidents involving investment advisers' client data have increased. The SEC's FY2025 examination reports documented significant deficiency rates in cybersecurity policy completeness across examined firms. FY2026 examinations are structured to test whether the amended Reg S-P requirements reduced those deficiency rates or whether firms remain non-compliant.

The practical implication: when an SEC examiner arrives at your firm, whether for a routine examination or a cause examination, your Reg S-P documentation will be on the request list.

What "Named Examination Priority" Means in Practice

Being a named examination priority changes how examinations work in three ways.

Structured document requests. Examinations for priority areas include specific pre-structured document request lists. For Reg S-P, this means the initial request letter (which typically arrives 10 to 14 business days before the examination begins) will ask for your incident response program, your service provider oversight policy, your cybersecurity risk assessment, your vendor contracts, your breach notification procedures, and your recordkeeping policies. These requests are not improvised. They follow the five Reg S-P program elements.

Deficiency benchmarking. Named priority areas have documented deficiency benchmarks from prior examination cycles, so examiners know what percentage of examined firms have missing or inadequate policies. Firms with documentation gaps receive deficiency letters, and repeat or uncorrected findings can be referred to the Division of Enforcement.

Risk-based examination selection. The SEC cannot examine all registered investment advisers every year. Examinations are risk-selected. Named priority areas are one of the factors that increase an adviser's risk score for examination selection. Newly registered firms, firms that have not been examined in three or more years, and firms in higher-risk practice areas are examined more frequently during years when their practice area is a named priority.

None of this means every investment adviser will be examined in FY2026. It means that if your firm is examined, Reg S-P will be tested, and the examination framework will be specific about what documentation it expects to find.

The Reg S-P Examination Document Request List

When EXAMS staff conduct a FY2026 examination with a Reg S-P component, the initial document request typically includes the following nine categories.

1. Written incident response program. Your complete incident response policy, including how your firm detects unauthorized access, contains incidents, notifies affected customers, and remediates. Policies that are generic templates without firm-specific content are a common deficiency.

2. Service provider oversight policy. Your policy for onboarding, monitoring, and offboarding vendors with access to customer information, plus your current vendor register showing which vendors have access and what controls are in place.

3. Vendor contracts with cybersecurity provisions. The actual contracts with your material service providers (custodians, portfolio management systems, CRM providers, cloud platforms). Examiners look for breach notification obligations, security standards, right-to-audit provisions, and subcontractor controls.

4. Cybersecurity risk assessment. Documentation of your most recent risk assessment, identifying what data you hold, where it sits, what systems access it, and what controls protect it. Most deficiency letters cite this as missing or undated.

5. Customer breach notification procedures. Your documented process for detecting a qualifying incident, determining whether customer notification is triggered, and delivering written notice to affected individuals as soon as practicable and no later than 30 days after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Procedures that do not state the 30-day outer limit, when the clock starts (awareness of the incident, not confirmation of harm), and how the rule's narrow exceptions are applied (a documented determination after reasonable investigation that the sensitive customer information is not reasonably likely to be used to cause substantial harm or inconvenience, or the delay provision for national security or public safety) are a recurring deficiency.

6. Access control and encryption documentation. Evidence that your firm controls who can access customer data and how that data is protected in transit and at rest. May include multi-factor authentication records, encryption policies, and access review logs.

7. Recordkeeping procedures. Your policy for how customer data is retained, how long it is kept, and how it is disposed of when no longer needed. Disposal procedures are frequently missing from generic compliance templates.

8. Staff training records. Documentation of cybersecurity training provided to staff, including dates and topics covered. Examiners look for annual cadence.

9. Incident logs. Records of any cybersecurity incidents or potential incidents over the prior 24 months, including how each was assessed and resolved.

If any of these nine items are missing from your response, expect a deficiency finding. If multiple items are missing, the firm is likely to receive a deficiency letter requesting a written remediation timeline.

The Five Most Common Reg S-P Deficiency Findings in FY2026

Examination staff guidance and deficiency letter patterns from prior Reg S-P reviews identify five findings that appear consistently.

Generic policies not tailored to the firm. Downloaded compliance templates that have not been modified to reflect the firm's actual systems, vendors, or operations. A policy that references "our core banking system" at an investment advisory firm is an immediate red flag.

No documented risk assessment. Firms that have cybersecurity controls in place but no written risk assessment documenting what data they hold, where it resides, and what threats apply. Controls without a risk basis fail the framework.

Vendor contracts without required provisions. Agreements with custodians, portfolio systems, and cloud providers that predate the amended Reg S-P requirements and lack breach notification obligations, data security standards, or oversight rights.

Breach notification procedures without a timeline. Policies that describe what to do "in the event of a breach" without specifying the 30-day outer limit for customer notice or from what point the window is counted (when the firm becomes aware of the unauthorized access, not when it confirms that harm occurred).

Recordkeeping policies without disposal procedures. Policies that address retention periods but say nothing about how customer data is destroyed when it reaches end of retention. Data disposal is explicitly required under the amended rule.

Each of these five findings is correctable. None of them requires new technical controls; they are fixed by rewriting the policies, documenting the risk assessment, and amending or re-papering vendor agreements. Note that the vendor contract finding is the slowest to close, because it depends on counterparties agreeing to revised terms, so start it first.

How to Prepare Before Your Examination Notice Arrives

An SEC examination notice typically gives you 10 to 14 business days before document production begins. That window is not enough time to build Reg S-P policies from scratch. The preparation work happens now, during your annual Rule 206(4)-7 compliance review, not in response to an exam notice.

The annual Rule 206(4)-7 compliance review is the correct vehicle for Reg S-P maintenance. Each review cycle should include a gap assessment against the nine document categories above, a review of vendor contracts for Reg S-P provisions, a refresh of the cybersecurity risk assessment, and a tabletop test of the breach notification procedure.

Firms that treat Reg S-P as a one-time implementation project rather than an ongoing compliance obligation are the ones that generate deficiency letters. An examination that arrives three years after initial implementation will test whether the policies reflect the firm as it operates today, not the firm as it operated when the policies were first written. New vendors, new systems, and new staff members all create gaps if the policies are not updated.

A practical preparation framework breaks into three stages.

Days 1 to 30: Conduct a written gap assessment against all five Reg S-P program elements. Document what exists, what is missing, and what is outdated. Pull every vendor contract for a material service provider and review it against the breach notification, security standard, and oversight rights checklist.

Days 30 to 60: Build or update the missing documentation. Prioritize the cybersecurity risk assessment (most commonly missing), the vendor contracts (most commonly non-compliant), and the breach notification procedures (most commonly lacking the 30-day specification).

Days 60 to 90: Conduct a tabletop test of the breach notification procedure and keep the written record of the scenario, the decisions made, and the time taken to reach each decision; examiners ask for evidence that the procedure was exercised, not only that it exists. Run annual staff training on cybersecurity awareness and record attendance. Update the recordkeeping policy to include disposal procedures if absent. File all updated policies with dated version control so you can demonstrate they were current before your examination notice arrived.

The SEC Reg S-P compliance checklist covers each of these elements in detail. The vendor oversight policy template provides specific contract language.

Exam-Readiness Is an Ongoing Standard, Not a One-Time Achievement

The FY2026 examination priorities letter makes explicit what was already implied by the amended Reg S-P rule: cybersecurity and privacy compliance is not a box-checking exercise that ends at implementation. It is an ongoing examination standard that will appear on document request lists for as long as Reg S-P remains in force.

That means the relevant question for every investment adviser is not whether you completed your Reg S-P policies before the compliance date. It is whether your policies, as of the date of your examination, reflect how your firm actually operates.

For advisers who have policies in place, the FY2026 priorities are a signal to review and refresh. For advisers who do not yet have written policies, the FY2026 examination priority means the risk of a deficiency letter is not theoretical.

RegShield generates the four required Reg S-P documents -- Incident Response Program, Service Provider Oversight Policy, Breach Notification Templates, and Recordkeeping Procedures -- in approximately 15 minutes. You complete a short intake questionnaire about your firm, and RegShield produces examination-ready PDFs tailored to your operations. One-time $299.


Frequently Asked Questions

What are the SEC's FY2026 examination priorities for investment advisers?

The SEC's Division of Examinations identified five priority areas for FY2026: fiduciary duty, cybersecurity and Regulation S-P compliance, emerging technologies, ESG investing, and protection of senior and retail investors. Reg S-P is the most operationally specific priority, with a defined document request list that examiners follow during cybersecurity reviews.

Does the FY2026 examination priorities document mean my RIA will be examined this year?

Not necessarily. The SEC examines roughly 15 percent of registered investment advisers each year. A named examination priority means that when examiners do conduct your examination, they are instructed to test for that area. Firms in higher-risk categories -- new registrants, firms with prior deficiencies, firms not examined in several years -- are examined more frequently during priority years.

What documents will SEC examiners request for a Reg S-P review?

In a FY2026 Reg S-P examination, examiners typically request: your incident response program, service provider oversight policy with vendor register, vendor contracts with cybersecurity provisions, a current cybersecurity risk assessment, breach notification procedures with a 30-day timeline, access control documentation, recordkeeping procedures with disposal language, staff training records, and any incident logs from the prior 24 months.

What are the most common Reg S-P deficiency findings in FY2026 examinations?

The five most common findings are: generic policies not tailored to the firm, no documented cybersecurity risk assessment, vendor contracts without required cybersecurity provisions, breach notification procedures without a 30-day timeline, and recordkeeping policies without data disposal procedures. Each is correctable with written documentation updates.

How does Reg S-P relate to the SEC's broader FY2026 cybersecurity focus?

Reg S-P is the operative cybersecurity and privacy rule for SEC-registered investment advisers. The FY2026 priorities treat Reg S-P compliance as the specific implementation standard for the cybersecurity priority. The five required program elements -- incident response, service provider oversight, information safeguards, customer breach notification, and recordkeeping -- are what examiners test against. This is distinct from the SEC's public company cybersecurity disclosure rule, which does not apply to investment advisers.

When does the FY2026 examination priorities letter apply?

The FY2026 priorities apply to examinations conducted throughout the SEC's 2026 fiscal year (October 1, 2025 through September 30, 2026). Reg S-P compliance is a named priority for this period, which contains the June 3, 2026 compliance date for smaller entities, after which every SEC-registered investment adviser is subject to the amended rule. Examinations conducted through September 2026 and into FY2027 will continue to test for Reg S-P under the ongoing examination mandate.


Rees Calder

Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.
