
SEC Regulatory Update and Analysis for 2026

Over the past year, the Securities and Exchange Commission (SEC) has taken several regulatory actions that materially affect RIAs. This year has been unique in that the regulatory environment has not seen major rulemaking waves, and instead has been focused on implementation of existing rules, exam-driven enforcement priorities, and the withdrawal of several proposed rules that would have significantly broadened advisor obligations. 

For compliance departments, the takeaway is relatively straightforward: the regulatory landscape has not become simpler; it has shifted toward operational readiness and regulatory expectations focused on cybersecurity, privacy and governance.

Below is a summary of some of the more important developments and what they mean for your advisory firm.  

Reg S-P Amendments: Privacy and Cybersecurity Focus 

The most significant change for RIAs comes from the amendments the SEC made to Regulation S-P. These amendments help modernize an outdated policy and focus on safeguarding client information. The amendments require advisors to implement stronger protections surrounding non-public client information, including incident response procedures, vendor oversight and breach notification obligations.

Key Requirements: 

  • Written incident response programs designed to detect and respond to unauthorized access to customer information 
  • Client breach notification obligations in certain circumstances, generally within 30 days of determining unauthorized access has occurred 
  • Expanded oversight of service providers that receive or maintain client information  
  • New recordkeeping requirements that document compliance decisions and breach investigations 

The deadlines for compliance were staggered based on firm size. Large RIAs, generally over $1.5 billion in AUM, were required to comply as of December 2025. Smaller RIAs were given extra time to comply by June 2026. For many firms, these amendments will require coordination between compliance, IT and vendor management functions, particularly with regard to third-party service providers that handle sensitive client information.

Withdrawal of Several Major Rule Proposals 

In June of last year, the SEC formally withdrew multiple proposed rules issued during the prior administration, including several that would have significantly expanded regulatory obligations for RIAs. 

Notable withdrawn proposals affecting advisors include: 

  • Outsourcing by investment advisors 
  • Predictive data analytics and conflicts of interest (the “AI Rule”)
  • Cybersecurity risk management for advisors 
  • Expansion of Custody Rule to include all client assets, including crypto 
  • Expanded due diligence and monitoring on outsourcing key functions to third-party service providers 
  • ESG disclosure standardization 

By withdrawing these proposals, the SEC effectively confirmed that any future rulemaking in these areas would restart the process from the beginning. However, firms should not interpret this as a relaxation of expectations. The underlying issues, namely cybersecurity controls, vendor oversight, and technology conflicts, all remain areas of active regulatory examination.

What This Means for You 

Although fewer new rules have been finalized recently, compliance expectations for RIAs remain elevated. In practice, firms should expect regulatory focus on the following:  

  • Cybersecurity and data privacy 
  • Vendor oversight and outsourcing controls 
  • Documentation supporting regulatory compliance 
  • Marketing and disclosure practices 
  • Operational readiness for incident response 

The updated Regulation S-P framework, in particular, indicates that the SEC expects RIAs to treat client data protection as a core fiduciary obligation, not simply a technical IT function.  

Final Thoughts 

For RIAs, the past year’s regulatory developments represent less of a shift in rulemaking and more of a shift in compliance execution. The SEC has made clear that while some rule proposals have been paused or withdrawn, the agency continues to prioritize investor protection through operational oversight, particularly around cybersecurity, privacy, and governance practices. Firms that treat these areas as strategic compliance priorities, rather than simply policy updates, will be best positioned for upcoming regulatory examinations.   

As a friendly reminder, submit your annual ADV updates quickly!