
SEC 2026 Exam Priorities and the New Standard for Operational Readiness

Feb 18, 2026

For 2026, the message across the Securities and Exchange Commission’s (SEC) priorities is consistent: regulators are looking for evidence that risk and compliance programs are operating in the real world, not just described in policies. For most firms, this is demonstrated most clearly when:

  • Cybersecurity and privacy controls are followed day to day, not just documented.
  • Incident response is a tested capability, especially for events involving customer information (including Regulation S-P readiness).
  • Third-party oversight is active and ongoing across critical vendors, not limited to onboarding.
  • Operational resiliency is demonstrable through recovery planning and restore testing, not just a business continuity document.
  • Automation, AI, and trading tools are governed and supervised in a way that aligns with disclosures, not used informally without guardrails.

Depending on a firm’s business model, exam teams may also dig into areas such as identity theft prevention (Regulation S-ID), AML requirements, or other market infrastructure obligations. But the themes above are the ones with the broadest operational reach across organizations.

Why Evidence Is the New Baseline

The SEC’s priorities can read like a list of topics. In practice, they function as a test of operational maturity. It is no longer enough to point to a policy and say, “we address this.” Exams increasingly probe whether controls are operating consistently, who owns them, and whether the firm can produce evidence quickly when asked.

This shift also maps to the business impact leaders are already seeing. When the global average cost of a data breach sits in the millions, “we have a policy” is not a reassuring answer. Firms need operating disciplines that both reduce the odds of disruption and reduce its cost if it happens.

The 5 Readiness Moves Firms Should Make Now

Most firms have seen the SEC headlines by now. The difference between “we’re prepared” and “we’re scrambling” usually comes down to two questions: can we show that controls operate consistently and can we produce evidence quickly during an exam? These five moves translate the 2026 priorities into practical readiness.

1. Make Incident Response a Leadership-Owned Capability and Test It

Incident response is not just an IT plan; it is an operating capability. Decisions are made across leadership, legal and compliance, operations, and external partners, and that capability needs to be tested against realistic scenarios. Verizon’s 2025 DBIR found ransomware present in 44% of the breaches it analyzed. That reality is one reason exam teams focus on response readiness and recovery capability, not just prevention.

What to have in place: a tested incident response plan (including ransomware scenarios), named decision-makers, a clear escalation path, and an internal and external communications plan. Recovery objectives should be tied to business priorities: how much data loss is tolerable (the recovery point objective), how much downtime is tolerable (the recovery time objective), and in what order systems are restored. Document the improvements made after each test, not just the fact that a test took place.

2. Tighten Access and Account Management

Access is one of the clearest places to demonstrate that controls operate in practice. Strong access hygiene is less about complexity and more about consistency, especially in environments that rely on third-party administrators, consultants, or outsourced IT.

What good looks like: multi-factor authentication enforced where it matters most, privileged access limited and approved, clean joiner/mover/leaver processes, and periodic access reviews that lead to real changes (removals, not just sign-offs) when access is no longer justified.
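The access review above is the control exam teams most often ask to see evidence for, so here is what one looks like when it is actually operated rather than just described. This is an added example, not code from the article or from Abacus Group: it reconciles a privileged-group membership export against an HR roster, an approval register and a list of documented exceptions, and emits a review record that names each unjustified or stale entitlement and the action taken. Every dataset in it (users, groups, tickets, dates) is constructed; the 90-day recertification window is an assumed policy value.

```python
"""Privileged access review: reconcile who actually holds privileged access
against HR status and the approval register, and emit review evidence.

Added example (not from the article). Every dataset below is constructed.
"""
from dataclasses import dataclass, asdict
from datetime import date
import json

# Constructed: export of privileged group membership from a directory or IdP.
MEMBERSHIP = [
    {"user": "alice",   "group": "Domain Admins", "granted_on": "2025-11-02"},
    {"user": "bob",     "group": "Domain Admins", "granted_on": "2025-03-14"},
    {"user": "carol",   "group": "Prod-DBA",      "granted_on": "2026-01-20"},
    {"user": "msp-svc", "group": "Domain Admins", "granted_on": "2024-06-01"},
    {"user": "dave",    "group": "Prod-DBA",      "granted_on": "2025-12-01"},
]

# Constructed: HR roster. Leavers must lose privileged access at termination.
HR = {
    "alice": {"status": "active", "role": "Infrastructure Engineer"},
    "bob":   {"status": "terminated", "term_date": "2026-01-15"},
    "carol": {"status": "active", "role": "Database Administrator"},
    "dave":  {"status": "active", "role": "Sales Associate"},
    # "msp-svc" has no HR record: an outsourced-IT (third-party) admin account.
}

# Constructed: approval register keyed by (user, group).
APPROVALS = {
    ("alice", "Domain Admins"):   {"ticket": "CHG-1041", "approver": "cto",          "recertified": "2025-12-15"},
    ("carol", "Prod-DBA"):        {"ticket": "CHG-1102", "approver": "head-of-data", "recertified": "2026-01-20"},
    ("msp-svc", "Domain Admins"): {"ticket": "VEN-0007", "approver": "ciso",         "recertified": "2025-08-30"},
}

# Constructed: documented exceptions, each with the reason and its expiry.
EXCEPTIONS = {
    ("msp-svc", "Domain Admins"): "vendor admin account; recert due with MSA renewal 2026-03-01",
}


@dataclass
class Finding:
    user: str
    group: str
    issue: str    # leaver | unknown_identity | no_approval | stale_recert
    action: str   # remove | recertify | exception_documented
    detail: str


def review_privileged_access(membership, hr, approvals, exceptions, as_of, max_age_days=90):
    """Return a review record with one finding per unjustified or stale entitlement.

    as_of is an ISO date string; max_age_days is the assumed recertification window.
    """
    review_date = date.fromisoformat(as_of)
    findings, clean = [], []
    for m in membership:
        key = (m["user"], m["group"])
        person = hr.get(m["user"])
        # An identity nobody in HR owns, and nobody has documented, is removed first.
        if person is None and key not in exceptions:
            findings.append(Finding(*key, "unknown_identity", "remove",
                                    "no HR record and no documented exception"))
            continue
        # Leaver check: terminated staff must not retain privileged membership.
        if person is not None and person["status"] != "active":
            findings.append(Finding(*key, "leaver", "remove",
                                    f"terminated {person['term_date']}; access still present"))
            continue
        approval = approvals.get(key)
        if approval is None:
            findings.append(Finding(*key, "no_approval", "remove",
                                    "no approval ticket on record"))
            continue
        # Stale recertification: approved once is not approved forever.
        age = (review_date - date.fromisoformat(approval["recertified"])).days
        if age > max_age_days:
            if key in exceptions:
                findings.append(Finding(*key, "stale_recert", "exception_documented",
                                        f"{age} days since recert; exception: {exceptions[key]}"))
            else:
                findings.append(Finding(*key, "stale_recert", "recertify",
                                        f"{age} days since recert by {approval['approver']}"))
            continue
        clean.append(m["user"])
    return {"as_of": as_of, "reviewed": len(membership),
            "findings": [asdict(f) for f in findings], "clean": clean}


if __name__ == "__main__":
    # Review dated to the article; prints the evidence record an examiner would ask for.
    print(json.dumps(review_privileged_access(MEMBERSHIP, HR, APPROVALS, EXCEPTIONS, "2026-02-18"), indent=2))
```

With the constructed data, the record flags bob (a leaver still in Domain Admins), dave (a sales associate holding DBA access with no approval) and the vendor account (approval older than the window, covered by a documented exception with an expiry), and lists alice and carol as clean. The point of keeping the output as a dated record rather than a spreadsheet someone ticked is that the removals and the exception are now evidence that the review changed something.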

3. Treat Vendors as Part of Your Control Environment

Vendor oversight keeps showing up across SEC focus areas for a reason. Vendors can raise or lower your risk, and outsourcing does not outsource accountability, especially when third parties handle client data, support core workflows, or become critical during incidents.

What to operationalize includes a vendor inventory with criticality tiers, recurring due diligence that continues after onboarding, contracts that clearly define security expectations (including access boundaries and incident notification requirements), and ongoing monitoring that is documented and repeatable.

4. Define Resiliency as Recovery and Prove You Can Restore

Resiliency is not just a documented continuity plan; it is the ability to prevent avoidable disruption where possible and to restore operations quickly when something breaks. Exam teams want evidence that recovery is tested, not assumed.

The SEC’s own framing is broader than cyber best practices alone. It highlights elevated disruption risk tied not only to cyberattacks, but also to dispersed operations, weather-related events, and geopolitical concerns. That broader disruption lens is exactly why recovery planning, vendor dependency mapping, and restore testing are becoming exam-visible capabilities.

What to have in place includes business continuity and disaster recovery plans mapped to real systems and vendors, backups designed for ransomware reality, restore testing that proves recoverability, clear monitoring and alerting ownership, and disciplined change management and patching.
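“Restore testing that proves recoverability” is concrete enough to show in code. The following is an added example, not code from the article or from Abacus Group: it hashes every file at backup time into a manifest, restores the backup to a clean location, verifies the restored copy byte for byte against the manifest, and records the result against assumed recovery objectives (24-hour RPO, 4-hour RTO). The sample files, the “nightly backup” six hours old and the corruption step that stands in for a file encrypted by ransomware are all constructed so the drill runs offline in a temporary directory.

```python
"""Restore test that proves recoverability: hash at backup time, restore to a
clean location, verify against the manifest, record the result against RPO/RTO.

Added example (not from the article). Sample data and the simulated corruption
are constructed; the RPO/RTO values are assumed policy figures.
"""
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root, taken at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest.

    Anything missing or altered (a bad restore, or a file that was already
    encrypted when it was backed up) fails verification.
    """
    missing = [p for p in manifest if not os.path.exists(os.path.join(restored_root, p))]
    mismatched = [p for p in manifest if p not in missing
                  and sha256_file(os.path.join(restored_root, p)) != manifest[p]]
    return {"verified": not missing and not mismatched,
            "checked": len(manifest), "missing": missing, "mismatched": mismatched}


def run_restore_drill(rpo_hours=24, rto_hours=4, corrupt=False):
    """End-to-end drill in a temp directory; returns the evidence record."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        backup = os.path.join(tmp, "backup")
        restored = os.path.join(tmp, "restored")

        # Constructed 'production' data.
        os.makedirs(os.path.join(live, "ledger"))
        with open(os.path.join(live, "ledger", "trades.csv"), "w") as f:
            f.write("id,symbol,qty\n1,ABC,100\n2,XYZ,250\n")
        with open(os.path.join(live, "clients.json"), "w") as f:
            f.write('{"client": "constructed sample"}')

        # Backup: copy plus manifest. Constructed: the last nightly run was 6h ago.
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)
        backup_time = datetime.now(timezone.utc) - timedelta(hours=6)

        # Restore to a clean location, never verify the backup in place.
        started = time.monotonic()
        shutil.copytree(backup, restored)
        if corrupt:  # simulate a file that came back encrypted/damaged
            with open(os.path.join(restored, "clients.json"), "wb") as f:
                f.write(b"\x00ENCRYPTED\x00")
        elapsed_hours = (time.monotonic() - started) / 3600

        record = verify_restore(restored, manifest)
        backup_age_hours = (datetime.now(timezone.utc) - backup_time).total_seconds() / 3600
        record.update({
            "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "backup_age_hours": round(backup_age_hours, 2),
            "within_rpo": backup_age_hours <= rpo_hours,
            "restore_hours": round(elapsed_hours, 6),
            "within_rto": elapsed_hours <= rto_hours,
        })
        return record


if __name__ == "__main__":
    print(run_restore_drill())
    print(run_restore_drill(corrupt=True))
```

Two design points carry over to real environments. The manifest must live somewhere the backup job cannot overwrite (an offline copy or an object store with immutability enabled), otherwise an attacker who encrypts the backups can simply regenerate the hashes; and the restore must land in a clean target so the test exercises the same path you would use on the worst day, with the elapsed time and backup age recorded against the objectives rather than asserted afterwards.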

5. Put Governance Around AI and Automation and Align It to Disclosures

The SEC’s focus on automated tools and AI is about guardrails. If a tool influences outcomes, it needs governance, oversight, and accountability. That includes advisory workflows, research support, client communications, operations, and, where applicable, trading and execution.

What to have in place includes an inventory of tools and approved use cases, clear data-handling rules (especially what cannot be entered into third-party platforms), supervision and monitoring with defined exception handling, and explicit accountability when tools influence decisions. Actual usage should align with what the firm represents to clients and regulators.

For firms with Registered Investment Adviser (RIA) obligations, cyber and technology risks are getting more attention, but exam teams still expect strong fundamentals around conflicts, best execution, and overall compliance program effectiveness.

Expanded Risk Parameters for Alternative Investment Firms

For alternative investment firms, exam scope and real-world risk often extend beyond the management company itself. Operating models are frequently distributed across portfolio companies, shared service arrangements, fund administrators, and outsourced IT. In practice, that expands both the attack surface and the dependency chain, which means leadership needs a clearer view of who touches what than many firms maintain day to day.

Two factors commonly drive this expanded scope. First, portfolio company exposure and shared services can widen the perimeter, especially when technology, finance, or operational functions are centralized across entities. Second, outsourced IT and administrators increase third-party dependency, and response and recovery can depend on external partners as much as internal teams.

What leaders should have ready: a current map of vendors and access pathways, clear accountability across the management company and key partners, and recovery planning that accounts for vendor outages and cross-entity dependencies.

The Readiness Check

Ask yourself: if asked during an exam, could we produce the following quickly, without scrambling or chasing documentation across teams and vendors?

  • A recent incident response exercise or tabletop record, plus documented follow-up actions (owners, dates, and what changed), and any past incident reports.
  • A sample set of privileged access approvals and access review evidence, including removals and any documented exceptions.
  • A current list of critical vendors, the internal owner for each relationship, and the latest evidence of oversight or monitoring.
  • Restore testing results that demonstrate recoverability, along with a simple map of system and vendor dependencies tied to recovery plans.
  • If AI or automation tools are used, a tool inventory with approved use cases and clear data-handling rules.

For firms looking to strengthen these areas without adding unnecessary complexity, the right support can help turn requirements into an operating program that is easier both to run and to evidence.


How Abacus Helps

Abacus Group supports financial services firms in their efforts to operationalize controls and offers regulatory-focused defensive and offensive cybersecurity services to help firms maintain compliance. From documented restore testing to vendor oversight workflows and AI governance guardrails, we focus on making programs easier to run and easier to evidence when regulators ask. Contact us today to strengthen your operational readiness for 2026.


Learn more about how your firm can benefit from our comprehensive IT and cybersecurity services.
