On November 17, the SEC’s Division of Examinations released its 2026 examination priorities –a document that, as always, serves as both a roadmap for registrants and a clear statement of where the agency believes the biggest risks to investors and markets now lie. While the list is not exhaustive, it provides an unusually sharp look at how the SEC is recalibrating its approach heading into the next regulatory cycle. This year, that recalibration is significant.
Keith Cassidy, acting director of the Division of Examinations said that 2026 marks‘an important time for the division to build on our strengths, advance our mission with renewed focus and ensure that our examination program continues to protect the investing public and support fair and orderly capital markets’.
Two shifts stand out: a heightened emphasis on data protection and privacy as well as the quiet, but unmistakable, disappearance of cryptocurrency from the priority list for the first time in years.
A renewed focus on Regulation S-P
Front and center in the 2026 agenda is compliance with the SEC’s 2024 amendments to Regulation S-P, the rulebook governing how firms protect customer information. The message is clear: data governance is no longer a peripheral compliance item, but a core supervisory priority.
Examiners will be looking closely at whether broker-dealers, advisers, funds and other registrants have adopted written policies and procedures consistent with the enhanced rule. That includes the newly required incident-response programs: documented frameworks that can detect, contain and recover from unauthorized access and notify affected customers promptly and appropriately.
The division will also scrutinize the administrative, technical and physical safeguards firms have put in place. Importantly, this extends well beyond internal controls. Third-party risk management, particularly where vendors have access to sensitive data, is now a major examination theme. Firms must be able to demonstrate they know who holds their data, how those providers are being monitored and how they will respond if a vendor suffers a breach.
Record-keeping, always a staple of SEC exams, takes on added importance. The agency expects firms to show their work: documented training, documented decisions and documented governance frameworks around cybersecurity and resilience.
Broader cyber hygiene also remains firmly in view. Examiners will assess access controls, governance structures, business continuity planning and identity-theft programs under Regulation S-ID – all amid a threat environment reshaped by AI-driven attacks and increasingly complex threat actors.
Taken together, the 2026 priorities send a simple message: if data protection is not already embedded throughout your risk framework, it needs to be and soon.
The crypto omission
Equally noteworthy is what the priorities do not say. For the first time in several years, the SEC has removed any explicit reference to cryptocurrency or digital assets. No ‘crypto assets,’ no ‘virtual currencies,’ no blockchain-related risks – a notable departure from past cycles, where digital assets routinely featured as a discrete examination area.
This omission is widely interpreted as a policy shift. Under the SEC’s current leadership, the agency has taken a more engagement-oriented, less adversarial posture toward the industry. Removing crypto from the priority list aligns with that broader pivot, signalling a move away from framing digital-asset markets as an inherent risk category.
That does not mean crypto firms are out of the SEC’s orbit. Examiners may still evaluate digital-asset businesses, but under broader themes such as custody, cybersecurity or anti-money laundering – rather than as an emerging threat requiring its own spotlight.
What this all means
For most registrants, the path forward is clear: tighten data-protection frameworks, modernize incident-response capabilities and treat vendor oversight as a strategic risk management function, not a back-office afterthought. The 2024 S-P amendments will require substantial work for many firms, particularly smaller entities approaching their June 2026 compliance deadline.
For crypto-exposed businesses, the absence of a dedicated exam focus may feel like a welcome easing of pressure. While oversight will continue, the shift toward integrating digital assets into mainstream supervisory categories could mark the beginning of a more stable, less adversarial regulatory environment.
Judging by these updated priorities, 2026 will be defined by data, resilience and a quieter recalibration in how the SEC approaches innovation.