Cybersecurity Compliance in Financial Services: Where Priorities Are Shifting
In this post:

Cyber risk, vendor dependencies, AI use, and evolving supervisory expectations are changing how financial services firms approach compliance. Here’s how you should prioritize them.

Why Priorities Are Shifting

Financial services firms are operating in a more connected environment than they were just a few years ago. Core systems rely on vendors, employees use cloud-based platforms for daily work, and AI capabilities are appearing in tools that teams already depend on.

Keeping pace with these shifts, regulatory expectations have also increased. The SEC’s amended Regulation S-P raises incident response and notification requirements for covered institutions, and FINRA’s 2026 oversight materials call out cybersecurity, fraud, third-party risk, and AI governance as areas of active focus.

The practical effect is this: firms are paying closer attention to how their policies actually hold up — during cyber incidents and technology failures alike — and whether their written versions match what teams do in the moment.

Cybersecurity and Incident Response
Ransomware and related threats like identity-based attacks can hit operations, client data, and business continuity at the same time. When something goes wrong, teams need to assess impact quickly, coordinate a response, and figure out what obligations apply.

The amended Regulation S-P sets a clear bar. Covered firms are responsible for having an incident response program and defined procedures for customer notification whenever sensitive information has been accessed or used without authorization.

Compliance priorities for incident response: Strong compliance programs name owners and draft procedures, but they also spell out decision-making authority, communication paths, escalation steps, and documentation standards. Find and address gaps now, so that when an incident happens, your response is consistent and your ability to produce a usable record of actions taken is never in doubt.

Third-Party and Vendor Risk

Vendors support a significant share of the systems and services financial firms depend on every day. A disruption at a vendor can quickly ripple — affecting system access, data availability, and client-facing operations before internal teams have time to react.

Compliance priorities for third-party risk: Oversight should be ongoing. You need to know how your vendors protect data, how they handle incidents, what changes they’re making to their environments, and whether those changes affect your firm’s risk posture. Take time to review your vendor monitoring capabilities and periodic reassessment procedures, and ensure that contracts include clear expectations around subcontractor oversight and incident notification timing.

AI Use and Governance

AI tools are becoming part of routine workflows across financial services — for research, content drafting, data analysis, and customer support. For many firms, adoption has moved faster than governance, which is where the risk accumulates.

As adoption grows, so do questions about things like acceptable use, data handling, review standards, and oversight. Firms need to define which tools are approved, what information can be shared, and how outputs are evaluated before they are relied on.

Compliance priorities for AI use: You need to be able to answer questions like: Which tools are approved? What information can be shared with them? How are outputs reviewed before someone acts on them? FINRA and the SEC haven’t created a single universal AI rule, but their expectations around governance, supervision, and recordkeeping still apply. To make it easier to find holes in your policies, treat AI as a distinct area within your broader compliance framework.

Cloud, Monitoring, and Evidence
Cloud platforms now carry many core business functions. That flexibility comes with configuration, access control, and ownership requirements that can easily drift off course under informal management.

Monitoring tools, including logging and alerting systems, provide visibility into activity across those environments. Their value, however, depends entirely on whether teams can interpret what they’re seeing and act on it in time. And underlying all of it: firms need reliable records of system activity, user access, changes, and key decisions.

Compliance priorities for cloud, monitoring, and evidence: Start by confirming ownership across configuration, alerting, and recordkeeping. Ensure that ownership is current and clearly assigned.

Then treat all three as ongoing maintenance tasks. Cloud environments change. Monitoring rules become outdated. Records lose value when teams cannot confirm what is captured or where it resides.

Schedule regular reviews. Validate that access controls reflect current roles and responsibilities. Confirm that alerts are tuned to meaningful activity. Ensure records are complete, accessible, and audit-ready.

Where Firms Fall Short

Most firms have invested in the right places. Policy documentation. Tool deployment. Processes exist on paper.

The harder problem shows up when multiple issues happen at once. Responsibility shifts between teams with no clear handoff. Escalation hinges on individual judgment instead of a shared process. And when it’s time to reconstruct what happened — for an audit or incident post-mortem — documentation is scattered across systems without any threads to connect events.

Written procedures add another wrinkle. They tend to get drafted once and revisited rarely, while actual workflows keep moving. By the time something goes wrong, the holes in policies and practices can be wide enough to cause real problems.

Bringing It Together

Cybersecurity, vendor risk, AI use, and cloud activity are often treated as separate workstreams. In reality, they intersect constantly.

An issue that starts in one area pulls in the others quickly — which is why coordination across teams, systems, and external partners carries so much weight.

Defined ownership keeps decisions moving. Established communication paths get information to the right people. Consistent documentation produces records that hold up.

Together, these elements support both resilience and credible compliance.

What to Focus on Now

These compliance areas are more useful to review together than in isolation. A practical starting point is examining how they connect in your firm:

  • How is responsibility assigned across teams and vendors?
  • How are issues escalated and communicated?
  • How are actions documented — and those records retained?
  • How closely do daily workflows align with written policies?

Firms with good answers to these questions are better prepared to manage risk — and to respond credibly when regulators come looking.