What the SEC Is (and Isn’t) Doing on AI and Cybersecurity in 2026

April 8, 2026

The Regulatory Shift You Need to Know About

If you’ve been waiting for the SEC to drop a sweeping new AI rulebook, you can stop refreshing the Federal Register. Under Chair Paul Atkins, the agency has shifted away from prescriptive rulemaking and toward a principles-based posture — and that shift is showing up in both its AI work and its cybersecurity agenda. Here’s where things actually stand as of spring 2026, and why it matters even if your business isn’t a public company.

The AI Picture: Less Rule, More Expectation

Earlier in 2025, the SEC withdrew the Biden-era proposed rules on AI, including the much-debated proposal targeting conflicts of interest in predictive data analytics for broker-dealers and investment advisers. That was a clear signal: the current Commission isn’t going to legislate AI through new dedicated rules.

What it is doing is leaning on the disclosure framework that already exists. At the December 2025 Investor Advisory Committee meeting, Chair Atkins reinforced that the SEC’s existing principles-based rules already require issuers to tell investors about material AI impacts — on financial results, risk factors, and business models. Translation: the SEC believes the tools to police AI disclosure are already in the toolbox.

A few moving pieces are worth tracking:

The Investor Advisory Committee Recommendation

On December 4, 2025, the IAC voted to recommend that the SEC issue guidance requiring issuers to define what they mean by “AI,” disclose board oversight mechanisms, and report separately on internal versus consumer-facing AI deployments. It’s a recommendation, not a rule, and the SEC has so far responded tepidly. But it’s a useful template for any company thinking about how to talk about AI in its filings or, frankly, in its annual report to a board.

The 2026 Examination Priorities

The Division of Examinations published its FY2026 priorities in late December 2025, and AI shows up prominently. Examiners will be looking at AI supervision, explainability, and recordkeeping for investment advisers and broker-dealers. The theme: if you’re deploying AI, you’d better be able to show how you supervise it and reconstruct what it did.

An Internal AI Task Force

The SEC stood up its own AI Task Force in 2025, led by a publicly named Chief AI Officer, to coordinate responsible AI use across the agency. It’s an internal-facing initiative, but it tells you the SEC is taking the technology seriously even as it declines to write new external rules about it.

The Cybersecurity Picture: One Live Rule, One Big Deadline

Cybersecurity is where the actionable stuff lives.

The 2023 Cyber Disclosure Rule Is Still the Headline

The cybersecurity disclosure rule adopted in July 2023 is now more than two years into enforcement, and the patterns are getting clearer. Public companies have to file a Form 8-K under Item 1.05 within four business days of determining that a cybersecurity incident is material — disclosing the nature, scope, timing, and impact. They also have to address cyber risk management, governance, and management’s role annually in their 10-K under Regulation S-K Item 106.

Two years in, most disclosed incidents have not ultimately been confirmed as having material financial impact. Companies are filing early out of caution, and the SEC has reportedly stood up a dedicated enforcement unit focused on this area. Expect more comment letters and staff statements pushing companies toward sharper, more decision-useful disclosures.

One notable footnote: in July 2024, a federal judge dismissed most of the SEC’s claims in the SolarWinds case, ruling that statutory internal accounting controls requirements apply to financial reporting controls — not to cybersecurity or operational controls. That decision has taken some wind out of the SEC’s more aggressive cyber enforcement theories, but it hasn’t slowed the disclosure rule itself.

Regulation S-P: The June 3, 2026 Deadline You Should Actually Care About

If there’s one date to circle on the calendar, it’s June 3, 2026.

The amendments to Regulation S-P, adopted in 2024, hit their full compliance deadline on that date. They apply to broker-dealers, registered investment advisers, investment companies, and transfer agents. The amendments expand customer information safeguards, tighten incident response requirements, and — importantly — elevate cybersecurity from an operational concern to a board-level accountability issue.

What this means in practice:

  • Written incident response programs are no longer optional; they need to be documented, tested, and tied to clear customer notification workflows.
  • Customer notification is now required, generally within 30 days, when sensitive customer information has been or is reasonably likely to have been accessed without authorization.
  • Vendor and service provider oversight gets explicit treatment — firms have to ensure their providers are also taking appropriate measures.
  • Board engagement is expected to be active, not passive. Documented oversight matters.

If you’re an MSP, vCISO, or compliance partner working with anyone in financial services, the next 60 days are the runway. After June, examiners will be looking for evidence that the program was already in place — not that it got assembled the week before.

So What Should You Actually Do?

For most small and midsize businesses, the SEC isn’t your direct regulator. But the SEC’s posture matters anyway, for two reasons.

First, SEC frameworks tend to set the tone for what “reasonable” looks like across the broader market. Cyber insurance underwriters, enterprise customers running vendor risk assessments, and state regulators all increasingly borrow from SEC language when they define expectations. If your incident response plan, board reporting cadence, and AI usage documentation would survive an SEC-style review, you’re in good shape for almost everything else.

Second, the principles-based shift cuts both ways. Less prescriptive rulemaking means more reliance on judgment, documentation, and demonstrated governance. That’s harder to fake. Firms that treat cybersecurity and AI as compliance disciplines — with written policies, evidence of oversight, and clear escalation paths — will be better positioned than firms that treat them as purely technical problems.

Practical To-Dos for the Next Quarter

  1. Inventory your AI usage. Even if you’re not a public filer, write down where AI shows up in your business — what tools, what data, who’s accountable. You’ll need this eventually for customer questionnaires if not regulators.
  2. Pressure-test your incident response plan. Tabletop it. If you can’t articulate who decides materiality, who notifies whom, and on what timeline, that’s the gap to close.
  3. Get cyber on the board (or owner) agenda. Quarterly is a reasonable cadence. Document it.
  4. If you serve SEC registrants, audit your own controls. Their Reg S-P obligations will flow downstream to you through vendor agreements. Be ready.

The Bottom Line

The big picture: the SEC isn’t writing new AI rules, but it’s making clear that the old rules already cover a lot of ground. And on cybersecurity, the rules that exist are getting sharper teeth — especially with the June 3, 2026 Reg S-P deadline closing in.

The firms that win the next few years will be the ones that built the muscle early. Documentation, governance, and demonstrated oversight aren’t optional anymore — they’re the baseline for operating in a regulated environment, even if you’re not directly regulated.

Need Help With Compliance and Risk Management?

Whether you’re preparing for Regulation S-P compliance, documenting AI governance, or building incident response capabilities that meet regulatory expectations, Castle Rock Sky helps businesses across the Denver metro and Front Range implement practical, defensible controls that satisfy regulators and auditors.

We understand what “reasonable” looks like to regulators, insurance underwriters, and enterprise customers — and we can help you get there without reinventing your entire operation.

Let’s make sure you’re ready for what’s coming