Every November, the SEC’s Division of Examinations publishes its priorities for the year ahead. Every November, most VC and PE firms glance at the headline, forward it to outside counsel, and move on.

This year is different. The 2026 priorities put cybersecurity, AI governance, and operational resiliency at the center of virtually every examination category. If your firm is a registered investment adviser (RIA), and most VC/PE firms managing outside capital are, these priorities are now part of what examiners will evaluate when they walk in the door.

If your firm is an Exempt Reporting Adviser rather than a full RIA, much of this still applies. ERAs are subject to Reg S-P, anti-fraud provisions, and the Custody Rule, and the SEC has signaled increasing exam attention to ERAs in recent cycles. Even unregistered firms face the same questions from LPs, auditors, and their own risk teams.

We work with VC and PE firms every day. Aaron is the co-founder of an IT managed services firm that has served financial services clients in San Francisco since 2009, and Sarah is an IT security and compliance advisor with 30+ years in the field. Between us, we’ve seen what examiners actually look for and where firms tend to have gaps they don’t know about.

Here are five questions every VC/PE operations leader should be able to answer before their next exam cycle.

1. Do you have a written incident response program?

The amended Regulation S-P requires covered institutions, including RIAs and broker-dealers, to adopt a written incident response program. For larger entities (RIAs with $1.5B or more in AUM), the compliance date was December 3, 2025. For smaller covered institutions, it is June 3, 2026. Note: ERAs are also subject to certain Reg S-P provisions, particularly around safeguarding customer information.

This isn’t a suggestion. It’s a regulatory requirement with a hard date. Yet many firms we talk to don’t have a formal incident response plan. They have a general sense of what they’d do (“call our IT guy”), but nothing written, tested, or documented.

An examiner will ask to see the document. If it doesn’t exist, or if it doesn’t address how you’d respond to an AI-related incident (whether from your tools or a cloud provider’s), that’s a finding.

2. Who has admin access to your systems right now, and when was the last time you checked?

The 2026 priorities explicitly call out access controls and account management. Examiners want to see that you know who has privileged access, including providers and AI agents, to your systems and that you review it regularly.

At a 30-person VC firm, this is often a mess. A former employee still has an active Google / M365 account. The office manager has global admin rights because they set up the tenant three years ago. A consultant who helped with a one-time project still has access to your file share. Nobody has reviewed these permissions since they were granted.

The fix isn’t complicated. A quarterly access review, documented, with a clear process for revoking access when someone leaves or something changes. But someone has to own it and perform it.
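A minimal version of that quarterly review, as an added example that is not the authors’ tooling: it cross-checks a directory export against the HR roster and flags accounts that are orphaned (a leaver still has a live login), stale (no sign-in in 90 days), or privileged, then renders a record you can file as evidence. The CSV columns, email addresses, roster, and the 90-day threshold are all constructed for illustration; a real Google Workspace or M365 export will have different column names.

```python
"""Quarterly privileged-access review over an identity export (constructed sample data)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export: the columns and accounts are invented for this example.
ACCOUNTS_CSV = """email,roles,last_sign_in,suspended,type
cfo@example-vc.com,global_admin,2026-01-12,false,employee
officemgr@example-vc.com,global_admin;billing_admin,2026-01-13,false,employee
jdoe@example-vc.com,user,2025-06-30,false,employee
consultant@outside.example,user,2025-02-01,false,guest
svc-backup@example-vc.com,global_admin,2024-11-20,false,service
analyst@example-vc.com,user,2026-01-10,false,employee
former-cto@example-vc.com,global_admin,2025-12-01,true,employee
"""

# Constructed HR roster: the source of truth for who should still have an account.
HR_ROSTER = {"cfo@example-vc.com", "officemgr@example-vc.com", "analyst@example-vc.com"}

ADMIN_ROLES = {"global_admin", "super_admin", "billing_admin"}  # assumed role names
STALE_DAYS = 90                                                 # assumed review threshold
AS_OF = datetime(2026, 1, 15, tzinfo=timezone.utc)              # fixed so the run is repeatable


def parse_accounts(text):
    """Turn the export into dicts with typed fields (roles as a set, dates as datetimes)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": row["email"].strip().lower(),
            "roles": {r.strip() for r in row["roles"].split(";") if r.strip()},
            "last_sign_in": datetime.strptime(row["last_sign_in"], "%Y-%m-%d")
                                    .replace(tzinfo=timezone.utc),
            "active": row["suspended"].strip().lower() != "true",
            "type": row["type"].strip().lower(),
        })
    return rows


def review_access(accounts, hr_roster, as_of, stale_days=STALE_DAYS):
    """Return {email: [finding codes]} for every active account a reviewer must act on or sign off."""
    findings = {}

    def flag(email, code):
        findings.setdefault(email, []).append(code)

    for a in accounts:
        if not a["active"]:
            continue  # suspended accounts are already off the attack surface
        is_admin = bool(a["roles"] & ADMIN_ROLES)
        idle_days = (as_of - a["last_sign_in"]).days
        if a["type"] == "employee" and a["email"] not in hr_roster:
            flag(a["email"], "ORPHANED")        # leaver with a live login: revoke now
        if idle_days > stale_days:
            flag(a["email"], "STALE")           # nobody uses it: revoke or document why it stays
        if is_admin and a["type"] != "employee":
            flag(a["email"], "NONHUMAN_ADMIN")  # service or guest with tenant-wide rights
        if is_admin:
            flag(a["email"], "PRIVILEGED")      # every admin gets a line in the record
    return findings


def privileged_accounts(accounts):
    """Sorted list of active accounts holding any admin role."""
    return sorted(a["email"] for a in accounts if a["active"] and a["roles"] & ADMIN_ROLES)


def run_review():
    """Convenience wrapper over the constructed data above."""
    return review_access(parse_accounts(ACCOUNTS_CSV), HR_ROSTER, AS_OF)


def render_record(findings, reviewer, as_of):
    """Plain-text record to file with the quarter's compliance evidence."""
    lines = [f"Access review as of {as_of.date()} by {reviewer}"]
    for email in sorted(findings):
        lines.append(f"  {email}: {', '.join(findings[email])}")
    lines.append(f"  {len(findings)} account(s) require action or sign-off")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_record(run_review(), "ops lead", AS_OF))
```

Two design points matter more than the code: the HR roster, not the directory, is the authority on who belongs, so a leaver shows up as a finding even if IT was never told; and admins are listed every quarter regardless of activity, because the examiner’s question is not only “who is stale” but “who can change everything, and did a named person confirm that this quarter.”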

3. What happens if your IT vendor gets breached?

The Reg S-P amendments include a new requirement for service provider oversight. If a service provider that handles your customer information experiences a breach, it must notify you as soon as possible and no later than 72 hours after becoming aware of it. Your contracts need to reflect this. Your policies need to account for it. And you need to be prepared to notify affected individuals as soon as practicable, and no later than 30 days after becoming aware of the breach.

Most VC/PE firms outsource significant portions of their operations: fund administration, cloud hosting, IT support, payroll, document management. Each of these vendors potentially touches client information. How many of your vendor contracts include breach notification clauses? How many of those vendors have you actually assessed for security practices?

Examiners will ask about your vendor oversight program. “We trust them” is not an assessment or a program.


4. Do you have an AI usage policy?

This is the new addition for 2026. The SEC has integrated AI oversight into multiple examination categories: cybersecurity, emerging technology, automated investment tools, and operational resiliency. Examiners will evaluate whether your firm’s actual AI usage matches what you’ve represented to clients and regulators.

For most VC/PE firms, the immediate concern isn’t AI-driven investment tools. It’s employees using ChatGPT, Copilot, or other AI assistants with sensitive data: LP information, deal terms, financial models, investor communications. If your team is using AI tools and you don’t have a policy governing what data can and can’t be entered, you have an unmanaged risk.

A basic AI acceptable use policy doesn’t need to be long. It needs to exist, and your team needs to know about it and follow it.

5. Could your firm operate if your primary systems went down for 48 hours?

Operational resiliency is now a standalone examination category, separate from cybersecurity. The SEC wants to know that firms can continue operating through disruptions, whether that’s a cyberattack, a cloud outage, or a natural disaster.

For a 30-person VC firm that runs on Google, Slack, and a handful of SaaS tools, the question is straightforward: if those systems went offline tomorrow morning, what’s your plan? Do you have documented backup and recovery procedures? Have you tested them? Do your employees know what to do?

Most firms we work with have some form of backup running, but very few have tested a full recovery. The gap between “we have backups” and “we’ve confirmed we can actually restore from them” is where examiners will focus.

And it’s not just your own systems. If a critical vendor had a multi-day outage (your fund administrator, your cloud provider, your file sync service), would your firm be able to continue operating? Operational resiliency includes the resilience of the providers you depend on.

The Bottom Line

None of these five items requires a massive budget or an enterprise-grade security team. They require someone to own them, document them, and maintain them. For most VC and PE firms in the 15 to 100 person range, that someone is either an outsourced IT partner or a very busy CFO who already has a full plate.

The SEC’s 2026 priorities aren’t a surprise. They’re a continuation of a trend that’s been building for years: regulators expect investment advisers to take cybersecurity and operational readiness seriously, regardless of firm size. The firms that treat this as a checkbox exercise will be caught flat-footed. The firms that build these practices into how they operate will find that compliance is a byproduct of good IT management, not a separate workstream.

If you can’t confidently answer all five questions above, now is a good time to start.

If any of the five questions above raised a concern, schedule a 30-minute call. We’ll walk through what a practical answer looks like for your firm. No commitment.

About the Authors

Aaron Burris is co-founder and SVP of Business Development at Xterra Solutions, an IT managed services firm in San Francisco’s Financial District serving VC, PE, and financial services clients since 2009. With 25+ years of experience as a network architect and security advisor, Aaron has helped Bay Area firms design, secure, and operate the IT infrastructure that supports their investment and operations teams. Xterra’s XBITOS framework, built on NIST CSF and ITIL principles, anchors the firm’s security-first approach to managed services.

Sarah A. Lynn is an IT security and compliance advisor with 30+ years of experience across financial services, technology, and healthcare. She serves on the Astia & NorCal Venture Forum Advisory Boards and has guided firms through SEC examinations and SOC 2, ISO, HIPAA, CMMC, and FedRAMP compliance.