Every few months, the SEC's Division of Examinations publishes a document that most investment advisers never read. Called a risk alert, it describes compliance weaknesses that examiners found during recent firm reviews and signals where examination focus will increase next. For investment advisers paying attention, a risk alert is advance notice of exactly what an examiner will be looking for at your firm.
This article explains how risk alerts work, why they matter for Regulation S-P compliance specifically, and how to turn each new risk alert into a concrete action item inside your annual compliance review.
What Is an SEC Risk Alert
The SEC's Division of Examinations, known as EXAMS (formerly the Office of Compliance Inspections and Examinations, or OCIE), issues risk alerts to communicate examination findings to the broader investment management industry. A typical risk alert describes a compliance area EXAMS has been examining, lists specific deficiencies found across multiple firms, cites the applicable rules, and describes what examiners will look for in future reviews.
Risk alerts are supervisory communications, not enforcement actions. No firm is named. No penalty is attached. The purpose is to give the entire industry visibility into patterns that examiners are finding, so firms can self-correct before the next round of examinations begins.
The practical effect is straightforward: if EXAMS publishes a risk alert on cybersecurity vendor management today, examiners arriving at your firm in three months will have that risk alert in their file and will specifically test for the weaknesses it describes. Ignoring a risk alert is choosing to be caught by deficiencies that examiners told you in advance they would be testing for.
How Risk Alerts Fit Into the SEC Examination Framework
EXAMS uses several tools to communicate compliance expectations to investment advisers. Understanding how they fit together helps you prioritize responses.
Annual examination priorities letter. Published each January or February, this letter identifies broad examination focus areas for the upcoming fiscal year. Regulation S-P is a named FY2026 examination priority. The annual priorities letter sets the thematic agenda.
Risk alerts. Published throughout the year, risk alerts go one level deeper than the priorities letter. Where the priorities letter names Reg S-P cybersecurity as a focus, a risk alert on cybersecurity describes exactly which policies were missing, which vendor contract provisions were absent, and which documentation gaps triggered deficiency findings. Risk alerts operationalize the priorities letter.
Deficiency letters. After an examination, firms with compliance weaknesses receive a deficiency letter citing specific rule violations. Deficiency letters are the output of examinations where risk alert warnings were not heeded. If you read the risk alert, remediated the gaps, and documented the remediation, the deficiency letter is less likely.
Enforcement actions. Enforcement follows a formal investigation and is a separate process from the examination program. Most investment advisers who receive deficiency letters resolve them without escalation to enforcement. Risk alerts are designed to interrupt the deficiency letter cycle before it starts.
The sequence from risk alert to deficiency letter to enforcement action is not inevitable. Each stage is an opportunity to correct deficiencies. Risk alerts are the earliest and most favorable opportunity.
The History of SEC Cybersecurity Risk Alerts
Cybersecurity is one of the areas where EXAMS has issued risk alerts repeatedly over more than a decade. This history is worth knowing because it shows how risk alerts escalate over time into binding requirements.
EXAMS issued its first comprehensive cybersecurity risk alert in 2014, identifying that many investment advisers lacked written cybersecurity policies. A follow-up alert in 2015 described penetration testing and access management gaps. By 2019, EXAMS was issuing alerts specific to cybersecurity in financial firms, covering areas including vendor management, data integrity, and incident response. Additional alerts in 2020 and 2023 described ransomware, business continuity, and third-party data access risks.
The pattern across these alerts was consistent. EXAMS would identify a deficiency area, publish a risk alert describing what it found, give firms time to remediate, and then test for the same issues during subsequent examinations. Firms that read the alerts and acted avoided the deficiency findings. Firms that did not read them kept showing up with the same gaps.
The amended Regulation S-P, which took effect in late 2025, with full compliance required of all investment advisers by June 2026, codifies many of the cybersecurity standards that EXAMS had been signaling for years through risk alerts. The five required program elements of Reg S-P, namely the incident response program, service provider oversight policy, information safeguards, customer breach notification procedures, and recordkeeping requirements, all appear in some form in prior EXAMS cybersecurity risk alerts.
Risk alerts were not just advance notice. They were a decade-long preview of what Reg S-P would eventually require.
What Current Cybersecurity Risk Alerts Mean for Reg S-P Compliance
Reg S-P is now in force for all SEC-registered investment advisers. The compliance date for smaller advisers passed on June 3, 2026. Reg S-P is also a named FY2026 examination priority. In this environment, any EXAMS risk alert touching cybersecurity, data security, vendor management, or client privacy should be treated as a direct signal about what Reg S-P reviewers will test.
When a new cybersecurity or privacy risk alert publishes, check it against each of the five Reg S-P program elements:
Incident response program. Does the risk alert describe firms lacking written incident response plans, or plans that do not specify response timelines? That is the gap examiners will test in your program.
Service provider oversight policy. Does the risk alert describe vendor contracts lacking cybersecurity provisions, or firms with no ongoing vendor monitoring process? That maps directly to your service provider oversight documentation.
Information safeguards. Does the risk alert describe access control gaps, unencrypted data, or inadequate patch management? These are the technical controls your written safeguards policy should address.
Customer breach notification. Does the risk alert describe firms missing the 30-day notification requirement, or notification procedures that do not specify recipient classes? Your breach notification procedures need to address both.
Recordkeeping. Does the risk alert describe inadequate documentation of vendor assessments, incident logs, or training records? Your recordkeeping policy should define what gets retained and for how long.
Using a new risk alert as a structured Reg S-P gap review takes less time than most firms expect. The risk alert tells you exactly what to look for. Your written policies tell you whether you have addressed it.
Five Steps When a New SEC Risk Alert Publishes
Investment advisers should treat each new EXAMS risk alert as a trigger for a structured compliance response, not a publication to bookmark and forget.
Step one: Identify the applicable rules. Every risk alert cites the specific rules under examination. Confirm whether those rules apply to your firm based on your registration status and business activities. If the risk alert covers rules that apply to you, continue to the next step. If not, note that you reviewed the alert and why it does not apply.
Step two: Compare the described deficiencies against your written policies. Risk alerts describe specific compliance weaknesses in plain language. Work through each deficiency type described and compare it against your existing written policies. If the risk alert says many firms lacked documented vendor cybersecurity assessments, pull your vendor oversight policy and verify it includes an assessment requirement.
Step three: Document gaps and remediation steps. If you find gaps, document what the gap is, when you found it, what you will do to remediate it, and when remediation was completed. This documentation serves two purposes: it demonstrates good-faith compliance effort if an examiner asks, and it creates an audit trail showing your compliance program is responsive to regulatory signals.
Step four: Update your annual compliance review calendar. The annual Rule 206(4)-7 compliance review is the natural home for risk alert follow-up. When a new risk alert publishes, add the risk alert topic as a standing agenda item in your next annual review. This ensures that risk alert findings do not get reviewed once and forgotten, but instead become part of your ongoing compliance monitoring.
Step five: Brief relevant staff. If the risk alert covers an area where your operations staff, technology team, or outside vendors play a role, brief them on what the risk alert describes and what changes, if any, are needed. Reg S-P specifically requires that your incident response and breach notification procedures be communicated to relevant staff, not just maintained as written documents.
How to Monitor for New SEC Risk Alerts
EXAMS publishes risk alerts on the SEC's website at sec.gov/exams under the Publications and Reports section. There is no guaranteed publication schedule. Risk alerts publish when EXAMS completes a review cycle or identifies a timely issue.
The most reliable monitoring approach is to subscribe to SEC press releases via the SEC's email alert service at sec.gov/cgi-bin/browse-edgar. EXAMS risk alerts are typically accompanied by a press release. Legal and compliance newsletters from major law firms and compliance consultants also routinely cover new risk alerts within days of publication.
For investment advisers using outside compliance consultants or legal counsel, risk alert monitoring is often included in ongoing retainer services. If it is not, requesting a quarterly review of new risk alerts is a reasonable addition to any compliance engagement.
Building risk alert monitoring into your annual Rule 206(4)-7 compliance review cycle, rather than treating it as an ad hoc task, ensures that every new EXAMS signal gets a structured response.
Risk Alerts and Your SEC Examination Readiness
The most common finding examiners describe after conducting a Reg S-P review is that written policies exist but are generic, outdated, or not tailored to the firm's actual systems and vendors. Risk alerts are one of the best inputs for keeping your policies specific and current.
A generic incident response plan that does not reference your actual cloud providers, custodians, or data systems will not satisfy an examiner who has read the relevant risk alert and knows exactly what specificity looks like. A service provider oversight policy that lists vendor categories but contains no actual vendor names or assessment records will draw the same finding.
Risk alerts give you the template for what "adequate" looks like in examiner terms. An investment adviser who reads each relevant risk alert and updates their Reg S-P documentation accordingly is building exactly the kind of responsive compliance program that examiners report finding less often than they should.
For investment advisers who have completed their initial Reg S-P documentation, risk alert monitoring is the most efficient ongoing compliance tool available. It translates regulatory signals into specific document review tasks, keeps your policies current with examiner expectations, and creates a documented record of your compliance program responding to new guidance.
For advisers who have not yet completed their initial Reg S-P documentation, that is the starting point. RegShield generates the four core Reg S-P documents, namely the incident response program, service provider oversight policy, breach notification procedures, and recordkeeping procedures, tailored to your firm in approximately fifteen minutes.
Need the four core Reg S-P documents for your firm? RegShield generates them in about 15 minutes, tailored to your firm's specifics for a one-time fee. Not a subscription.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.