Ben Tercha is COO at Omega Systems, an award-winning managed IT services provider (MSP) and managed security service provider (MSSP).
Picture this: Your firm spent the better part of last year preparing for Regulation S-P. You updated your incident response plan, trained your staff and tightened your policies. You felt ready. Then one of your software vendors suffered a breach, and client data was compromised.
You didn’t cause it. You didn’t even know it was happening. But under the amended rule, the responsibility (and liability) is yours.
This is the compliance blind spot I’m seeing across RIAs and wealth management firms right now. Most are focused on shoring up internal processes and controls before the June 3, 2026, compliance date for smaller firms, those with less than $1.5 billion in assets under management. (The compliance date for larger RIAs was December 2025; the amendments themselves took effect in 2024.) But Regulation S-P’s service provider provisions mean your vendors’ security practices are now your regulatory problem, too.
The firms that struggle in SEC examinations won’t be the ones that ignored the rule. They’ll be the ones that failed to look beyond their own front door.
What Regulation S-P Actually Requires
The SEC’s May 2024 amendments to Reg S-P go well beyond internal policy updates. Among the most significant, and least discussed, changes is a formal requirement to implement written policies and procedures for overseeing service providers: conducting due diligence, monitoring them and ensuring they take appropriate measures to protect against unauthorized access to or use of customer information. Those policies must require service providers to notify the firm as soon as possible, and no later than 72 hours after becoming aware of a breach resulting in unauthorized access to a customer information system they maintain. Once notified, the covered institution must initiate its incident response program and, unless it determines the information has not been and is not reasonably likely to be used in a way that would cause substantial harm or inconvenience, notify affected individuals within 30 days of becoming aware of the incident.
The definition of “service provider” is broader than most firms realize. Any third party permitted access to customer information qualifies, including your CRM platform, portfolio management software, custodians, legal counsel and managed IT partner. If they can see your clients’ data, they’re in scope. And the SEC won’t just ask to see your own policies during examinations. They’ll likely want documentation of your vendor oversight activities: due diligence records, service provider agreements and evidence of ongoing monitoring. With these new changes, a policy on paper won’t be enough.
Where Most RIAs Are Falling Short
We see consistent gaps across the investment industry. For one: inventory. Many firms can’t produce a complete list of every third party with access to client data—a prerequisite for meaningful oversight. According to Omega Systems’ 2025 Financial Services IT and Cybersecurity Survey, 54% of financial firms still rely on spreadsheets or internally built tools to manage security control benchmarking. If you can’t systematically track your own controls, tracking third-party data access is even less likely.
Another gap is contract language. Legacy vendor agreements frequently lack incident notification requirements, security standards clauses or audit rights. In the wake of the S-P amendments, those contracts will need to be revisited to ensure they align with the new expectations.
Escalation is another area of concern. RIAs often have incident response plans for internal events, but few have thought through what happens when a breach originates with a vendor. Who gets called? When does the 30-day notification clock start? Our survey found more than a third of financial services firms say it would take a week or longer to detect and contain a breach. That timeline becomes a serious liability once you recognize that the clock starts when you become aware of the incident, which for a vendor-originated breach means the moment the vendor notifies you, not when it is convenient for you to act.
What Good Vendor Oversight Actually Looks Like
A few things I consider nonnegotiable for any firm operating under the amended rule:
• Maintain a living inventory of all service providers with data access, updated as relationships change.
• Review and update contracts to include security requirements, breach notification timelines and audit rights (if a vendor won’t commit to 72-hour notification, take note).
• Conduct and document periodic due diligence, not just at onboarding (a SOC 2 report from three years ago is evidence of a point-in-time assessment, not ongoing oversight).
• Build vendor risk into your incident response plan as an integrated component, not an afterthought (your IRP should specify exactly what happens when a vendor notifies you of a breach).
A Word On Your IT Partner
For most RIAs, the managed IT or cybersecurity partner has broader access to client data than almost any other vendor, often with administrative access across systems. Yet they’re frequently the least scrutinized from a compliance standpoint. The right partner should demonstrate familiarity with Regulation S-P, provide contractual commitments around breach notification and produce documentation that supports your oversight program.
Omega’s data shows that 56% of MSSP-supported firms conduct continuous or monthly vulnerability testing, versus 38% of firms managing IT internally, and that they contain breaches faster. That gap matters when you’re racing a 30-day clock. If your current IT partner can’t speak to their own S-P posture, that’s a conversation to have before an SEC examiner prompts it.
Why Compliance Is An Ecosystem, Not A Checklist
The June 3 deadline for small RIAs is a starting line, not a finish line. SEC examiners will evaluate the strength of ongoing programs, not just whether boxes were checked. The enforcement record is clear: In 2024 alone, the SEC settled multiple cybersecurity-related enforcement actions with penalties ranging from $990,000 to $4 million. Control failures and disclosure gaps were at the center of every one of them—exactly the kind of program weaknesses that third-party risk exposure tends to create.
Firms that treat service provider risk as a genuine operational discipline will be better positioned in examinations and better protected when something inevitably goes wrong. Start here: If you can’t answer “who has access to my clients’ data, and what happens if that vendor is breached,” then that’s a gap you can bet the SEC will zero in on.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.