The amended Regulation S-P does not just require you to protect client data inside your own firm. It requires you to ensure that every third party touching that data protects it too. For most small RIAs, this is the compliance gap that catches them off guard.
Your firm probably uses a dozen or more vendors: a custodian, a portfolio management system, a CRM, a cloud backup service, an email platform, maybe an outsourced IT provider. Under the original Reg S-P, the SEC expected "reasonable" safeguards but gave little guidance on vendor oversight. The amended rule changes that significantly.
This article covers exactly what the SEC now requires for service provider oversight, what examiners actually look for during examinations, and how to build a vendor management program that works for a small firm without consuming your entire week.
What Changed in the Amended Rule
The original Regulation S-P (adopted in 2000) included a general requirement to protect customer information through administrative, technical, and physical safeguards. Vendor oversight was implied but not spelled out.
The 2024 amendments made service provider oversight an explicit, standalone requirement. Under the amended rule, your written policies and procedures must address how you:
- Select service providers with appropriate security capabilities
- Require contractual safeguards for customer information
- Monitor service providers on an ongoing basis
- Respond when a service provider reports an incident
This is not a suggestion. It is a formal component of the rule that SEC examiners will evaluate independently from your other compliance documents.
The SEC's Definition of "Service Provider"
Before building your program, you need to know who counts. The SEC defines a service provider broadly: any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services to your firm.
For a typical small RIA, this includes:
Obvious vendors:
- Custodians (Schwab, Fidelity, Pershing)
- Portfolio management platforms (Orion, Black Diamond, Tamarac)
- Financial planning software (MoneyGuidePro, eMoney, RightCapital)
- CRM systems (Redtail, Wealthbox, Salesforce)
Often overlooked vendors:
- Cloud storage (Google Workspace, Microsoft 365, Dropbox)
- Email marketing tools (Mailchimp, Constant Contact)
- IT support and managed service providers
- Document signing platforms (DocuSign, Adobe Sign)
- Video conferencing (Zoom, Teams)
- Cybersecurity tools and monitoring services
- Website hosting providers
- Backup and disaster recovery services
If a vendor can access, store, or transmit client names, account numbers, Social Security numbers, financial data, or contact information, it falls under your oversight obligation.
Building Your Vendor Inventory
The first step is documentation. You cannot oversee what you have not identified. Your vendor inventory should capture:
For each vendor:
- Company name and primary contact
- Services provided to your firm
- Types of customer information accessed
- Data transmission methods (API, file transfer, direct access)
- Contract effective date and renewal date
- Last due diligence review date
- Risk tier (high, medium, low)
Risk Tiering
Not every vendor requires the same level of scrutiny. The SEC recognizes that oversight should be proportional to risk. A vendor holding thousands of client Social Security numbers warrants deeper review than a vendor that only accesses client email addresses for newsletter distribution.
High risk: Direct access to sensitive customer information (SSNs, account numbers, financial records). Examples: custodians, portfolio management platforms, CRM systems with full client records.
Medium risk: Limited access to customer information or access to less sensitive data. Examples: email platforms, document signing tools, financial planning software.
Low risk: Minimal or no direct access to identifiable customer information. Examples: website hosting (if no client portal), general office software, accounting tools without client data.
Your oversight intensity should match the risk tier. High-risk vendors get the full treatment: detailed questionnaires, contract review, annual assessments. Low-risk vendors may only need basic due diligence and periodic confirmation that their services have not changed in scope.
Initial Due Diligence: What to Assess
Before engaging a new vendor (or formalizing oversight of an existing one), document your evaluation of their security posture. The SEC does not prescribe a specific format, but examiners look for evidence that you asked the right questions.
Security Assessment Areas
Information security program: Does the vendor have a written information security program? Who is responsible for it? Has it been independently assessed?
Data handling: How does the vendor store, transmit, and dispose of your client data? Is data encrypted in transit and at rest? Where are their data centers located?
Access controls: How does the vendor restrict access to your client data? Do they use multi-factor authentication? How do they handle employee onboarding and termination?
Incident response: Does the vendor have a documented incident response plan? What are their notification timeframes if a breach occurs? Will they cooperate with your investigation?
Business continuity: What happens if the vendor experiences a prolonged outage? Do they maintain backups? What is their disaster recovery timeframe?
Compliance certifications: Do they hold SOC 2 Type II, ISO 27001, or other relevant certifications? When was the last audit completed?
Documentation Requirements
For each vendor assessment, retain:
- The questionnaire or assessment tool you used
- The vendor's responses (written, not verbal)
- Your firm's evaluation and risk determination
- Any remediation items identified and their resolution
- The date of assessment and who conducted it
This documentation is what proves to SEC examiners that your oversight is real, not performative. A checklist that says "vendor reviewed: yes" is insufficient. The SEC wants to see what you reviewed and what conclusions you drew.
Contractual Safeguards
The amended rule expects your vendor contracts to include specific provisions related to information security. If your existing agreements lack these clauses, you need to either amend them or document why amendments were not feasible (with compensating controls).
Required Contractual Elements
Confidentiality obligations: The vendor must agree to protect client information and restrict its use to providing contracted services.
Security standards: The contract should specify minimum security requirements, or reference an agreed-upon security framework (SOC 2 compliance, for example).
Incident notification: The vendor must agree to notify you within a specified timeframe (24 to 72 hours is standard) if they discover unauthorized access to your client data.
Right to audit: You should retain the right to assess or audit the vendor's security practices, either directly or through independent third parties.
Subcontractor restrictions: If the vendor uses subcontractors that may access client data, the contract should require equivalent security standards and your notification or approval.
Data return and destruction: Upon contract termination, the vendor must return or securely destroy all client information in their possession.
Practical Reality for Small RIAs
Large custodians and established fintech platforms will not negotiate custom contract terms with a $200M AUM advisory firm. This is a known reality, and the SEC understands it.
What examiners want to see is that you tried. Document your review of existing service agreements. Identify where standard terms address (or fail to address) the required elements. Where gaps exist, document compensating controls: perhaps the vendor publishes a SOC 2 report annually, or maintains a publicly available security whitepaper that addresses your concerns.
The point is demonstrable effort and documented reasoning, not perfect contractual language from every vendor.
Ongoing Monitoring
Initial due diligence is not enough. The amended rule requires ongoing oversight. Security postures change. Vendors get acquired. New vulnerabilities emerge. Your monitoring program must be continuous, not a one-time exercise.
Annual Review Components
At minimum, conduct a formal annual review of each high-risk vendor:
- Request updated SOC 2 reports or security certifications
- Review any security incidents the vendor disclosed during the year
- Confirm that the scope of services (and data access) has not expanded
- Verify that key security contacts and escalation procedures are current
- Assess whether the vendor's risk tier should change
Trigger-Based Reviews
Beyond annual reviews, certain events should trigger an immediate reassessment:
- The vendor discloses a security incident (even if your data was not affected)
- The vendor is acquired by or merges with another company
- You significantly expand the services or data shared with the vendor
- The vendor fails to renew a security certification
- You receive notification of material changes to the vendor's security program
- Negative news coverage about the vendor's security practices
Monitoring Tools for Small Firms
You do not need enterprise-grade vendor risk management software. For a firm with 10 to 30 vendors, a structured spreadsheet or simple database works fine. What matters is consistency and documentation, not the sophistication of the tool.
Track:
- Last review date for each vendor
- Next scheduled review date
- Open remediation items
- Incident history
- Contract renewal dates
Set calendar reminders. Build it into your compliance calendar. The firms that fail examinations are not the ones with imperfect programs. They are the ones with no program at all, or a program that existed on paper but was never actually executed.
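The vendor inventory, the risk tiering by data type, the per-tier review cadence and the trigger-based reassessments described above all fit in a spreadsheet, but the same fields are easy to keep in code, which makes "what is due this month" a function call instead of a manual scan. The following Python script is an added example written for this article; it is not part of the original post or of RegShield. The vendor records are constructed, the data categories mirror the article's tier definitions, the annual cadence for high-risk vendors is the article's minimum, and the two-year and three-year intervals for medium- and low-risk vendors are this example's own assumptions rather than a regulatory figure.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class RiskTier(str, Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


# Data categories taken from the article's tier definitions.
SENSITIVE_DATA = {"ssn", "account_number", "financial_records"}
LIMITED_DATA = {"name", "email", "phone", "planning_inputs"}

# Review cadence per tier, in days. Annual for high-risk vendors is the
# article's minimum; the medium and low intervals are this example's assumptions.
REVIEW_INTERVAL_DAYS = {RiskTier.HIGH: 365, RiskTier.MEDIUM: 730, RiskTier.LOW: 1095}

# Events the article lists as triggers for an immediate reassessment.
TRIGGER_EVENTS = {
    "incident_disclosed", "acquired_or_merged", "scope_expanded",
    "certification_lapsed", "security_program_changed", "negative_coverage",
}

# Constructed "as of" date for the demo below.
AS_OF = date(2026, 1, 20)


def tier_for(data_types: set[str]) -> RiskTier:
    """Assign a risk tier from the kinds of customer information a vendor touches."""
    if data_types & SENSITIVE_DATA:
        return RiskTier.HIGH
    if data_types & LIMITED_DATA:
        return RiskTier.MEDIUM
    return RiskTier.LOW


@dataclass
class Vendor:
    """One row of the vendor inventory (fields follow the article's list)."""
    name: str
    contact: str
    services: str
    data_types: set[str]
    transmission: str                 # e.g. "API", "SFTP", "direct portal access"
    contract_renewal: date
    last_review: date | None = None   # None means no due diligence on record
    open_items: list[str] = field(default_factory=list)
    incidents: list[tuple[date, str]] = field(default_factory=list)
    pending_trigger: str | None = None

    @property
    def tier(self) -> RiskTier:
        return tier_for(self.data_types)

    def next_review(self) -> date | None:
        if self.last_review is None:
            return None
        return self.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[self.tier])

    def record_trigger(self, event: str, on: date, note: str = "") -> None:
        """Flag the vendor for reassessment; incidents are also kept in the history."""
        if event not in TRIGGER_EVENTS:
            raise ValueError(f"unknown trigger event: {event}")
        if event == "incident_disclosed":
            self.incidents.append((on, note))
        self.pending_trigger = event

    def complete_review(self, on: date) -> None:
        self.last_review = on
        self.pending_trigger = None


def reviews_due(vendors: list[Vendor], today: date, lookahead_days: int = 30) -> list[tuple[str, str]]:
    """Return (vendor, reason) pairs for everything needing attention within the window."""
    horizon = today + timedelta(days=lookahead_days)
    due: list[tuple[str, str]] = []
    for v in vendors:
        nxt = v.next_review()
        if v.pending_trigger:
            due.append((v.name, f"trigger: {v.pending_trigger}"))
        elif nxt is None:
            due.append((v.name, "no due diligence on record"))
        elif nxt <= horizon:
            due.append((v.name, f"{v.tier.value}-risk review due {nxt}"))
        if v.contract_renewal <= horizon:
            due.append((v.name, f"contract renews {v.contract_renewal}; re-check terms"))
    return due


def sample_inventory() -> list[Vendor]:
    """Constructed sample vendors (names and dates are made up for this example)."""
    return [
        Vendor("Custodian (constructed)", "ops@example.invalid", "custody, trading",
               {"ssn", "account_number"}, "API", date(2027, 1, 1), last_review=date(2025, 1, 15)),
        Vendor("Newsletter tool (constructed)", "support@example.invalid", "email marketing",
               {"name", "email"}, "direct portal access", date(2026, 2, 10), last_review=date(2025, 6, 1)),
        Vendor("Website host (constructed)", "noc@example.invalid", "static site hosting",
               set(), "none", date(2026, 12, 31)),
    ]


def run_demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Due list before and after a review is completed and an acquisition is flagged."""
    vendors = sample_inventory()
    before = reviews_due(vendors, AS_OF)
    vendors[0].complete_review(AS_OF)                    # annual custodian review done
    vendors[1].record_trigger("acquired_or_merged", AS_OF)  # trigger-based reassessment
    after = reviews_due(vendors, AS_OF)
    return before, after


if __name__ == "__main__":
    for phase, rows in zip(("before", "after"), run_demo()):
        print(phase)
        for name, reason in rows:
            print(f"  {name}: {reason}")
```

Running the script once a month against the real inventory gives the calendar reminder the article asks for; a vendor with no `last_review` is always listed, so a new vendor cannot silently skip initial due diligence, and a trigger event takes precedence over the routine cadence until `complete_review` clears it.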
Common Examination Findings
Understanding what triggers deficiency letters helps you build a program that avoids them. Based on SEC examination priorities and published risk alerts, the most common vendor management deficiencies are:
No vendor inventory. The firm cannot identify which vendors access client data. This is the most basic failure and almost guarantees a deficiency finding.
No written policies. The firm conducts some oversight informally but has no documented procedures. If it is not written down, it did not happen (from the SEC's perspective).
Stale assessments. Initial due diligence was conducted years ago with no subsequent review. The vendor's security posture may have changed dramatically since then.
Missing contractual provisions. Service agreements contain no language about information security, incident notification, or data handling. The firm made no attempt to address the gap.
No incident response integration. The vendor management program exists independently from the incident response program. There is no documented procedure for what happens when a vendor reports a breach.
Inconsistent application. Some vendors were assessed thoroughly while others (often the largest and most critical) received no review because "they are too big to fail." The SEC does not accept this reasoning.
Connecting Vendor Management to Your Other Documents
Your vendor oversight program does not stand alone. It connects to every other compliance document required under the amended rule:
Incident Response Program: Your IRP must include procedures for vendor-reported incidents. When a vendor notifies you of a breach, who at your firm receives the notification? What is your assessment process? How do you determine whether client notification is required?
Breach Notification Procedures: If a vendor breach exposes client data, your notification procedures must activate. The vendor's notification to you starts your own notification clock to affected clients.
Recordkeeping: Every vendor assessment, contract review, monitoring activity, and incident response must be documented and retained. Your recordkeeping procedures should specify retention periods and access controls for vendor oversight records.
This interconnection is exactly what the SEC evaluates. An isolated vendor checklist disconnected from your broader compliance framework signals that the program was built to check a box, not to actually manage risk.
Building This Without Enterprise Resources
For solo practitioners and small firms, the vendor management requirement can feel overwhelming. You are running a business, managing client relationships, and handling investment decisions. Adding a formal vendor risk program on top feels like a full-time job.
It does not have to be. The SEC expects a program that is "reasonably designed" for your firm's size and complexity. A five-person RIA is not held to the same standard as Goldman Sachs. What matters is:
- You identified your vendors
- You assessed their security posture
- You have contractual provisions (or documented why you cannot)
- You monitor them on an ongoing basis
- You documented all of the above
RegShield generates a complete vendor management framework tailored to your firm's actual vendor relationships. You input your vendors, and the system produces assessment templates, monitoring schedules, contract review checklists, and integration points with your incident response program. The entire process takes about 15 minutes and costs $299.
The deadline is June 3, 2026. Your vendor management program should be in place, documented, and operational before that date. Start with the inventory. Everything else builds from there.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.