Strategies to Ensure Your Vendors Meet the 72-Hour Notification Requirement in Reg S-P
The SEC’s amended Reg S-P is changing how Registered Investment Advisers manage cybersecurity incidents that involve third parties. Under the new rule, service providers must notify your firm within 72 hours of discovering a breach in security that results in unauthorized access to a customer information system.
That timeline is already tight when your internal systems are affected. It becomes even more challenging when a vendor controls the affected environment, and you rely on them to report quickly and accurately.
If a breach occurs on a vendor’s systems, your RIA is still responsible for responding quickly and meeting your regulatory obligations. Delays or incomplete reporting from a vendor can increase the risk of non-compliance, penalties, and reputational harm.
To reduce these risks, RIAs need a proactive vendor oversight strategy. In this post, we will outline practical steps to ensure your vendors can meet the Reg S-P 72-hour notification requirement.
Understanding the Reg S-P 72-Hour Notification Requirement
The Securities and Exchange Commission’s amended Regulation S-P is designed to accelerate breach detection and reporting across the financial services industry.
The 72-hour notification requirement applies when there is a breach in security resulting in unauthorized access to a customer information system maintained by the service provider. The clock starts from the moment the incident is discovered, not when it is resolved.
The Risks of Vendor Non-Compliance
If a third-party vendor experiences a breach affecting systems that store or process your clients’ information, the responsibility to report still falls on your firm. That means you must receive timely and accurate details from the vendor so you can assess the incident, determine the impact, and file the necessary reports with the SEC.
In practice, this is where many RIAs encounter challenges. RIAs must be confident that every third-party provider with access to client data has both the capability and the commitment to satisfy the firm's due diligence requirements. Even one slow or unprepared vendor can create a compliance gap that puts your firm at legal and financial risk.
Strategy 1: Build Notification Requirements into Vendor Contracts
Your contracts should clearly outline a vendor’s obligation to meet the Reg S-P 72-hour notification requirement. Include specific language about when the clock starts, what constitutes a breach, and the exact information they must provide in their initial report.
Defining these expectations up front creates a binding commitment and reduces the risk of misunderstandings. Work with legal counsel to ensure the contract language is enforceable and aligns with SEC requirements.
The industry has discussed at length the challenges with some larger vendors that are unwilling to modify their agreements, or to modify them before compliance deadlines. While the amended Reg S-P does not require contractual language to enforce the 72-hour notice requirement, securing such language should be your goal where possible. Larger vendors can often point you to existing security policies or practices published on their website that address breach notification.
Strategy 2: Require Vendors to Maintain a Documented Incident Response Plan
A vendor without a mature incident response plan is unlikely to meet the 72-hour standard. Require each vendor to provide a copy of their plan during onboarding and review it for compatibility with your own procedures. Even if they will not disclose the plan itself, at a minimum they should be willing to discuss the specifics that would affect their ability to provide notification of an incident.
Confirm that their plan includes designated points of contact, clear escalation steps, and processes for secure data sharing. If gaps are identified, address them before granting access to sensitive customer information or systems.
Strategy 3: Conduct Regular Vendor Security Audits
Security audits are essential for verifying that vendors are prepared to act quickly when an incident occurs. These audits should evaluate their breach detection capabilities, reporting timelines, and history of prior incidents.
Schedule reviews at least annually, and more often if the vendor’s risk profile changes. Use these security assessments to ensure they can deliver timely, accurate information in line with the Reg S-P 72-hour notification rule.
Strategy 4: Establish a Clear Internal Escalation Path
Even when a vendor notifies you quickly, delays can occur if your internal teams are unclear about next steps. Designate who will receive vendor alerts, how the information will be verified, and who is responsible for initiating your firm’s SEC reporting process. A vendor notice should invoke your own incident response plan, which should address this specific scenario.
This internal alignment ensures there is no wasted time between the vendor’s notice and your regulatory response. Document these procedures in your own incident response plan so all stakeholders are on the same page.
Strategy 5: Provide Joint Training and Simulations
Running joint tabletop exercises with vendors helps identify breakdowns before a real incident occurs. These sessions test not only your vendor’s readiness but also your firm’s ability to process and act on the information received.
Simulations can uncover bottlenecks in communication, clarify expectations, and strengthen relationships with vendors. Repeat these exercises regularly so processes remain sharp and effective.
Strategy 6: Maintain Ongoing Communication and Monitoring
Staying connected with vendors is key to maintaining compliance readiness. Hold quarterly or semi-annual check-ins to review any changes in their security posture or incident response process.
In addition, consider implementing monitoring tools that can detect suspicious activity in vendor-managed systems. This creates an additional layer of assurance that no incident will go unnoticed until it is too late.
Ready to Strengthen Your Vendor Oversight?
At itSynergy, we help RIAs prepare for and respond to incidents that involve third-party vendors. Our team can assist with developing tailored incident response procedures, establishing vendor communication protocols, and ensuring your breach reporting process is fast and accurate.
Contact us today to discuss how we can strengthen your vendor oversight and keep your firm ready to respond when it matters most.