Understanding Vendor Liability For Investment Advisors: What Regulation S-P Means For Third-Party Risk
By Ben Tercha, Forbes Councils Member, for Forbes Technology Council

Council Post: Expertise from Forbes Councils members, operated under license. Opinions expressed are those of the author.

May 28, 2026, 10:45am EDT

Ben Tercha is COO at Omega Systems, an award-winning managed IT services provider (MSP) and managed security service provider (MSSP).

Picture this: Your firm spent the better part of last year preparing for Regulation S-P. You updated your incident response plan, trained your staff and tightened your policies. You felt ready. Then one of your software vendors suffered a breach, and client data was compromised.

You didn’t cause it. You didn’t even know it was happening. But under the amended rule, the responsibility (and liability) is yours.

This is the compliance blind spot I’m seeing across RIAs and wealth management firms right now. Most are focused on shoring up internal processes and controls before the June 3, 2026, deadline for smaller firms managing under $1.5 billion in assets. (The S-P amendments went into effect for larger RIAs back in December 2025.) But Regulation S-P’s third-party provisions mean your vendors’ security practices are now your regulatory problem, too.

Thus, the firms that may struggle in SEC examinations won’t be the ones who ignored the rule—they’ll be the ones who failed to look beyond their own front door.

What Regulation S-P Actually Requires

The SEC’s May 2024 amendments to Reg S-P go well beyond internal policy updates. Among the most significant—and least discussed—changes is a formal requirement to implement written policies and procedures for overseeing service providers, conducting due diligence and ensuring those providers protect against unauthorized access to customer information. Vendors must notify firms within 72 hours of detecting a breach, after which the covered institution must i...





