Nsight Blog | Ncontracts

April 2026 Vendor Management News

Written by Ncontracts | Apr 2, 2026 1:00:02 PM

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of March 26

Three forces are escalating your third-party risk. Geopolitical conflict, AI-powered attacks, and cyber inequity across vendor ecosystems are converging to create an environment where well-defended organizations still suffer serious incidents. More than 35% of data breaches now originate from a compromised vendor or partner — not from any failure in internal controls. Organizations need to plan for incidents, assume a partner will eventually be compromised, and build coordinated response into their programs before disruption hits.

Smaller investment advisers face a June 3 deadline on Reg S-P. Registered investment advisers with less than $1.5 billion in assets under management must comply with the SEC's amended Regulation S-P requirements by June 3. The amendments require written incident response programs, 30-day customer breach notification, and formal oversight of service providers with access to customer data, including a 72-hour notification requirement if a provider experiences a breach. The SEC has named Reg S-P compliance a 2026 examination priority, so smaller firms should start preparing now.

Financial services firms need tested exit strategies. Static exit plans and generic documentation aren't enough when a critical supplier fails, underperforms, or no longer fits your strategy. Leading organizations are building scenario-specific strategies that distinguish between planned and stressed exits, continuously refreshing documentation as supplier models evolve, and embedding exit planning into business continuity and disaster recovery functions. Hidden sub-outsourcing chains and cloud dependencies remain a persistent blind spot. Without deeper dependency mapping, a rapid large-scale exit may not be as feasible as it looks on paper.

Investment advisers using AI face five key compliance considerations. As AI moves closer to investment decisions, regulators are shifting focus from conflicts of interest to fiduciary duty of care. The SEC's 2026 examination priorities specifically flag the use of automated investment tools and AI technologies. Advisers should be prepared to explain what their AI tools and vendors do and how they monitor them, document intended use cases and material changes, and assess how customer data flows through these systems under Regulation S-P, particularly as tools become more autonomous.

Service and support are the vendor criteria banks keep underweighting. Banks and credit unions under pressure to keep up with fast-moving technology often prioritize features over everything else when making vendor decisions — but that instinct can backfire. The ABA's most recent Core Platforms Survey puts average vendor satisfaction at just 3.19 out of 5, with core provider effectiveness scoring even lower at 2.78. When credit union leaders whose tech plans fell short were asked why, 53% cited insufficient vendor support. For community banks and credit unions already squeezed by competitive pressure, regulatory change, and AI deployment demands, evaluating vendors on service quality, client satisfaction data, case resolution times, and support team structure is critical.

Supply chain cyber resilience demands leadership, not just IT fixes. Supply chain attacks scale easily — compromise one vendor and you can reach hundreds of downstream networks. Yet only 16% of UK organizations brief their C-suite on cybersecurity monthly or more, leaving meaningful accountability gaps at the top. Building real resilience requires more than reactive patching: it means mapping root causes, maintaining clear supplier documentation, and embedding incident response coordination across the entire vendor ecosystem, including every supplier relationship.

Lloyds Banking Group data exposure hits nearly half a million customers. A software defect during an overnight update at Lloyds Banking Group allowed customers to briefly view transaction data belonging to other users, including account numbers and National Insurance numbers. Almost 450,000 customers were affected.