
June 2026 Vendor Management News

Jun 4, 2026

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of June 4

Wealth manager's third-party cloud breach hits 9,000 clients. A wealth management firm disclosed a November 2025 incident affecting nearly 9,000 people. A cybercriminal accessed third-party cloud application accounts and downloaded files containing clients' names, dates of birth, Social Security numbers, and account numbers. This is separate from an earlier incident involving an affiliated entity that impacted over 9,300 people.  

Smaller RIAs hit Reg S-P deadline. Yesterday marked the compliance deadline for smaller SEC-registered investment advisers under the amended Regulation S-P. Firms with less than $1.5 billion in regulatory assets under management must now have written incident response programs, 30-day customer notification procedures, expanded vendor oversight obligations, and updated recordkeeping practices — requirements that didn't exist under the original rule. The SEC has signaled that Reg S-P compliance will be a priority in examinations conducted later this year. Firms with over $1.5 billion in managed assets already had their December 2025 compliance date.

Carnival breach exposes nearly 6 million customers. The world's largest cruise operator confirmed that hackers stole personal data from nearly 6 million customers in an April cyberattack. The attack was a phishing attempt against a third-party account, giving attackers access to names, dates of birth, passport and driver's license numbers, and loyalty program data.  

The missing measure in third-party risk. Despite widespread TPRM programs, most organizations still lack a standardized way to convert vendor evidence — questionnaires, certifications, audits, contracts, and insurance — into a comparable measure of residual risk. Without that common unit of measure, threshold decisions drift toward reviewer experience and business urgency rather than consistent governance. Some experts suggest a universal, assured measurement methodology that supports vendor decisions, exception management, portfolio aggregation, benchmarking, and risk transfer across the full vendor ecosystem.

AI governance lands on CFO desks. As financial institutions embed AI across credit decisioning, fraud detection, AML monitoring, and trading, compliance obligations are multiplying. US regulators expect fair lending compliance for AI-driven decisions, transparent credit outcome explanations, and full application of model risk management frameworks — and FIs remain accountable for third-party models they use even when sourced externally. CFOs are advised to build comprehensive AI model inventories, strengthen vendor oversight for AI tools, and treat compliance as a strategic capability rather than a cost center. 

