
Understanding the SEC’s Regulation S-P Vendor and Incident Response Requirements

Jan 15, 2026

The SEC's amended Regulation S-P requirements for broker-dealers, investment companies, and registered investment advisers are already in effect for larger entities (as of December 3, 2025) and take effect for smaller entities on June 3, 2026.

Broker-dealers, investment companies, and registered investment advisers (RIAs) have always been responsible for protecting customers' nonpublic personal information. The amended Reg S-P does not regulate vendors directly; instead, it makes the covered firm responsible for overseeing them. Firms must conduct due diligence on, and monitor, third-party service providers that receive or access customer information, and must require those providers to protect the data and report breaches back to the firm.

Covered firms must establish, maintain, and enforce a written incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. When an incident occurs, the firm must notify affected individuals as soon as practicable, and no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The one carve-out: notice is not required if the firm determines, after a reasonable investigation, that the sensitive customer information has not been and is not reasonably likely to be used in a way that would result in substantial harm or inconvenience. The 30-day clock applies regardless of whether the unauthorized access originated at the firm itself or at a third-party vendor handling customer information on its behalf.

If your firm is falling behind on compliance requirements or is unsure where to start, now is the time to take steps to protect your clients' information by strengthening your third-party risk management program and ensuring your vendors implement proper controls and report data misuse.  

After all, your vendors’ risk is your firm’s risk, too.

Related: What is Vendor Management? Processes, Best Practices, and Challenges 

Why vendor oversight is now an SEC examination priority

Third-party risk management (TPRM) has become increasingly important to regulators, and it's a central theme in the SEC Division of Examinations' 2026 Examination Priorities. Vendor oversight appears across many of the focus areas, which signals a broader shift in how the SEC views third-party risk: rather than a narrow compliance obligation, vendor management is treated as part of the critical infrastructure supporting a firm's core operations, and therefore as a major source of operational risk.

The Division of Examinations is evaluating vendor oversight in several ways:  

  • Regulation S-P and Regulation S-ID: Governance, controls, and oversight of third parties involved in safeguarding customer information and preventing identity theft, including documented vendor oversight activities and, by extension, visibility into vendors’ use of artificial intelligence (AI). 
  • Broker-dealer supervision: How firms oversee vendor-provided services that support financial reporting records, change management, and other core operational and compliance functions. 
  • Emerging financial technology: Oversight of outsourced providers offering AI tools, algorithmic services, and other automated or advanced technology solutions.

The message from regulators is clear: it’s no longer enough to have vendor contracts on file. Examiners are looking for evidence of ongoing oversight, documented governance, and effective controls that demonstrate firms are actively managing third-party risk — not simply checking compliance boxes. 

Related: 5 Ways to Strengthen Your FI’s Vendor Management Program  

What are Regulation S-P's vendor management requirements?

So what do the Regulation S-P updates mean for your financial firm? Here’s where to focus your attention:  

  • Due diligence and monitoring: Firms must conduct thorough due diligence when selecting third-party service providers (aka vendors) to confirm they can safeguard customer information and report breaches as the rule requires. In practice, that means collecting and reviewing evidence of how the vendor protects data: information security policies and procedures, penetration test results, SOC 2 reports, and similar documents. Collecting the documents is not enough; the firm has to analyze them, note any exceptions or findings, and document its conclusion about whether the vendor's controls are adequate.
  • Written policies and procedures: Covered firms must establish, maintain, and enforce written vendor management policies and procedures that ensure service providers are appropriately overseeing and safeguarding customer information. These policies should be designed to ensure that service providers implement adequate safeguards and are backed by sufficient resources to adequately vet and monitor vendors. 
  • Notification requirements: Firms must require their service providers to notify them as soon as possible, and no later than 72 hours after the provider becomes aware of a breach in security resulting in unauthorized access to a customer information system the provider maintains. Firms, in turn, must ensure that affected individuals are notified within 30 days in accordance with the regulatory requirements. A firm may delegate the customer-notification task to a service provider, but the firm remains responsible for compliance if the provider fails to deliver the notices.
  • Contractual obligations: Firms will likely need to revise their contracts with third-party service providers to include specific provisions about incident response, notification requirements, and the protection of customer information. These contracts should clearly define the responsibilities of the service providers and ensure compliance with Regulation S-P.
  • Ongoing oversight: Firms must continuously monitor their service providers to ensure they maintain compliance with the safeguarding and notification requirements. This includes regular audits, reviews, and updates to ensure that the service provider's security measures remain effective. Basically, it’s revisiting earlier due diligence and determining if anything has changed that would make the vendor relationship riskier than previously thought.
  • Recordkeeping requirements: Firms must keep detailed records documenting their compliance with the regulation, including the steps taken to oversee service providers. This documentation is crucial for demonstrating compliance during an examination or regulatory inquiry. Records supporting compliance with the Safeguards and Disposal Rules, including records of incidents, investigations, and notifications, must be retained for at least five years for registered investment advisers, three years for broker-dealers, and six years for registered investment companies, with the first two years in an easily accessible place in each case.

Related: Is Your Firm Ready for Amended Regulation S-P? 

Regulation S-P and the vendor management lifecycle

Regulation S-P places a strong emphasis on ensuring that firms not only protect customer information within their own operations but also extend these protections through robust vendor management practices. This means that firms will need to be more diligent in their selection, contracting, and oversight of third-party service providers to ensure full compliance with the rule. 

This is best accomplished with a formal vendor management program. An effective vendor management program follows best practices to address each of the five steps of the vendor management lifecycle:  

Vendor Risk Management Lifecycle

  • Planning. Consider why you’re outsourcing an activity, the potential risks, and what you need from a service provider or vendor.
  • Due diligence and vendor selection. Review information about the potential vendor(s) to determine whether they are capable of safely and effectively serving your firm and whether you are comfortable moving forward.
  • Contract negotiation. Include provisions that ensure data is protected and that your firm will have access to the documentation it needs to verify that data is protected. For Reg S-P, contracts should clearly define vendor responsibilities for incident response, 72-hour breach notification, and compliance.
  • Ongoing monitoring. Verify the vendor is delivering on contract provisions and that data is safe. If there are issues, escalate them to ensure they are resolved promptly and effectively.
  • Termination. When the relationship ends, the contract is your guide to termination. Make sure you include provisions for what happens to your data and whether you have to pay to have it transferred elsewhere. 

Related: How to Break Up with Your Vendor

What tools can help firms comply with Reg S-P vendor requirements?

Managing third-party risk and adhering to new requirements can be complex, but vendor management software and services make compliance more manageable, helping firms stay compliant and competitive as they grow.

The right solution helps financial firms meet Regulation S-P requirements, as well as broader SEC and FINRA expectations, by providing tools to oversee every phase of the vendor lifecycle and ensuring third-party service providers adhere to data protection and compliance standards. Vendor management software streamlines processes and delivers consistent oversight, while compliance management software ensures firms stay ahead on the latest regulatory news and updates. 

Beyond compliance, these solutions strengthen competitive positioning by allowing firms to outsource confidently while effectively managing third-party risks. They also support business continuity during disruptions — critical for protecting reputation and client relationships — while reducing dependence on costly external legal or compliance resources through built-in expertise and regulatory intelligence. 

Are you ready to comply with Reg S-P requirements? Spot risks and ensure your compliance and vendor management programs are exam-ready with our free checklist.
