Regulation S-P Vendor Oversight: How to Document Service Provider Compliance Before June 3
When a vendor that handles your customer information gets breached, the compliance failure belongs to you. Under the SEC's amended Regulation S-P, financial firms are now responsible for documenting vendor oversight. Not just conducting it. Smaller entities have until June 3, 2026 (larger entities' compliance date was December 3, 2025) to have written policies in place for due diligence, contractual breach notification within 72 hours, and ongoing monitoring of every service provider with access to customer information.
This is not a general best practice recommendation. It is a regulatory requirement that SEC examiners will test. The Division of Examinations has listed Regulation S-P in its FY 2026 priorities and has explicitly flagged vendor oversight as a focus area. Third-party risk management now appears across multiple examination categories, including cybersecurity, broker-dealer supervision, and investment adviser compliance.
For firms that rely on administrators, custodians, fund accounting platforms, cloud providers, or any other vendor that touches customer data, this guide covers the three components of the service provider oversight obligation, what documentation examiners expect, and how to build a vendor compliance program that satisfies the requirements before the deadline.
Why Vendor Oversight Became a Regulation
Financial firms have always outsourced critical functions. Custodians hold assets. Administrators process transactions. Cloud providers host systems. Transfer agents manage shareholder records. The 2024 amendments to Regulation S-P recognize that this dependence on service providers creates a data protection chain where any weak link exposes customer information.
Before the amendments, Regulation S-P required firms to safeguard customer information within their own operations. The amended regulation extends that obligation outward: firms must now ensure that every service provider with access to customer information maintains adequate safeguards and can notify the firm within 72 hours of a breach.
The practical implication is that your firm's compliance posture is only as strong as your least-prepared vendor. If a service provider is breached and does not notify you within 72 hours, your incident response starts late, your 30-day customer notification window opens later than it should, and the customers whose data was exposed wait longer for notice. If you have no documentation showing you assessed that provider's security practices before engagement, the gap in your oversight record becomes the examiner's finding.
The Three Components of Service Provider Oversight
The amended Regulation S-P requires covered institutions to establish, maintain, and enforce written policies and procedures for oversight of service providers. This breaks into three documented obligations.
Component 1: Due Diligence Before Engagement
Before contracting with any service provider that will access customer information, your firm must assess the provider's ability to safeguard that information. This is not limited to technology vendors. It applies to any entity that receives, maintains, processes, or otherwise has access to customer information on your behalf, including fund administrators, accounting firms, legal service providers with access to client records, and cloud infrastructure providers.
The due diligence documentation should address:
- Security posture assessment: What administrative, technical, and physical safeguards does the provider maintain? Do they have a SOC 2 report, ISO 27001 certification, or equivalent attestation?
- Incident response capability: Does the provider have a written incident response program? Can they detect, assess, and contain a breach independently? Can they notify you within 72 hours?
- Data handling practices: What customer information will the provider access? How is it stored, transmitted, and eventually disposed of?
- Sub-service provider risk: Does the vendor rely on its own third parties that may also access your customer information? How is that chain managed?
Component 2: Contractual Requirements
Your service provider agreements must include specific provisions that reflect the amended Regulation S-P requirements. This is where many firms will need to take immediate action, because existing contracts were typically written before the 2024 amendments and may lack the required language.
At minimum, contracts with service providers that access customer information should include:
- 72-hour breach notification: The provider must notify your firm as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system the provider maintains. The 72-hour figure is fixed in the rule text and is not negotiable. The rule leaves firms some flexibility in how they impose the requirement on providers, but a contract clause is the enforceable way to do it, and it is what examiners will look for.
- Safeguard obligations: The provider must implement and maintain measures to protect against unauthorized access to or use of customer information.
- Incident cooperation: The provider must cooperate with your firm's incident response process, including providing information needed to assess the scope and impact of a breach.
- Notification delegation (optional): If you want the service provider to notify affected customers directly in the event of a breach at their systems, the contract must explicitly state this delegation. However, your firm retains ultimate responsibility for ensuring notification happens and complies with the regulatory requirements.
- Audit and inspection rights: The ability to verify the provider's compliance with their safeguard and notification obligations.
Component 3: Ongoing Monitoring
Due diligence at onboarding is necessary but not sufficient. The regulation requires ongoing oversight to ensure service providers continue to maintain adequate safeguards. This means your vendor oversight program must include a documented monitoring cadence.
Effective ongoing monitoring includes:
- Periodic reassessment: Review the service provider's security posture at regular intervals. The rule does not prescribe a frequency, so your policy must set one and justify it; annual review is the common baseline, and higher-risk vendors warrant more frequent review.
- Incident history review: Has the provider experienced any breaches or security incidents since your last assessment? How were they handled?
- Attestation updates: If the provider maintains SOC 2 or other security certifications, confirm that reports are current and review any exceptions or findings.
- Contractual compliance verification: Confirm that the provider continues to meet the notification and safeguard obligations specified in your agreement.
- Change monitoring: Has the provider undergone significant changes (acquisitions, infrastructure migrations, leadership changes) that could affect their security posture?
Document every monitoring activity. When an SEC examiner asks how you oversee your service providers, the answer must be supported by records, not a verbal description of your process.
The Vendor Gap: Why This Is Harder Than It Sounds
The challenge is compounded for smaller firms. A large RIA with a dedicated compliance team and legal department can negotiate contract amendments, conduct security assessments, and maintain monitoring records across dozens of vendors. A smaller firm with a handful of employees is often using the same vendors (custodians, portfolio management systems, cloud storage) but lacks the internal resources to conduct and document the required oversight.
This is where standardized assessment frameworks become essential. Rather than building a custom review process from scratch for each vendor, firms need a repeatable, documented approach that asks the right questions, records the answers, and produces evidence that satisfies examiner expectations. A structured vendor resilience assessment does exactly this.
What SEC Examiners Will Request
When an SEC examiner evaluates your Regulation S-P compliance, the vendor oversight review will focus on documentation. Based on the SEC's examination priorities and the amended regulation's recordkeeping requirements, expect requests for:
- Written vendor oversight policies and procedures. The document that describes your firm's approach to due diligence, contracting, and monitoring of service providers with access to customer information.
- Inventory of service providers. A list of every vendor that accesses customer information, what information they access, and how they are categorized by risk.
- Due diligence records. The assessments conducted before engaging each service provider, including what was evaluated and the conclusions reached.
- Contracts with notification provisions. Copies of service provider agreements showing the 72-hour breach notification clause and safeguard obligations.
- Monitoring records. Evidence of ongoing oversight activities including periodic reassessments, attestation reviews, and any findings or remediation actions.
- Incident records. If any service provider experienced a breach, documentation of the notification received, the firm's investigation, and any customer notification decisions.
Investment advisers must retain these records for at least five years. Broker-dealers must retain them for at least three years.
A Practical Path to Vendor Oversight Compliance
For firms approaching the June 3 deadline, here is the practical sequence for building a compliant vendor oversight program:
- Build your vendor inventory. List every service provider that receives, maintains, processes, or otherwise has access to customer information. Include custodians, fund administrators, portfolio management systems, cloud providers, IT managed service providers, accounting firms, and any other entity with access to nonpublic personal information.
- Tier vendors by risk. Not every vendor requires the same level of oversight. A custodian holding client assets and SSNs presents higher risk than a marketing analytics tool with no access to sensitive data. Assign risk tiers based on the sensitivity of information accessed and the criticality of the service provided.
- Conduct due diligence assessments. For each vendor, document the assessment of their security posture, incident response capability, and data handling practices. Use a standardized questionnaire to ensure consistency. Continuity Strength's compliance evidence packages produce vendor oversight documentation and review-ready records for audits and customer requests.
- Review and amend contracts. Confirm that every agreement includes the 72-hour breach notification requirement and safeguard obligations. Where it does not, contact the vendor to execute an addendum. Prioritize contracts with high-risk vendors.
- Establish a monitoring schedule. Define the frequency and scope of ongoing monitoring for each risk tier. Document the monitoring activities as they are conducted.
- Write your vendor oversight policy. This is the overarching document that describes your firm's approach. It should reference the due diligence process, contractual requirements, monitoring cadence, and recordkeeping obligations. This policy is the first thing an examiner requests.
The entire process can be compressed into weeks if you work with a structured framework. The goal is not to produce a perfect program. It is to produce a documented, reasonable program that demonstrates your firm takes service provider oversight seriously and can show examiners the records to prove it.
How This Connects to Your Incident Response Program
Vendor oversight does not exist in isolation. It is a component of your broader incident response program under Regulation S-P. When a service provider notifies you of a breach within the 72-hour window, your incident response program must activate. The assessment, containment, notification determination, and customer communication procedures all apply. The only difference is that the breach originated externally rather than internally.
This means your incident response plan must include a specific scenario for vendor-originated breaches: who receives the 72-hour notification from the vendor, how the investigation proceeds when your firm does not control the compromised systems, and how customer notification is coordinated when the breach occurred at a third party's infrastructure.
If you have not yet built your incident response program, the vendor oversight documentation fits within it as a component. Building both simultaneously is more efficient than building them sequentially.
Vendor Oversight Documentation: Start Before the Deadline
Continuity Strength produces vendor oversight documentation, incident response plans, tabletop exercise records, and business impact analysis outputs in a review-ready format. The compliance evidence packages generate the operational documentation auditors and enterprise customers ask for. Select the package that fits your firm and start producing documentation today.
See Compliance Evidence Packages

Not sure which package fits? Email us and we will point you in the right direction.
Frequently Asked Questions
Which service providers does Regulation S-P vendor oversight apply to?
The vendor oversight obligation applies to any service provider that receives, maintains, processes, or otherwise has access to customer information on the firm's behalf. This includes custodians, fund administrators, transfer agents, cloud infrastructure providers, portfolio management systems, IT managed service providers, accounting firms with access to client records, and any other entity that handles nonpublic personal information of the firm's customers.
What is the 72-hour breach notification requirement for service providers?
Under the amended Regulation S-P, covered institutions must have written policies requiring service providers to notify the firm as soon as possible, but no later than 72 hours, after becoming aware that a breach has occurred resulting in unauthorized access to a customer information system maintained by the service provider. This 72-hour window gives the firm time to initiate its incident response program and meet its own 30-day customer notification obligation.
Can I delegate customer breach notification to my service provider?
Yes. A covered institution may enter into a written agreement with a service provider to notify affected customers on the firm's behalf. However, the regulation is clear that the ultimate responsibility for ensuring notification happens and complies with regulatory requirements remains with the firm. Delegation does not eliminate accountability. If the service provider fails to notify customers properly, the compliance failure belongs to the firm.
What vendor oversight records must I retain under Regulation S-P?
Covered institutions must maintain written records including vendor oversight policies and procedures, due diligence assessments for each service provider, contracts with notification and safeguard provisions, ongoing monitoring records, and documentation of any incidents involving service providers. Investment advisers must retain these records for at least five years. Broker-dealers must retain them for at least three years.
Do I need to amend existing vendor contracts before June 3, 2026?
If your existing contracts with service providers that access customer information do not include the 72-hour breach notification requirement and safeguard obligations required by the amended Regulation S-P, those contracts should be updated before the compliance deadline. This can be done through a contract amendment or addendum. Prioritize contracts with vendors that access sensitive customer information such as Social Security numbers, tax identification numbers, and account numbers or credentials, because unauthorized access to this category of data is what triggers the customer notification requirement unless your firm determines, and documents, that substantial harm or inconvenience is not reasonably likely.