Broker-dealers, investment companies, and registered investment advisers (RIAs) have always been responsible for protecting consumers' private information. Now, an update to the SEC’s Regulation S-P extends that responsibility to their third-party service providers – requiring financial firms to increase oversight of vendors with access to protected information.
Under the final amended rule of Regulation S-P, effective August 2, 2024, covered institutions must have an incident response plan in the event of unauthorized access or use of customer information. This includes a requirement to provide customers with clear notification within 30 days of the incident or discovery.
This notification is required whether the unauthorized access occurs through the financial firm or one of its vendors with access to sensitive customer information. That means covered institutions need to implement strong third-party risk (aka vendor management) programs to ensure vendors with access to protected information have adequate systems and processes in place to secure that data and disclose any misuse.
Understanding Regulations S-P’s Vendor Management Requirements
What does this change to Regulations S-P mean for your financial firm? Here is where you need to focus your attention.
Due diligence and monitoring: Financial institutions must conduct thorough due diligence when selecting third-party service providers (aka vendors) to ensure they comply with the requirements of Regulations S-P. To do this, firms must collect and review vendor documents that demonstrate how they are protecting data. This can include policies and procedures, penetration test results, or a SOC-2 report, among other documents. They must then analyze the documents to determine whether the vendor is in compliance.
Related: Costly Service Provider Mistakes for Investment Advisors
Written policies and procedures: Covered institutions are required to establish, maintain, and enforce written vendor management policies and procedures that ensure service providers are appropriately overseeing and safeguarding customer information. These policies should be designed to ensure that service providers implement adequate safeguards and should be backed by sufficient resources to adequately vet and monitor vendors.
Related: Policies as a Power Tool: Creating Policies that Get the Job Done
Notification requirements: Service providers must be able to notify the covered institutions promptly (no later than 72 hours) if there is a breach involving customer information. The institution, in turn, retains the obligation to ensure that affected individuals are notified in accordance with the regulatory requirements.
Contractual Obligations: Financial institutions will likely need to revise their contracts with third-party service providers to include specific provisions about incident response, notification requirements, and the protection of customer information. These contracts should clearly define the responsibilities of the service providers and ensure compliance with Regulation S-P.
Related: How to Negotiate Cost-Saving Vendor Contracts Whitepaper
Ongoing Oversight: Institutions must continuously monitor their service providers to ensure they maintain compliance with the safeguarding and notification requirements. This includes regular audits, reviews, and updates to ensure that the service provider's security measures remain effective. Basically, it’s revisiting earlier due diligence and determining if anything has changed that would make the vendor relationship riskier than previously thought.
Recordkeeping: Institutions must keep detailed records documenting their compliance with the regulation, including the steps taken to oversee service providers. This documentation is crucial for demonstrating regulatory compliance and for use in the event of an audit or regulatory inquiry.
Regulations S-P and the Vendor Management Lifecycle
Regulation S-P places a strong emphasis on ensuring that financial institutions not only protect customer information within their own operations but also extend these protections through robust vendor management practices. This means that institutions will need to be more diligent in their selection, contracting, and oversight of third-party service providers to ensure full compliance with the rule.
This is best accomplished with a formal vendor management program. An effective vendor management program follows best practices to address each of the five steps of the vendor management lifecycle (planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination).
- Planning. Considering why you’re outsourcing an activity, the potential risks, and what you need from a service provider or vendor.
- Due diligence and vendor selection. Review information about potential vendor(s) to determine whether it’s capable of safely and effectively serving your firm and if you’ll be comfortable moving forward.
- Contract negotiation. Include provisions that ensure data is protected and that your firm will have access to the documentation it needs to verify data is protected.
- Ongoing monitoring. Verify the vendor is delivering on contract provisions and that data is safe. If there are issues, escalate them to ensure they are resolved promptly and effectively.
- Termination. When the relationship ends, the contract is your guide to termination. Make sure you include provisions for what happens to your data and whether you have to pay to have it transferred elsewhere.
Help Managing SEC Vendor Requirements
While compliance with third-party risk management requirements feels like an overwhelming task and a significant burden, vendor management software solutions and services make these tasks much more manageable.
Nvendor is a comprehensive vendor management solution designed to help financial firms comply with regulatory requirements, such as those outlined in the SEC’s updated Regulation S-P. Nvendor provides vendor oversight tools covering all five phases of the vendor management lifecycle to help ensure third-party service providers are complying with data protection standards.
By using Nvendor, financial firms can streamline their vendor management processes, ensuring robust oversight and compliance. Add-on services can also streamline due diligence, with Ncontracts’ team of experts collecting and reviewing due diligence documents and summarizing a vendor’s strengths and weaknesses.
This not only helps in maintaining regulatory compliance but also enhances the overall security posture of the institution by ensuring that all vendors consistently follow best practices for data protection and incident response.
Want to see how Nvendor can help your firm comply with Regulations S-P?
Subscribe to the Nsight Blog
Share this
Costly Service Provider Mistakes for Investment Advisors
Regulating the Future: What Financial Institutions Need to Know About AI and Regulatory Risks
