RIA Vendor Management: What SEC and NYDFS Actually Require
Vendor management is one of the most common deficiency findings in SEC cybersecurity exams. Here is what both regulators expect, what your contracts need to include, and a practical workflow for firms that do not have a full-time compliance team.
Why vendor management matters for RIAs
A typical RIA uses 10 to 30 third-party service providers: custodians, portfolio management software, CRM, email, cloud storage, financial planning tools, compliance platforms, IT managed service providers, and probably a few more that nobody remembers signing up for. Many of these vendors have direct access to customer PII and non-public personal information (NPI).
When a vendor gets breached, it is still your client's data. Regulators hold the RIA responsible for the vendors it chooses. The SEC has brought enforcement actions against firms whose vendor relationships lacked basic oversight. The NYDFS has done the same when a third party turned out to be the way attackers got in.
Reg S-P vendor requirements (17 CFR 248.30)
The 2024 amendments to Reg S-P expanded the vendor oversight requirements for SEC-registered investment advisers. Here are the provisions that matter:
- Written policies for service provider oversight. Rule 248.30(a)(3) requires covered institutions to adopt written policies and procedures for the "oversight of service providers," including "taking steps to select and retain service providers that are capable of maintaining appropriate safeguards."
- 72-hour notification requirement. Under Rule 248.30(b)(3), service providers must notify you of any incident involving unauthorized access to customer information as soon as possible, and no later than 72 hours after becoming aware. Your contracts must include this provision.
- Contractual requirements. Agreements with service providers must require them to maintain safeguards for customer information. While Reg S-P does not dictate exact contract language, you need enforceable provisions for data protection, notification, and cooperation during incidents.
- Reasonable selection. You must take steps to select service providers that can maintain appropriate safeguards. This means due diligence before onboarding, not just signing a contract and hoping for the best.
NYDFS third-party service provider rules (23 NYCRR 500.11)
For firms subject to NYDFS, Section 500.11 requires a written policy for third-party service provider security. The 2023 amendments added more specific requirements:
- Written policies and procedures designed to ensure the security of information systems and NPI accessible to or held by third-party service providers
- Risk-based due diligence processes to evaluate the adequacy of each third party's cybersecurity practices
- Minimum cybersecurity practices required of third-party service providers, including MFA for any third party with access to your NPI
- Periodic assessment of third-party cybersecurity practices based on risk
- Written contract provisions requiring the third party to notify you of cybersecurity events
Building your vendor inventory
You need to know who your vendors are. That sounds obvious, but a lot of RIAs cannot produce a complete vendor list when examiners ask for one. Your inventory should include:
Vendor inventory fields
1. Vendor name and primary contact
2. Service provided
3. Type of data accessed (NPI, PII, none)
4. Access method (direct system access, API, data transfer, none)
5. Contract date and renewal date
6. Whether the contract includes data protection and notification provisions
7. Date of last due diligence review
8. Risk tier (high, medium, low)
9. SOC 2 report status (if applicable)
10. Whether the 72-hour notification clause is in the contract
Categorize vendors by risk tier. A custodian with full access to client accounts is high risk. A marketing agency with no access to client data is low risk. Focus your due diligence efforts accordingly.
Vendor due diligence checklist
For high- and medium-risk vendors (those with access to NPI or to your systems), conduct due diligence that covers:
- Security certifications. Does the vendor have a current SOC 2 Type II report? If so, review it. Pay attention to any qualified opinions or exceptions noted.
- Data handling practices. Where is your data stored? How is it encrypted? Who at the vendor has access? What happens to your data if you terminate the relationship?
- Incident response capabilities. Does the vendor have a documented incident response plan? What are their notification timelines? Will they meet the 72-hour requirement?
- Business continuity. What happens if the vendor has an outage? What are their recovery capabilities?
- Sub-processors. Does the vendor use sub-processors who will also access your data? If so, the same due diligence standards should apply.
- Insurance. Does the vendor carry cyber liability insurance?
- Regulatory compliance. Is the vendor subject to its own regulatory requirements (banking regulations, HIPAA, etc.)? Are they in compliance?
What your contracts need to include
Every contract with a vendor that accesses customer information should include these provisions:
- 72-hour incident notification. Required by Reg S-P. The vendor must notify you as soon as possible, and no later than 72 hours after discovering unauthorized access to customer information in their custody.
- Data protection standards. The vendor must maintain safeguards at least as protective as those required by your WISP and applicable regulations.
- Data use limitations. The vendor may only use customer data for the purposes specified in the agreement.
- Audit and assessment rights. You retain the right to assess the vendor's security practices and request evidence of compliance (SOC 2 reports, penetration test summaries, etc.).
- Data return and destruction. Upon termination, the vendor must return or securely destroy all customer data and certify the destruction.
- Cooperation during incidents. The vendor must cooperate with your incident response efforts, including providing information needed to notify affected individuals.
- Sub-processor controls. If the vendor uses sub-processors, they must ensure those parties meet the same security standards.
How many vendors is too many?
There is no regulatory cap, but more vendors means more risk surface. Every vendor with access to NPI is another way a breach can start. A few things to keep in mind:
- Consolidate where possible. If two vendors provide overlapping services, consider whether you need both.
- Eliminate unused vendor access. If you stopped using a service but the vendor still has credentials or API access, revoke it.
- Classify vendors by data access, not by contract value. A free tool that has access to client email addresses is a higher risk than an expensive service that handles no customer data.
Ongoing monitoring workflow
Due diligence is not something you do once at onboarding and forget about. Both the SEC and NYDFS expect ongoing monitoring. Here is an annual workflow that keeps it manageable:
Annual vendor management workflow
- Q1: Review vendor inventory. Add new vendors, remove terminated ones, update risk tiers, verify contact information.
- Q2: Request updated SOC 2 reports. For high-risk vendors, request the latest SOC 2 Type II or equivalent security documentation. Review and note any exceptions.
- Q3: Contract review. Check expiring contracts. Ensure all vendor agreements include the 72-hour notification clause and data protection provisions. Prioritize amending contracts that lack these terms.
- Q4: Risk reassessment. Reassess vendor risk tiers. Have any vendors experienced breaches? Changed ownership? Added sub-processors? Document your findings.
Common exam findings on vendor management
Based on SEC examination results and NYDFS enforcement actions, here are the vendor management issues examiners flag most often:
- No centralized vendor inventory (vendors tracked informally or not at all)
- No due diligence documentation for high-risk vendors
- Contracts that do not include notification requirements or data protection provisions
- No evidence of ongoing vendor monitoring or periodic reassessment
- Former vendors that still have active access to firm systems
- No process for assessing vendor sub-processors
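The inventory fields above and this list of exam findings map directly onto a small audit script. The following is an added example, not a tool from the page or from BlackSheep; the field names, the tiering rule, the 12-month review window and the sample vendors are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Vendor:                          # one inventory row (fields as listed above)
    name: str
    data_accessed: str                 # "NPI", "PII" or "none"
    access_method: str                 # "direct", "api", "transfer" or "none"
    has_data_protection_clause: bool
    has_72h_notification_clause: bool
    last_review: "date | None"         # date of last due diligence review, None if never
    active: bool                       # still used by the firm
    access_revoked: bool               # credentials and API keys removed
    uses_subprocessors: bool
    subprocessors_reviewed: bool

def risk_tier(v: Vendor) -> str:
    # Tier by data access and access method, never by contract value.
    if v.data_accessed == "NPI" or v.access_method == "direct":
        return "high"
    if v.data_accessed == "PII" or v.access_method in ("api", "transfer"):
        return "medium"
    return "low"

def audit(vendors, today: date) -> list:
    # Returns (vendor, finding) pairs mirroring the common exam findings.
    findings = []
    for v in vendors:
        if not v.active:               # terminated vendor: only check that access is gone
            if not v.access_revoked:
                findings.append((v.name, "former vendor still has active access"))
            continue
        if risk_tier(v) == "low":      # no NPI/PII and no system access: inventory entry suffices
            continue
        if not (v.has_72h_notification_clause and v.has_data_protection_clause):
            findings.append((v.name, "contract lacks notification or data protection provisions"))
        if v.last_review is None:
            findings.append((v.name, "no due diligence documentation"))
        elif (today - v.last_review).days > 365:
            findings.append((v.name, "due diligence review older than 12 months"))
        if v.uses_subprocessors and not v.subprocessors_reviewed:
            findings.append((v.name, "sub-processors not assessed"))
    return findings

TODAY = date(2025, 4, 1)               # review date used for the sample run
SAMPLE = [                             # constructed sample inventory, not real vendors
    Vendor("Custodian A", "NPI", "direct", True, False, date(2024, 1, 15), True, False, True, False),
    Vendor("Old CRM", "PII", "api", True, True, date(2025, 1, 10), False, False, False, False),
    Vendor("Print shop", "none", "none", False, False, None, True, False, False, False),
]
```

Running `audit(SAMPLE, TODAY)` flags the custodian three times and the terminated CRM once, while the low-risk print shop produces nothing despite its bare contract.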
If a few of those bullet points describe your firm, you are not alone. Vendor management is one of the widest compliance gaps across the industry. The good news is it is also one of the easiest to fix once you have a system for tracking it.
If you want a platform that manages your vendor inventory, tracks due diligence, and monitors contract provisions automatically, BlackSheep starts at $249/month.