Third-Party Risk Management for RIAs: What Reg S-P Requires and How to Automate It
The amended Reg S-P does not just require you to protect your own systems. It requires you to ensure that every service provider with access to customer information protects theirs. Most RIAs have 15 to 30 vendors they have never formally assessed. The SEC expects you to know who they are, what data they touch, and whether their contracts include the right clauses.
What Reg S-P requires for vendor oversight
The Reg S-P amendments added explicit requirements for how RIAs manage third-party service providers. Three obligations stand out:
- Written policies and procedures for overseeing service providers. You need documented procedures for vetting a vendor before you engage them and for monitoring them afterward, reasonably designed to ensure they protect the customer information they hold. "We trust our MSP" is not a policy.
- Breach notification as soon as possible, and no later than 72 hours after the provider becomes aware of a breach affecting your client data. The rule requires your oversight program to be reasonably designed to ensure this happens; in practice the only way to make it enforceable is to write the window into the contract.
- Ongoing due diligence and monitoring of each vendor's security posture. A one-time check at onboarding is not enough. The rule does not prescribe a cadence, but an annual reassessment is the baseline most firms adopt, and you need to confirm each year that the vendor still meets your requirements.
The SEC holds the RIA responsible for vendor failures. If your CRM vendor gets breached and you never assessed their security or required breach notification in the contract, that is your problem in the exam room.
Who counts as a "service provider"
More vendors than you think. If a company has access to, stores, or processes any of your client information, they are a service provider under Reg S-P. For a typical RIA, this includes:
- Managed service providers (MSPs) — they have admin access to your entire network
- Cloud providers — AWS, Azure, Microsoft 365, Google Workspace
- CRM platforms — Salesforce, Wealthbox, Redtail, Junxure
- Custodians — Schwab, Fidelity, Pershing
- Email providers — Microsoft Exchange, Google Workspace, any email archiving service
- Client portal vendors — any platform where clients log in to view documents or account information
- Financial planning software — eMoney, MoneyGuidePro, RightCapital
- Accounting and billing software — QuickBooks, Orion, Black Diamond
- Phone and communication systems — VoIP providers, Zoom, Teams, any platform that records calls or stores voicemails
- Document management — ShareFile, Citrix, Dropbox, Box
When firms actually sit down and inventory their vendors, the number is almost always between 15 and 30. Most have never done the exercise. They could not produce a complete vendor list if an examiner asked for one tomorrow.
The 72-hour clause gap
This is the most immediate compliance risk for most RIAs. The 72-hour breach notification requirement is new with the Reg S-P amendments, but the majority of vendor contracts were signed before these amendments existed. That means:
- Your MSP contract probably does not include a 72-hour notification clause. It might say "reasonable efforts to notify" or nothing at all.
- Your CRM vendor's terms of service almost certainly do not include a specific notification window tied to your regulatory obligations.
- Your custodian may have their own notification timeline that does not align with the 72-hour requirement you are now subject to.
Unless you explicitly update these contracts, your vendors have no obligation to tell you about a breach within 72 hours. If your MSP discovers a breach on Friday and tells you the following Thursday, the 72-hour window was missed days ago, and every one of those days came out of your own clock to investigate and notify affected clients (the amended rule gives you no more than 30 days from the time you become aware). The SEC does not care that your vendor was slow. They care that you did not have the contractual mechanism to prevent it.
What a compliant vendor oversight program looks like
A vendor oversight program that would satisfy an SEC examiner has five components:
1. Vendor inventory
A complete, current list of every service provider that has access to or processes client information. For each vendor: what data they access, how they access it, and when the relationship was last reviewed. This is your foundation. You cannot manage risk you have not identified.
2. Risk tiering
Not every vendor carries the same risk. Your MSP, who has admin credentials to your entire environment, is a different risk than your phone system. Tier your vendors into categories — critical, high, medium, low — based on the sensitivity and volume of data they access, whether they have direct system access, and the impact of a breach at that vendor.
3. Due diligence documentation
For each vendor, documented evidence that you assessed their security posture. This might include reviewing their SOC 2 report, confirming they carry cyber insurance, verifying their incident response procedures, or sending a security questionnaire. The depth should match the risk tier: a critical vendor like your MSP needs far more scrutiny than a low-tier vendor that touches little or no client data.
4. Contract review for breach notification clauses
Every contract with a service provider that touches client data needs a 72-hour breach notification clause. Review each contract. Flag the ones that are missing the clause. Negotiate amendments. Track which contracts have been updated and which are still outstanding. If you want to know what else to ask your MSP, start with the notification timeline.
5. Annual reassessment
Vendor risk is not static. Your CRM vendor that passed your assessment last year may have been acquired, changed their security practices, or experienced an incident. Set a calendar for annual reviews. For critical-tier vendors, consider semi-annual reviews or continuous monitoring.
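The five components above are the kind of thing a spreadsheet handles badly and a small script handles well. The following is an added example, not BlackSheep's code and not a form the SEC publishes: it takes a constructed vendor inventory, tiers each vendor by the blast radius of a breach (system access level, sensitivity of the data, whether the vendor stores it), flags contracts whose notification window is missing or slower than 72 hours, and flags reassessments that are overdue for the tier's cadence. The tiering rules, the semi-annual cadence for critical vendors, the data classes, the field names and the sample vendors are all assumptions chosen for illustration.

```python
"""Vendor oversight checks over a constructed vendor inventory.

Added example, not BlackSheep's code. The tiering rules, the review cadence
per tier, the field names and the sample vendors are all assumptions chosen to
illustrate the five components of a vendor oversight program."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_NOTIFY_HOURS = 72  # Reg S-P: as soon as possible, no later than 72 hours after awareness
# Assumed reassessment cadence per tier: critical semi-annually, everything else annually.
REVIEW_INTERVAL_DAYS = {"critical": 182, "high": 365, "medium": 365, "low": 365}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SENSITIVE = {"ssn", "account_numbers", "financials"}  # assumed sensitive data classes
REPORT_DATE = date(2025, 3, 1)  # assumed "today" for the sample run


@dataclass
class Vendor:
    name: str
    data: frozenset               # customer-information classes the vendor can reach
    system_access: str            # "admin", "api", "user" or "none" on the firm's systems
    stores_data: bool             # vendor retains the data (False = transit only)
    notify_hours: Optional[int]   # contractual breach-notification window; None = no clause
    last_reviewed: Optional[date]  # None = never assessed


def tier(v: Vendor) -> str:
    """Tier by blast radius: admin access or stored sensitive data is critical."""
    if v.system_access == "admin":
        return "critical"
    if v.data & SENSITIVE:
        return "critical" if v.stores_data else "high"
    if v.system_access == "api" or v.data:
        return "medium"
    return "low"


def touches_client_data(v: Vendor) -> bool:
    """A vendor with any data class or any system access is a service provider."""
    return bool(v.data) or v.system_access != "none"


def clause_gap(v: Vendor) -> bool:
    """True when a data-touching vendor has no clause, or one slower than 72 hours."""
    if not touches_client_data(v):
        return False
    return v.notify_hours is None or v.notify_hours > MAX_NOTIFY_HOURS


def review_due(v: Vendor, today: date) -> bool:
    """Reassessment is overdue when the tier's interval has elapsed, or never happened."""
    if v.last_reviewed is None:
        return True
    return today - v.last_reviewed > timedelta(days=REVIEW_INTERVAL_DAYS[tier(v)])


def oversight_report(vendors, today: date):
    """One row per vendor, sorted by tier, with the two findings an examiner asks about."""
    rows = [
        {
            "vendor": v.name,
            "tier": tier(v),
            "clause_gap": clause_gap(v),
            "review_due": review_due(v, today),
        }
        for v in vendors
    ]
    return sorted(rows, key=lambda r: (TIER_ORDER[r["tier"]], r["vendor"]))


# Constructed sample inventory: hypothetical vendors and contract terms, not real ones.
SAMPLE_VENDORS = [
    Vendor("MSP", frozenset({"ssn", "financials"}), "admin", True, None, date(2024, 1, 15)),
    Vendor("CRM", frozenset({"contact", "financials"}), "api", True, 72, date(2024, 10, 1)),
    Vendor("Custodian", frozenset({"account_numbers"}), "api", True, 120, date(2024, 6, 1)),
    Vendor("VoIP", frozenset({"voicemail"}), "user", True, 72, date(2024, 4, 1)),
    Vendor("Web host", frozenset(), "none", False, None, None),
]

if __name__ == "__main__":
    for row in oversight_report(SAMPLE_VENDORS, REPORT_DATE):
        flags = [k for k in ("clause_gap", "review_due") if row[k]]
        print(f"{row['tier']:<9} {row['vendor']:<10} {', '.join(flags) or 'ok'}")
```

Run as written, the report puts the MSP at the top with both findings (no clause, review overdue), flags the custodian's 120-hour window as a clause gap even though a clause exists, and leaves the CRM clean because its 72-hour clause and recent review both pass. Two design points matter more than the specific thresholds: the clause check compares a number of hours rather than looking for the words "breach notification", because "reasonable efforts to notify" and "five business days" both fail the rule while reading like compliance; and the review interval is keyed to the tier, so tightening a vendor's tier automatically shortens its reassessment clock.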
Why most RIAs do not have one
If vendor oversight is a regulatory requirement, why do so few RIAs have a formal program? A few reasons:
- It is tedious. Inventorying 20+ vendors, reviewing contracts, sending questionnaires, documenting results, and tracking remediation is real work. It is not the work most advisors signed up for.
- Nobody taught them how. The SEC says you need vendor oversight. It does not hand you a template. Advisors know they need to do something but are not sure what, specifically, to produce.
- Their compliance consultant did not include it. Many RIA compliance consultants focus on Form ADV, code of ethics, and trading policies. Cybersecurity vendor oversight is newer and not every consultant has built it into their service.
- Their MSP is not going to build oversight over themselves. Your IT provider has a structural conflict of interest in assessing their own security. They are not going to hand you a report card on their own performance. And they are typically not equipped to assess your other 20 vendors either.
How BlackSheep automates vendor risk management
BlackSheep's RIA compliance platform includes a vendor risk management module built specifically for the Reg S-P requirements. It handles the parts that make this program tedious to maintain manually:
- Vendor inventory tracking. Catalog every service provider, what data they access, their risk tier, and their assessment status in one place.
- Contract clause monitoring. Track which vendor contracts include the 72-hour breach notification clause and which still need updates. Get reminders when contracts are up for renewal so you can negotiate the clause in.
- Risk scoring. Automated risk tiering based on data access, system permissions, and vendor type. Adjust as vendors change.
- Documentation generation. Produce the due diligence records, assessment summaries, and audit trail an SEC examiner expects to see.
- Reg S-P mapped evidence. Every assessment, review, and remediation action maps directly to the specific Reg S-P requirement it satisfies. When an examiner asks how you comply with the vendor oversight provisions, you hand them the report.
You can run a free security scan to see where your firm stands before committing to anything.
Stop managing vendor risk in spreadsheets.
Automate vendor oversight with BlackSheep