Compliance Nightmare Lurking in the Shadows of RIAs
Picture this: Your firm spent the better part of last year preparing for Regulation S-P. You updated your incident response plan, trained your staff, and tightened your policies. You felt ready. Then one of your software vendors suffered a breach, and client data was compromised. You didn't cause it; you didn't even know it was happening. Under the amended rule, the responsibility and liability are yours.
Ben Tercha, COO at Omega Systems, an award-winning managed IT services provider, warns that compliance is no longer just about internal processes and controls – it's about third-party risk.
### Ignorance is Not Bliss
For most RIAs, the managed IT or cybersecurity partner has broader access to client data than almost any other vendor, often with administrative access across systems. Yet they're frequently the least scrutinized from a compliance standpoint. Omega's data shows that MSSP-supported firms conduct continuous or monthly vulnerability testing at 56%, versus 38% for firms managing IT internally – and they contain breaches faster. This gap matters when you're racing a 30-day clock. If your current IT partner can't speak to their own S-P posture, that's a conversation to have before an SEC examiner prompts it.
### What Happens When a Vendor Notifies You of a Breach?
Regulation S-P's third-party provisions mean your vendors' security practices are now your regulatory problem, too. The SEC's May 2024 amendments to Reg S-P go well beyond internal policy updates. One of the most significant – and least discussed – changes is a formal requirement to implement written policies and procedures for overseeing service providers, conducting due diligence, and ensuring those providers protect against unauthorized access to customer information. Vendors must notify firms within 72 hours of detecting a breach, after which the covered institution must initiate its incident response program and potentially notify affected clients within 30 days.
### The Consequences of Ignoring Third-Party Risk
The June 3 deadline for small RIAs is a starting line, not a finish line. SEC examiners will evaluate the strength of ongoing programs, not just whether boxes were checked. In 2024 alone, the SEC settled multiple cybersecurity-related enforcement actions with penalties ranging from $990,000 to $4 million. Control failures and disclosure gaps were at the center of every one of them – exactly the kind of program weaknesses that third-party risk exposure tends to create.
Ben Tercha explains that enforcement of security protocols requires ongoing vigilance.
### So What Now?
Experts warn that a gap in vendor oversight is a serious liability when the clock starts at vendor notification, not at your convenience. Ben Tercha advises that for most RIAs, the solution lies in maintaining a living inventory of all service providers with data access, updated as relationships change. You must review and update contracts to include security requirements, breach notification timelines, and audit rights. Conducting and documenting periodic due diligence, not just at onboarding, and building vendor risk into your incident response plan as an integrated component are equally crucial. If you can't answer "who has access to my clients' data and what happens if that vendor is breached," then that's a gap you can bet the SEC will zero in on.