Third-Party Cyber Risk Management: How to Meet Regulation S-P Requirements

CRC
April 24, 2026

Cybersecurity risk within financial institutions increasingly extends beyond internal systems and employees. Investment advisers, broker-dealers, and private fund managers now rely heavily on third-party vendors for core operational functions, including portfolio management systems, cloud infrastructure, communications platforms, data storage, and investor reporting. While this reliance has improved efficiency and scalability, it has also expanded the cyber risk landscape in ways that regulators are increasingly scrutinizing.

As a result, third-party cyber resilience has become a central component of cybersecurity governance. Firms are expected not only to safeguard their own systems, but also to understand and manage the risks introduced by vendors and service providers that access or store sensitive client and investor information.

The Expanding Scope of Cyber Responsibility

Modern financial services operate through interconnected systems, and the more interconnected those systems become, the greater the potential for cascading risk. Vendors often play critical roles in daily operations, and in many cases maintain direct or indirect access to nonpublic personal information. This creates a shared operational environment, but not shared regulatory responsibility.

Regulators have consistently emphasized that outsourcing functions does not outsource accountability. Firms remain responsible for protecting client information and maintaining operational resilience, regardless of whether systems are internally managed or vendor-supported.

This principle is reflected directly in Regulation S-P, which requires financial institutions to adopt written policies and procedures reasonably designed to safeguard customer information and protect against unauthorized access or use. As cybersecurity expectations evolve, this obligation increasingly extends to how firms evaluate and oversee third-party service providers.

Regulation S-P and Third-Party Risk

Recent amendments to Regulation S-P reinforce the importance of incident response, customer notification, and operational readiness in the event of a breach involving customer information. While vendors may operate critical infrastructure, regulators expect firms to understand:

  • What customer information vendors access or store
  • How that information is protected
  • How incidents involving vendors are identified and escalated
  • Whether contractual arrangements support timely notification and response

In practice, this means vendor oversight is no longer limited to onboarding due diligence. Ongoing monitoring and clearly defined response expectations have become essential components of compliance programs.

Where Third-Party Cyber Risk Often Emerges

Cyber incidents involving third parties frequently arise from gaps in governance rather than technical failures. Common challenges include:

  • Limited visibility into vendor security controls after onboarding
  • Unclear escalation procedures when incidents occur
  • Inconsistent review of vendor access to sensitive data
  • Reliance on vendor representations without ongoing validation

As firms add new technology providers or expand integrations between systems, these risks can compound over time if not revisited periodically.

Balancing Efficiency and Resilience

Third-party relationships are essential to modern financial operations. Cloud providers, administrators, and technology vendors enable firms to operate more efficiently and provide enhanced client access and reporting capabilities. However, efficiency and risk evolve together.

Each new integration creates additional dependencies. Operational resilience becomes tied not only to internal controls, but to the ability of external providers to respond effectively to cyber incidents. From a client and investor perspective, the distinction between firm and vendor is largely invisible; responsibility remains with the financial institution.

A risk-based approach recognizes that not all vendors present the same level of exposure. Firms increasingly prioritize oversight based on the sensitivity of data involved, system criticality, and the potential impact of disruption.

Building a Practical Third-Party Cyber Resilience Framework

Effective third-party cyber resilience programs typically include:

  • Risk-based vendor classification tied to data access and operational importance
  • Periodic reassessment of vendor cybersecurity practices
  • Contractual requirements for incident notification and cooperation
  • Integration of vendor scenarios into incident response planning
  • Coordination between compliance, information security, and operational teams

Importantly, third-party cyber resilience is most effective when treated as an ongoing governance process rather than a one-time due diligence exercise.

Looking Ahead

As technology ecosystems continue to expand, regulators are expected to maintain focus on how financial institutions manage vendor-related cyber risk under Regulation S-P and related supervisory frameworks. Firms that approach third-party cybersecurity as part of their broader fiduciary and compliance responsibilities, rather than as an isolated IT concern, are better positioned to manage evolving threats while maintaining client trust.

Firms navigating third-party cybersecurity obligations under Regulation S-P and FINRA's supervisory framework often need outside expertise to translate regulatory expectations into operational reality. CRC-Oyster is a full-service financial services compliance partner that specializes in helping RIAs, broker-dealers, and financial institutions design vendor oversight programs, incident response procedures, and enterprise compliance frameworks aligned with current SEC and FINRA guidance.

Learn more at compliance-risk.com. Cyber resilience increasingly depends not only on internal safeguards, but on the strength of the relationships, oversight, and governance structures that support the broader operational environment.
