For years, protecting customer information was treated as an internal problem — something firms solved by hardening their own systems, training their own staff, and auditing their own controls. That assumption no longer holds.

The U.S. Securities and Exchange Commission (SEC) has made it unmistakably clear: if a vendor touches your customer data, your firm is responsible for what happens to it. The amended Regulation S-P, which took effect for larger firms on December 3, 2025 and extends to smaller firms on June 3, 2026, formally shifts vendor oversight from a best practice to a binding regulatory obligation.
For broker-dealers, registered investment advisers (RIAs), investment companies, and transfer agents, this is not a minor update. It is a structural directive — one that requires documented vendor management programs, renegotiated contracts, ongoing monitoring, and audit-ready evidence. And the SEC’s Division of Examinations has already signaled that vendor oversight is a top priority in its 2026 examination agenda.
This post breaks down exactly what Reg S-P requires from firms regarding their third-party vendors, where most firms currently fall short, and what a compliant vendor oversight program looks like in practice.
Regulation S-P was originally adopted in 2000 under the Gramm-Leach-Bliley Act (GLBA) to govern how financial institutions protect the nonpublic personal information (NPI) of consumers. For over two decades it remained relatively unchanged — until the threat landscape did not.
In May 2024, the SEC adopted significant amendments to Regulation S-P, recognising that the proliferation of cloud services, outsourced platforms, and fintech partnerships had fundamentally changed where customer data lives and who handles it. The amendments modernise the rule to reflect that reality.
Who is covered? The amended rule applies to broker-dealers, registered investment advisers (RIAs), investment companies, and transfer agents.
When do the new requirements take effect? Larger firms have been subject to the amendments since December 3, 2025; smaller firms must comply by June 3, 2026.
The amendments do not just tighten internal controls. They introduce specific, enforceable obligations around how firms manage, contract with, and monitor their third-party service providers. Here is what is now required.
Firms must now develop and maintain written policies and procedures that govern how they oversee service providers with access to customer information. This means risk-based vendor assessments at onboarding, periodic reviews of vendor security controls, and documented processes for how the firm identifies, categorises, and monitors its third-party relationships.
A verbal commitment or a shared spreadsheet is no longer sufficient. Examiners will look for documented frameworks that demonstrate active, ongoing governance — not a one-time diligence exercise.
One of the most operationally demanding new requirements is the vendor breach notification obligation. Under the amended rule, firms must ensure that their service providers are contractually obligated to notify them no later than 72 hours after becoming aware of a confirmed or suspected security incident involving customer information.
This means firms need to revisit every existing vendor contract that involves customer data. Contracts up for renewal should be amended during the renewal window. For contracts not due for renewal, the SEC recommends documenting the vendor’s acknowledgment of the 72-hour requirement through a side letter or email confirmation in the interim.
Critically, even if a firm delegates breach notification duties to a vendor, the firm retains full regulatory responsibility. Delegation is not absolution.
Reg S-P does not treat vendor risk as a one-time assessment. Covered institutions must conduct ongoing due diligence and monitoring to verify that vendors continue to meet data protection standards throughout the relationship lifecycle. This includes periodic reviews of vendor security controls and evidence after onboarding, not just diligence at the start of the relationship.
The SEC’s 2026 examination priorities specifically highlight this continuous oversight expectation. Firms that conduct due diligence only at onboarding and then set and forget their vendor relationships will not meet the standard.
Firms must now maintain detailed records that document their compliance with the amended Safeguards and Disposal Rules. Retention periods differ by entity type: five years for RIAs and three years for broker-dealers.
These records must include evidence of vendor oversight activities — due diligence outputs, contract terms, incident logs, investigation records, and breach notifications. The SEC expects firms to be able to produce these records quickly during an examination.
The SEC’s Division of Examinations has been explicit about what it will scrutinise. Its 2026 Examination Priorities list Reg S-P compliance as a focal area across investment advisers, investment companies, and broker-dealers, with particular attention to third-party vendor oversight.
The message from regulators is clear: it is no longer enough to have vendor contracts on file. Examiners want evidence of active, continuous governance. Firms that cannot produce that evidence will face scrutiny regardless of whether a breach has occurred.
Despite the December 2025 deadline having already passed for large firms, implementation gaps remain widespread. Common failure points include:
Incomplete vendor inventories. Many firms do not have a comprehensive, current list of all vendors that handle customer information. Without knowing who your vendors are, you cannot assess or monitor them systematically.
Outdated or silent contracts. A significant number of vendor agreements predate the Reg S-P amendments and contain no provisions on data protection standards, security controls, or breach notification timelines. Renegotiating these — especially with large, established service providers — takes time and persistence.
No continuous monitoring. Firms that conduct due diligence at onboarding but have no ongoing review mechanism are operating with a compliance gap. A vendor that was low-risk eighteen months ago may look very different today.
Inadequate documentation. Examiners do not accept assurances — they require evidence. Firms that cannot produce contemporaneous records of their vendor oversight activities will struggle in examinations even if their practices are sound.
This is precisely where a purpose-built vendor governance platform becomes operationally essential — not just useful. Enlighta’s Vendor Lifecycle Management module is designed to address each of the compliance requirements that Reg S-P now mandates.
Enlighta gives compliance teams a single, always-current inventory of every vendor relationship — including which vendors have access to customer information, what data they touch, what contracts govern those relationships, and what risk tier each vendor falls into. For Reg S-P compliance, this means firms can immediately identify which vendors are in scope and prioritise oversight effort accordingly.
One of the most complex operational challenges under Reg S-P is ensuring that vendor contracts are updated to include the 72-hour breach notification requirement and appropriate data protection terms. Enlighta’s Contract Lifecycle Management (CLM) module automates contract tracking, highlights agreements that are missing required clauses, and triggers renewal workflows so no contract renewal window is missed. Compliance teams can see at a glance which vendor agreements are Reg S-P-compliant and which require action.
Enlighta’s continuous monitoring capability is a direct answer to the SEC’s expectation of ongoing vendor oversight. Rather than relying on annual questionnaires or periodic reviews alone, Enlighta enables compliance teams to monitor vendor risk signals on an ongoing basis — tracking changes in vendor security posture, collecting updated evidence (SOC 2, ISO certifications, audit reports), and generating alerts when vendor risk profiles change.
This shifts the firm’s posture from reactive to proactive — the kind of always-on oversight that SEC examiners are now looking for.
Every vendor interaction, assessment output, contract amendment, and monitoring activity in Enlighta is logged, timestamped, and stored in a format that is immediately accessible for regulatory examination. When an SEC examiner asks for evidence of a firm’s vendor oversight program, Enlighta’s audit trail provides exactly that — without a scramble to reconstruct records from emails and spreadsheets.
Firms using Enlighta do not just claim compliance. They can prove it.
Whether you are a larger firm already subject to the December 2025 requirements or a smaller firm approaching the June 3, 2026 deadline, here is where to focus:
Step 1 — Build your vendor inventory
Identify every third-party service provider with access to customer information. Include cloud hosts, fund administrators, custodians, transfer agents, IT platforms, and outsourced operational functions.
Step 2 — Risk-tier your vendors
Not every vendor carries the same risk. Prioritise vendors by the sensitivity and volume of customer data they access. Apply proportionate due diligence and monitoring to higher-risk vendors.
Step 3 — Audit your contracts
Review every vendor contract for Reg S-P compliance gaps. Specifically look for: (a) absence of the 72-hour breach notification requirement, (b) missing data protection obligations, and (c) lack of audit rights or monitoring access. Flag contracts for amendment or renegotiation.
Step 4 — Implement ongoing monitoring
Put in place processes — and preferably a technology platform — for continuous vendor monitoring. This includes collecting updated security certifications, reviewing incident reports, and tracking changes in vendor risk posture.
Step 5 — Test your incident response
Run tabletop exercises that include vendor breach scenarios. Verify that your vendors understand and can meet the 72-hour notification window. Document the testing and its outcomes.
Step 6 — Build your recordkeeping infrastructure
Ensure that all vendor oversight activities are documented and stored in a retrievable format, with retention periods that meet the 5-year (RIA) or 3-year (broker-dealer) requirements.
Reg S-P is part of a broader regulatory shift that is visible across multiple agencies and jurisdictions in 2026. The SEC’s 2026 Examination Priorities, FINRA’s Annual Regulatory Oversight Report, and NYDFS’s November 2025 third-party risk guidance all point in the same direction: regulators no longer treat vendor risk as peripheral. They treat it as core operational infrastructure.
Financial firms that approach vendor oversight as a checkbox exercise — something done at onboarding and revisited only when a breach forces the issue — are increasingly misaligned with regulatory expectations. The standard is now continuous, documented, evidence-based governance across the full vendor lifecycle.
The good news is that firms with the right platform in place are not only compliant — they are more operationally resilient, better positioned for examinations, and better protected against the reputational and financial consequences of a vendor-driven breach.
The amended Regulation S-P makes vendor oversight a first-class regulatory obligation for broker-dealers, investment advisers, and other covered financial institutions. The 72-hour breach notification requirement, mandatory written oversight policies, ongoing monitoring expectations, and rigorous recordkeeping standards collectively raise the bar significantly from where it stood even twelve months ago.
For firms approaching the June 3, 2026 deadline, the window to act is narrow. Vendor contracts need updating. Oversight programs need documenting. Monitoring needs to be continuous, not periodic. And every step needs to be recorded in a way that can withstand examination scrutiny.
Enlighta helps financial firms build exactly this kind of vendor governance program — from the initial vendor inventory and risk tiering through contract management, continuous monitoring, and audit-ready documentation. If your firm is working through Reg S-P compliance and wants to see how Enlighta’s vendor lifecycle management platform maps to the SEC’s requirements, we’d be glad to walk you through it.