Heightened Vendor Oversight: Third-Party Risks Under the New Reg S-P Rules

Executive Summary

In 2026, regulatory scrutiny of financial firms’ management of third-party service providers has intensified. The Securities and Exchange Commission (SEC) has updated Regulation S-P, and the SEC’s 2026 examination priorities emphasize not only internal safeguards, but also strong oversight of vendors that access or handle customer information. Similarly, FINRA’s 2026 Annual Regulatory Oversight Report highlights the evolving threat of third-party risks as a key compliance area. For broker-dealers and investment advisers, this means developing documented vendor oversight programs, incorporating contractual controls (including 72-hour incident notification requirements), and maintaining records of due diligence, monitoring, and readiness to respond. The following provides an overview of why these changes are important, the current regulatory environment, and practical steps firms need to take.

Understanding the Regulatory Shift: Reg S-P & the 2026 Priorities

In 2024, the SEC adopted significant amendments to Regulation S-P (Reg S-P), reshaping how broker-dealers and investment advisers must protect customer information. Among these changes is a formalized requirement to oversee third-party service providers that access, process, or maintain customer data, including cloud hosts, custodians, core IT systems, and outsourced platforms, through due diligence and ongoing monitoring. The oversight obligation includes ensuring that a service provider notifies the broker-dealer or investment adviser as soon as possible, and no later than 72 hours after becoming aware of a breach resulting in unauthorized access to a customer information system the provider maintains. The 72-hour clock runs from the vendor's awareness, not from the intrusion itself, and it feeds the firm's own obligation under the amended rule to notify affected individuals as soon as practicable and no later than 30 days after the firm becomes aware of the breach. Compliance with the amendments was phased in, with larger entities required to comply by December 3, 2025 and smaller entities by June 3, 2026, so the 2026 examination cycle is the first in which the obligations apply across the board.

This procedural obligation is not a distant theoretical standard. The SEC’s 2026 examination priorities specifically highlight Regulation S-P compliance, with a focus on firms’ policies and procedures, internal controls, and oversight of third-party vendors. It is anticipated that SEC examiners will not only scrutinize whether firms have documented programs, but also whether those programs are operationalized and demonstrable during inspection.

In parallel, FINRA’s 2026 Annual Regulatory Oversight Report identifies the third-party risk landscape as a concern for member firms. FINRA notes an increase in cyberattacks and operational outages at third-party vendors, threats that can cascade across multiple firms in the absence of strong vendor controls. The report discusses effective practices such as due diligence, monitoring, vendor system inventory, and ongoing risk assessment as means to mitigate these risks.

Taken together, these regulatory pronouncements reflect a fundamental truth: delegation does not diminish responsibility. Firms remain accountable for the security, confidentiality, and integrity of customer information even when technology and services are outsourced. This unified emphasis from both the SEC and FINRA underscores that third-party risk management is central to regulatory compliance in 2026.

Practical Compliance Considerations for Firms

With third-party vendor oversight now squarely in the regulatory spotlight of the SEC and FINRA, firms must translate the SEC’s amended Regulation S-P requirements into concrete, operational compliance practices. Firms should be prepared to demonstrate how vendor risks are identified, managed, documented, and tested in practice. The practical considerations outlined below highlight the core elements examiners are likely to assess when reviewing third-party service provider controls.

  • Formalizing Vendor Oversight Programs. Firms must update written policies and procedures to reflect oversight expectations, including risk-based vendor assessments, security controls reviews, and contractual obligations. These policies should document how the firm identifies critical vendors, assesses their risk, and monitors their compliance through ongoing controls and evidence collection.
  • Embedding Contractual Controls (Including 72-Hour Notices). Beyond internal policies, firms should ensure that vendor contracts or written commitments explicitly include breach notification timelines, particularly the 72-hour incident notice. Because the clock starts when the vendor becomes aware of unauthorized access, agreements should define what counts as awareness, name the firm contact who receives the notice, and specify the minimum content of the notice (systems and data affected, time of discovery, and remediation status) so that the firm can start its own individual-notification clock and incident response without a second round of inquiries. Documenting these expectations in agreements or executed attestations helps demonstrate that the firm's oversight program is not merely aspirational but enforceable.
  • Testing and Documentation. Operational readiness is now a compliance requirement. Firms should regularly test incident-response procedures, conduct vendor audits or questionnaires, and maintain detailed records of due diligence efforts, evidence of vendor safeguards, and any communications related to security incidents.
  • Coordinating Across Functions. Compliance, technology, legal, and risk management must work in concert. Vendor oversight spans cyber controls, contract law, data governance, and operational risk, and siloed approaches create gaps that regulators are likely to identify.
  • Preparing for Examinations. Documentation is the backbone of defensible compliance. During examinations, SEC and FINRA teams will expect to see evidence of how firms have implemented policies, how vendors were assessed and monitored, and how incident notifications were captured, escalated, and resolved.

Conclusion

The regulatory spotlight on third-party vendor oversight, driven by the 2024 Regulation S-P amendments and highlighted in SEC and FINRA priorities, makes clear that firms must move beyond basic policy statements to actionable, auditable vendor risk programs. The requirement to ensure timely vendor incident notifications, including the 72-hour notice, is not merely an operational detail, but a core compliance obligation in an increasingly interconnected financial services environment.

Call to Action

Firms should immediately inventory vendors with access to customer information, update oversight policies, integrate 72-hour notice obligations into vendor controls, and execute documentation practices that will withstand regulatory scrutiny. If your firm needs support updating policies, vendor contracts, or compliance programs to align with these priorities, engage experienced regulatory counsel or compliance advisors today.