For many years, the Securities and Exchange Commission (SEC) has focused on how registered investment advisors (RIAs) identify and manage cybersecurity risks. Although RIAs have taken steps to secure their own environments, the risks don’t stop there.
Third-party vendors are an extension of your RIA’s security practices. Taking a proactive approach to reviewing and assessing your vendors’ cybersecurity posture helps ensure SEC compliance.
The SEC’s Cybersecurity Requirements for Investment Advisors
In its 2025 examination priorities, the SEC highlighted cybersecurity as a key focus area and noted increased third-party risks. Ultimately, it’s your RIA’s responsibility to protect client data – whether it’s in your hands or a third-party vendor’s.
Here are key regulatory areas from the SEC for RIAs:
Material incident reporting
Under Regulation S-P, if client information is compromised, RIAs should notify customers within 30 days, even if the incident originated with a service provider. Third-party service providers must be able to notify RIAs promptly (no later than 72 hours) if a breach impacts client information.
Note: Regulation S-P defines a service provider as “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.”
Under the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, publicly traded companies must report material cybersecurity incidents. This disclosure must occur within four business days of determining that the incident was material.
Although this may not apply to your RIA, it’s a clear focus of the SEC and a best practice to implement. Many states also have cybersecurity disclosure rules applicable to RIAs.
Written policies and procedures
Regulation S-P requires RIAs to establish, maintain, and enforce written third-party risk management policies and procedures. These should address third-party oversight, including due diligence and monitoring.
RIAs must also implement and maintain policies and procedures for cybersecurity programs. These must be reasonably designed to address cybersecurity risks.
Incident response plans
Under Regulation S-P, RIAs must have an incident response plan that lays out how they’ll detect, respond to, and recover from unauthorized access or use of client information. The plan should include procedures for how your RIA will assess, contain, and control the incident.
If a third-party incident impacts client information, your RIA must have a plan to respond appropriately.
Documentation and recordkeeping
RIAs must create and maintain records that document compliance with Regulation S-P, including how service providers are overseen.
Third-Party Risk Management Practices for RIAs to Comply with the SEC
Given the SEC’s recent adoption of the cybersecurity rule and its changes to Regulation S-P, it’s clear that cybersecurity and third-party service providers are risk areas for your RIA to address.
Not only does your RIA need to comply with the SEC’s expectations, but you also need to ensure third-party service providers do the same.
Here are practices RIAs can implement to help with SEC compliance:
- Implement or review third-party risk management policies and procedures: Have policies and procedures that outline how your RIA identifies, assesses, and manages third-party risks. Include roles and responsibilities, current risk management practices, and the scope of your third-party oversight.
- Identify and assess third-party cybersecurity risks: Create an inventory of third parties that access your RIA’s data. Evaluate how those third parties will protect your data. Review documentation like information security policies, SOC 2 reports, and incident response plans. Compare the third party’s security practices against your requirements and the SEC’s expectations.
- Include cybersecurity requirements in third-party contracts: Although Regulation S-P doesn’t require data protection clauses in third-party contracts, it’s still a best practice that helps outline compliance expectations. Require the third party to send breach notifications within 72 hours of discovery, outline minimum security standards, and include right-to-audit provisions.
- Monitor third-party cybersecurity risks: Periodically assess the third party’s cybersecurity risks and ensure documentation remains up to date. Consider using tools to continuously monitor for new vulnerabilities and cybersecurity risks.
- Have a plan for third-party incidents: Per the SEC’s requirements, include third-party incidents in your RIA’s incident response plans. Include notification requirements, stakeholder responsibilities, and regulatory reporting workflows. Remember to test the plan so you can identify issues before an incident.
- Document, document, document: During exams, the SEC will look for documentation that your RIA is complying with expectations. Maintain detailed records of due diligence documents and findings, third-party contracts, monitoring reports, and remediation efforts. Keep this information in a centralized place so it’s easy to find and maintain.
Complying with the SEC’s cybersecurity expectations and ensuring third-party service providers do the same is critical for success. It helps protect your RIA from facing enforcement actions while also protecting your firm and clients from third-party incidents and data breaches.
