You Can't Outsource the Risk: Reg S-P and Vendor Oversight

The SEC's amended Regulation S-P raises the bar on how investment advisors protect customer data — and the compliance timeline isn't moving. In this episode of the Ncast, Rafael DeLeon sits down with Tracy Soehle, Associate General Counsel at the Investment Advisors Association, to work through what the rule demands in practice: building an incident response program, meeting the 30-day notification requirement, and managing service providers in a regulatory environment that still leaves a lot open to interpretation. For RIAs, this isn't just a compliance exercise. It runs directly through fiduciary duty — and Tracy walks through how firms can meet that obligation while navigating vendor relationships that don't always cooperate. In this episode: The two most significant changes in amended Reg S-P: mandatory incident response programs and the 30-day customer notification requirement Why that 30-day clock is harder than it sounds — and what firms need in place before a breach happens What "reasonable assurances" from vendors actually means when the rule doesn't require it in the contract Which service providers will renegotiate and which won't — and how to document the diligence either way Why you can delegate notification to a vendor but can't delegate the liability Data mapping as the non-negotiable foundation of the entire program What SEC examiners are asking for and what "reasonably designed" has to mean in practice #ncontracts #regulation #regulationsp #sec #investment #dataprivacy #incidentresponse #vendormanagement #cybersecuritycompliance