The 72-Hour Rule: What Reg S-P Vendor Oversight Means for Your Firm
Your vendors handle your client data. Under the amended Safeguards Rule, they now have 72 hours to tell you if something goes wrong. If that's not in your contract, you have a problem.
What the rule says
Under amended Rule 248.30(a)(3), covered institutions must require service providers to notify them as soon as possible, and no later than 72 hours after becoming aware that a security incident involving customer information has occurred or is reasonably likely to have occurred.
This is a contractual requirement. The SEC expects you to put it in writing. A verbal understanding or a vendor's general privacy policy does not count.
Who counts as a "service provider"?
The rule defines it broadly: any person or entity that receives, maintains, processes, or otherwise has access to customer information through providing services to your firm. For most RIAs, that list is longer than you think:
- CRM platforms (Redtail, Wealthbox, Salesforce) if they hold client PII
- Financial planning software (eMoney, MoneyGuidePro, RightCapital) with client data
- Portfolio management and reporting tools (Orion, Black Diamond, Tamarac)
- Custodians to the extent they handle your customer information under your direction
- Cloud providers (Microsoft 365, Google Workspace) hosting client communications or files
- Document storage services holding client agreements or tax documents
- IT managed service providers with access to your systems and data
- Compliance technology vendors processing client information
- Email marketing platforms if they receive client contact information
If they touch client data, they count as a service provider under this rule.
What your contracts need to include
At minimum, every vendor agreement should cover:
- The 72-hour notification obligation. Explicit, unambiguous. Not "promptly" or "as soon as practicable." 72 hours from when the vendor becomes aware. Define "becomes aware" as well, or a vendor can argue the clock only starts once its own investigation has confirmed the incident.
- Definition of "security incident." Be specific so there's no ambiguity about what triggers notification. A definition limited to confirmed data theft lets a vendor sit on an intrusion; unauthorized access to a system that holds your customer information should be enough to start the clock.
- Obligation to safeguard customer information. General duty of care over the data they handle.
- Right to audit or receive security attestations. SOC 2 reports, penetration test summaries, or the right to send a questionnaire.
- Cooperation during incident investigation. If they have a breach, you need them to help you figure out what happened.
- Data handling on termination. What happens to your client data when the relationship ends? Return, destruction, or certification of deletion.
- Sub-processor provisions. If your vendor uses subcontractors who also access client data, the 72-hour obligation should flow through to them, and the vendor should remain responsible for notifying you when a sub-processor has an incident.
The legacy contract problem
This is where it gets painful. If you have existing vendor contracts that don't include the 72-hour clause, you need to amend them before your compliance date (June 2026 for smaller entities; larger entities had an earlier date). That means:
- Inventorying every vendor that touches client data
- Reviewing each contract for existing incident notification provisions
- Reaching out to vendors to negotiate amendments
- Documenting the process, especially if a vendor pushes back
Start this early. Vendors move slowly. Legal review takes time. Some vendors will need months to update their standard terms across their entire client base.
When a vendor won't agree
Some vendors will resist. Large platform providers with standardized contracts may not want to customize terms for individual RIAs. The SEC anticipated this.
Their position: you must require the provision. If a vendor refuses, you have to consider whether to continue the relationship or find an alternative. If the vendor is truly indispensable, document your efforts to negotiate, the vendor's response, and any compensating controls you've put in place.
Good faith effort matters. But "we didn't ask" is not a defense.
Due diligence: not just at onboarding
The SEC expects ongoing vendor oversight, not a one-time questionnaire you file and forget. Your due diligence program should cover at least these areas:
- Before you sign: Review security practices, certifications (SOC 2 Type II, ISO 27001), breach history, and incident response capabilities
- Every year: Request updated SOC 2 reports, check for changes in ownership or business practices, and look for any reported security incidents. Read the report rather than filing it: confirm the systems that hold your client data are in scope, and note any exceptions the auditor raised.
- Between reviews: Keep an eye on public information about vendor breaches, regulatory actions, or material changes to their technology stack
- Periodically: Reassess what client information each vendor actually needs access to. Access creep is real.
TAMPs and custodial platforms
RIAs that use turnkey asset management platforms or outsource to third-party administrators have an extra layer to think about. Client data may pass through multiple entities before reaching the custodian. Each one may qualify as a service provider.
The major custodial platforms (Schwab Advisor Services, Fidelity Institutional, Pershing) have generally updated their agreements to include incident notification provisions. But "generally" is not "definitely." Review your specific agreement. Check the language. Make sure it meets the 72-hour standard.
Practical steps
- Build your vendor inventory. List every vendor that touches client data. Include the type of data they access and the contract expiration date.
- Flag gaps. Which contracts have no incident notification clause? Which ones say "promptly" instead of 72 hours?
- Prioritize by risk. Start with vendors that hold the most sensitive data or have the broadest access.
- Negotiate amendments. Use a standard addendum where possible to reduce legal costs.
- Set up a review cycle. Reassess vendors annually. Check for updated attestations. Document the review.
Wrapping up
Vendor oversight is one of the most time-consuming parts of the amended Safeguards Rule. RIAs feel it more than most because the typical firm runs on a dozen or more third-party platforms. The 72-hour notification requirement gets the headlines, but the real grind is in the contracts and the due diligence. The annual monitoring never really stops.
Get the inventory done and the contracts updated. Document everything. BlackSheep tracks it all in one place.