Most RIA principals assume their managed service provider is handling the security side of their business. The MSP manages the firewall, monitors the network, keeps the software patched. That should count for something under Reg S-P, right?
Here is the hard truth: your MSP’s technical competence is not the issue. The issue is contractual and documentary. Under the SEC’s amended Reg S-P (Release No. 34-100155), what your MSP does technically is almost irrelevant during an exam. What matters is what your MSP has agreed to in writing — and in most cases, that agreement does not exist in the form the rule requires.
If your MSP has not signed a 72-hour notification addendum, your firm is out of compliance. Full stop. And based on the volume of Reg S-P deficiency letters already going out in 2025 and 2026, this is the single most common gap examiners are finding at small and mid-size RIA firms.
Why Your MSP Is at the Center of Reg S-P Risk
Your MSP has access to nearly everything. Client records. Internal communications. Portfolio data. Custodian credentials. CRM databases. For most small RIAs, the MSP is the most privileged third party in the entire vendor ecosystem — more so than the custodian in many cases, because the MSP has direct, persistent access to the firm’s infrastructure rather than a read/write API connection to specific data fields.
Under the amended Reg S-P rule, any third-party service provider that has access to client personal information is a “covered service provider.” That category almost certainly includes your MSP. And covered service providers must meet specific contractual requirements before the June 3, 2026 deadline.
What the Rule Requires from Covered Vendors
- A written agreement that obligates the vendor to implement and maintain appropriate safeguards for client data
- A contractual requirement that the vendor notify your firm within 72 hours of any security incident that involves — or may involve — your clients’ personal information
- Provisions allowing your firm to audit or assess the vendor’s security practices
- Compliance with your firm’s written Vendor Oversight Policy
If you ask your MSP whether they have signed anything like this for your firm, most will say no. Many will not know what you are talking about. Some will say they have a standard service agreement and that should be fine. It is not fine. Standard MSP service agreements were not written to satisfy Reg S-P vendor oversight requirements.
What Your MSP Must Provide (And Probably Doesn’t)
The 72-Hour Notification Addendum
This is the non-negotiable. The amended Reg S-P rule explicitly requires that covered service providers notify the financial firm of a security incident within 72 hours. Your MSP’s standard service agreement almost certainly does not contain this language. The typical MSP contract mentions incident notification in vague terms — “prompt notice,” “reasonable notification,” or simply a general obligation to maintain security without specifying notification timelines at all.
You need a signed addendum — a specific contractual document that commits the MSP to the 72-hour timeline, defines what constitutes a reportable incident, and specifies the notification channel and escalation contact. Without a signed addendum, you have no contractual basis to enforce the requirement, and you have no documentation to show an examiner.
A Data Handling Policy Aligned to Reg S-P
Your MSP must be able to tell you exactly what client personal data they access, where it is stored, how it is protected, and what their internal incident response procedures look like. Most small MSPs do not have a written policy at this level. If your MSP cannot provide documentation of their security practices, that is a due diligence failure on your firm’s part under the rule’s vendor oversight requirements.
Annual Security Review Participation
Your Vendor Oversight Policy must require annual review of each covered vendor’s security posture. Your MSP must participate in this review — even if it is just a documented conversation where they confirm their security controls are current. If you have never had this conversation with your MSP and documented it, you have a recordkeeping gap.
How to Audit Your MSP Relationship for Reg S-P Compliance
Step 1: Pull Your Current MSP Contract
Read it. Specifically, look for:
- Any mention of data breach notification — what does it say, and does it specify a timeline?
- Any reference to regulatory compliance obligations — does it mention SEC, FINRA, or financial services regulations?
- Access scope — does it define what data the MSP can access?
- Subcontracting clauses — can your MSP share your data with their own subcontractors without your consent?
If the notification timeline is not “72 hours” or if the notification obligation is missing entirely, you have a gap that must be remediated before June 3, 2026.
Step 2: Ask Your MSP These Specific Questions
- “What is your internal incident response procedure if you discover a breach involving client data from one of your financial services clients?”
- “Within what timeframe would you notify us if you discovered or suspected a security incident involving our client data?”
- “Are you willing to sign a notification addendum specifying a 72-hour notification timeline as required by SEC Reg S-P?”
- “Do you have written security policies you can provide for our vendor due diligence file?”
Document their answers. The documentation itself is part of your compliance record.
Step 3: Get the Addendum Signed
Most MSPs will sign a notification addendum if asked. The barrier is usually that the RIA firm either does not know they need one, or they do not have the addendum language to present. Your MSP is not going to draft this document for you — they have no incentive to create additional contractual obligations for themselves. The addendum needs to come from your side of the table, and it needs to contain specific, compliant language.
Step 4: Document the Vendor in Your Oversight Register
Your Vendor Oversight Policy must include a register of all covered service providers. Your MSP must be on that list with: date of engagement, data access scope, addendum signed date, annual review date, and contact information for security escalation. This register is what examiners will ask for when they are reviewing your vendor oversight program.
Red Flags in Your MSP Relationship
These are indicators that your MSP relationship is creating Reg S-P exposure right now:
- Your MSP contract is more than 3 years old and has never been updated for regulatory requirements
- Your MSP has never asked you about your compliance obligations or offered to discuss them
- Your MSP uses subcontractors or offshore resources without notifying you — and your contract does not restrict this
- You do not know the names of all the technicians who have remote access credentials to your systems
- Your MSP has never provided you with a written security policy, incident response plan, or SOC 2 report
- When you mention “72-hour notification addendum,” your MSP has no idea what you are talking about
- Your contract with the MSP is a general IT services agreement not customized for financial services clients
Any of these is a gap. More than two of them is a serious compliance liability that needs to be addressed immediately.
The Examiner’s Perspective: What They’re Actually Looking For
When an SEC examiner is reviewing your Reg S-P vendor oversight compliance, they are working through a mental checklist that looks roughly like this:
- Does this firm have a written Vendor Oversight Policy? (Yes/No)
- Does the policy include the 72-hour notification requirement for covered vendors? (Yes/No)
- Can the firm produce signed addenda from their covered service providers? (Yes/No)
- Does the firm have a vendor register that identifies all covered parties? (Yes/No)
- Is there documentation of annual vendor review? (Yes/No)
A “No” on any of these is a deficiency. The examiner is not evaluating whether your network is secure. They are evaluating whether your documentation is complete. A firm with mediocre security but complete documentation will fare better in an exam than a firm with excellent security but no paperwork. That is the reality of regulatory compliance, and it is the trap most technically competent small RIAs fall into.
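As an added illustration that is not part of the original post or of any product it mentions, the following Python script models the Step 4 vendor register and runs the checks from Step 1 and the examiner’s checklist over it: contract notification timeline, signed addendum, data access scope, escalation contact, age of the last annual review, and security documentation on file. The vendor names, dates, field names and contact addresses are constructed for the example; the 72-hour figure, the June 3, 2026 date and the register fields come from the text above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Compliance date for smaller entities, as given in the text above.
REG_SP_DEADLINE = date(2026, 6, 3)
# Notification timeline the addendum must commit the vendor to.
REQUIRED_NOTIFY_HOURS = 72
# An annual review is stale once more than a year has passed.
ANNUAL_REVIEW_MAX_DAYS = 365


@dataclass
class CoveredVendor:
    """One register entry for a covered service provider (Step 4 fields).

    Field names are this example's own choice, not a prescribed schema.
    """
    name: str
    engaged_on: date
    data_access_scope: str                 # what data/systems the vendor can reach
    contract_notify_hours: Optional[int]   # timeline in the current contract; None = not specified
    addendum_signed_on: Optional[date]     # 72-hour notification addendum signature date
    last_review_on: Optional[date]         # most recent documented annual review
    security_contact: Optional[str]        # escalation contact at the vendor
    security_docs_on_file: bool            # SOC 2 report or written security policy received


def find_gaps(vendor: CoveredVendor, today: date) -> list[str]:
    """Return the documentation gaps for one vendor; empty list means no gaps."""
    gaps = []
    # Step 1: the contract must state a timeline, and it must not exceed 72 hours.
    if vendor.contract_notify_hours is None:
        gaps.append("contract has no incident notification timeline")
    elif vendor.contract_notify_hours > REQUIRED_NOTIFY_HOURS:
        gaps.append(f"contract timeline is {vendor.contract_notify_hours}h, "
                    f"rule requires {REQUIRED_NOTIFY_HOURS}h")
    # Step 3: a signed addendum must be on file with its date.
    if vendor.addendum_signed_on is None:
        gaps.append("72-hour notification addendum not signed")
    # Step 4: register fields the examiner will ask for.
    if not vendor.data_access_scope.strip():
        gaps.append("data access scope not documented")
    if not vendor.security_contact:
        gaps.append("no security escalation contact recorded")
    if vendor.last_review_on is None:
        gaps.append("no documented annual review")
    elif (today - vendor.last_review_on).days > ANNUAL_REVIEW_MAX_DAYS:
        gaps.append("annual review overdue")
    # Due diligence file: the vendor's own security documentation.
    if not vendor.security_docs_on_file:
        gaps.append("no vendor security policy or SOC 2 report on file")
    return gaps


def register_report(vendors: list[CoveredVendor], today: date) -> dict[str, list[str]]:
    """Map each vendor name to its gap list; each non-empty list is an examiner 'No'."""
    return {v.name: find_gaps(v, today) for v in vendors}


def days_until_deadline(today: date) -> int:
    """Days remaining before the June 3, 2026 compliance date (negative if past)."""
    return (REG_SP_DEADLINE - today).days


# Constructed sample register: fictional vendors, dates and contacts.
TODAY = date(2026, 1, 15)
LEGACY_MSP = CoveredVendor(
    name="Legacy IT Services (constructed)", engaged_on=date(2021, 4, 1),
    data_access_scope="", contract_notify_hours=None, addendum_signed_on=None,
    last_review_on=None, security_contact=None, security_docs_on_file=False)
SLOW_NOTICE_MSP = CoveredVendor(
    name="Slow Notice MSP (constructed)", engaged_on=date(2023, 9, 1),
    data_access_scope="RMM agent on all workstations; Microsoft 365 admin",
    contract_notify_hours=120, addendum_signed_on=None,
    last_review_on=date(2024, 12, 1), security_contact="soc@example.invalid",
    security_docs_on_file=True)
COMPLIANT_MSP = CoveredVendor(
    name="Compliant MSP (constructed)", engaged_on=date(2023, 9, 1),
    data_access_scope="RMM agent on all workstations; Microsoft 365 admin",
    contract_notify_hours=72, addendum_signed_on=date(2025, 11, 1),
    last_review_on=date(2025, 11, 1), security_contact="soc@example.invalid",
    security_docs_on_file=True)

if __name__ == "__main__":
    print(f"{days_until_deadline(TODAY)} days until the June 3, 2026 compliance date")
    report = register_report([LEGACY_MSP, SLOW_NOTICE_MSP, COMPLIANT_MSP], TODAY)
    for name, gaps in report.items():
        print(f"{name}: {'no gaps' if not gaps else '; '.join(gaps)}")
```

Run as-is to see the three constructed entries scored; in practice the register would be loaded from the firm’s own spreadsheet or CRM export, and the report would be filed with the annual review record so the examiner’s five questions can be answered from one document.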
The Real Risk: Why This Is Not Just a Paperwork Problem
Here is what happens if your MSP has an incident — and they will, eventually — and they do not notify you within 72 hours because they have no contractual obligation to do so.
Your clients’ data is compromised. You find out days or weeks later — maybe from a client, maybe from a fraud alert, maybe from a news report. By then, the 30-day customer notification clock has either started running without your knowledge, or the delay itself has become an additional regulatory violation. You are now looking at a Reg S-P deficiency, a potential failure to provide timely customer notification, and the reputational damage of having been the last person in the chain to know about a breach involving your own clients.
The 72-hour notification requirement exists precisely to prevent this scenario. But it only works if it is contractually enforced. Without the signed addendum, you have no enforcement mechanism and no regulatory defense.
What a Compliant MSP Relationship Looks Like
After June 3, 2026, a compliant small RIA firm will have all of the following in place with their MSP:
- A signed 72-hour notification addendum with specific language referencing Reg S-P obligations
- A current MSP service agreement that has been reviewed for compatibility with the firm’s Vendor Oversight Policy
- A documented vendor register entry for the MSP with current contact information and data access scope
- At least one documented annual review of the MSP relationship, even if it is just a logged conversation
- MSP security policy documentation on file — SOC 2 report, internal security policy, or written acknowledgment of security practices
June 3, 2026 is not a soft deadline. The SEC is already issuing deficiency letters. Getting from where most small RIAs are today to where they need to be requires action now. The addendum language needs to be right. The vendor oversight policy needs to exist and be connected to the addenda. The documentation needs to be organized for retrieval. This is not something your MSP is going to handle for you, and it is not something a generic compliance template covers adequately.
Your MSP contract almost certainly lacks the 72-hour breach notification clause Reg S-P requires. Our compliance package includes a pre-drafted addendum for your MSP — attorney-reviewed and ready to send.
MrFixItGeeks.com provides a complete Reg S-P compliance package including a Vendor Oversight Policy with 72-hour notification addendum templates ready to present to your MSP and other service providers — all 5 required documents delivered in 3 business days.
Get your Reg S-P compliance package at mrfixitgeeks.com/reg-sp-compliance