Your portfolio management platform just sent a breach notification. Client names, account numbers, and Social Security numbers were exposed. The vendor is handling the incident response - but your clients are calling you. And the SEC examiner reviewing your next audit wants to know what due diligence you did before onboarding that vendor.
If you don’t have a good answer ready, that’s the problem this post is here to solve.
The Problem: Most Small Advisory Firms Have No Vendor Risk Process
A typical boutique registered investment advisor (RIA) running five to thirty people might rely on a dozen or more third-party platforms to do business - portfolio management software, a CRM, a financial planning tool, a document vault, an e-signature platform, payroll, and a managed IT provider, to name a few. Most of those vendors touch client data in some form.
The problem isn’t that firms use vendors. They have to. The problem is that most smaller advisory firms have never formally asked: Who has our client data, what are they doing to protect it, and what happens if something goes wrong?
There’s no formal inventory. There are no vendor security questionnaires. The contracts were signed without much scrutiny of breach notification timelines or liability clauses. And if a regulator asked for documentation showing vendor oversight, there isn’t any to show.
This isn’t a criticism - it’s a structural reality. Small firms are stretched thin. The principal is usually the compliance officer, the relationship manager, and the business developer rolled into one. Nobody handed them a vendor risk management framework when they registered.
But the exposure is real. And the expectation that you manage it is already baked into the rules.
Why This Matters for Registered Investment Advisors
The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have both made clear that third-party risk isn’t just a large-firm problem.
The SEC’s Regulation S-P - which governs the privacy and safeguarding of client financial information - requires registered advisors to have written policies and procedures that address how they protect client data, including data held or processed by service providers. The 2023 amendments to Reg S-P, which take effect for smaller entities in 2026, add explicit requirements around incident response programs and vendor notification timelines.
FINRA’s cybersecurity guidance similarly calls out third-party vendor oversight as a core expectation, noting that member firms are responsible for assessing the security practices of vendors that access their systems or client data.
Here’s what that means in plain terms: if a vendor you’ve hired gets breached and your clients’ data is exposed, the regulatory question isn’t just “what did the vendor do wrong?” It’s “what did you do to vet them, monitor them, and protect your clients?” You remain responsible for the data your clients entrusted to you - regardless of who’s holding it at the moment something goes wrong.
The financial and reputational stakes are significant. A breach can trigger state-level notification obligations under laws like the California Consumer Privacy Act (CCPA). It can expose the firm to client complaints, arbitration, or civil liability. And it can generate exactly the kind of regulatory attention a boutique firm is least equipped to handle.
How to Build a Vendor Risk Management Process That Fits a Small Firm
You don’t need an enterprise governance, risk, and compliance (GRC) platform. You need a process that’s consistent, documented, and proportionate to the size of your firm. Here’s a practical framework.
Step 1: Build a vendor inventory.
Start by listing every third party that touches client data - directly or indirectly. Include platforms where client records are stored, tools where advisors input client information, any IT provider with access to your systems, and cloud services where documents are retained. For each vendor, note what type of data they access and whether they store it or merely process it.
This list is the foundation of everything else. You can’t manage risk you haven’t mapped.
Step 2: Tier your vendors by risk.
Not every vendor deserves the same scrutiny. A vendor that stores client account data and Social Security numbers is higher risk than a vendor that manages your email newsletter list. Assign a basic risk tier - high, medium, or low - based on the sensitivity of the data they touch and how deeply they’re integrated into your operations.
Step 3: Ask the right questions before and after onboarding.
For any medium- or high-tier vendor, you should be able to answer the following:
- Do they carry security and privacy liability insurance, and for how much?
- Have they completed a Service Organization Control 2 (SOC 2) Type II audit in the past twelve months? Can they provide the report?
- What’s their contractual obligation to notify you in the event of a breach? Is there a specific timeline - ideally 48 to 72 hours?
- Do they have a documented incident response plan?
- Who within the vendor organization is responsible for security, and how do you reach them?
If a vendor can’t answer these questions - or resists answering them - that tells you something.
Step 4: Review your vendor agreements.
Pull the service agreements for your high-risk vendors and look for data processing language, breach notification clauses, and indemnification terms. If your agreement is silent on breach notification, you may have no contractual right to timely notice - and no recourse if the vendor delays telling you.
Step 5: Document your annual review.
Once a year, revisit your vendor inventory. Confirm that high-risk vendors still have current SOC 2 reports. Check that your contacts are current. Note any changes in services that might affect the data exposure. Keep a simple log. This documentation is what you’ll show a regulator or auditor to demonstrate that vendor oversight is a real, recurring practice - not just an intention.
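As an added example (not from the original post), here is a small Python script that turns Steps 1 through 5 into something checkable: each vendor is one inventory record, the tiering rule from Step 2 and the due-diligence questions from Steps 3 and 4 are functions, and the output is the list of gaps to chase for each medium- and high-tier vendor plus whether its annual review (Step 5) is overdue. The sensitivity categories, the 72-hour and twelve-month thresholds, and the three sample vendors are assumptions constructed for illustration; adjust them to your own firm's data and contracts.

```python
"""Vendor inventory and risk-tier checker for a small RIA (hypothetical example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed categories: anything in SENSITIVE makes a vendor high-tier;
# a vendor that only sees contact details and has no system access is low-tier.
SENSITIVE = {"ssn", "account_numbers", "financial_records"}
CONTACT_ONLY = {"names", "email"}
YEAR = timedelta(days=365)


@dataclass
class Vendor:
    """One row of the vendor inventory (Step 1)."""
    name: str
    data_types: set                 # client data categories the vendor touches
    stores_data: bool               # stores the data, or merely processes it
    system_access: str              # "admin", "integrated", or "none"
    insurance_usd: Optional[int] = None        # security/privacy liability cover
    soc2_type: Optional[str] = None            # "Type II", "Type I", or None
    soc2_period_end: Optional[date] = None     # end of the audited period
    breach_notice_hours: Optional[int] = None  # contractual; None = contract silent
    has_ir_plan: bool = False
    security_contact: Optional[str] = None
    last_reviewed: Optional[date] = None       # last entry in your review log


def risk_tier(v: Vendor) -> str:
    """Step 2: tier by data sensitivity and depth of integration."""
    if v.data_types & SENSITIVE or v.system_access == "admin":
        return "high"
    if v.data_types <= CONTACT_ONLY and v.system_access == "none":
        return "low"
    return "medium"


def due_diligence_findings(v: Vendor, today: date) -> list:
    """Steps 3-5: the questions a medium/high vendor must answer, as gap checks."""
    findings = []
    if risk_tier(v) == "low":
        return findings                       # low tier gets inventory entry only
    if v.insurance_usd is None:
        findings.append("no evidence of security/privacy liability insurance")
    if v.soc2_type != "Type II":
        findings.append("no SOC 2 Type II report on file"
                        + (" (Type I is point-in-time only)" if v.soc2_type == "Type I" else ""))
    elif v.soc2_period_end is None or today - v.soc2_period_end > YEAR:
        findings.append("SOC 2 Type II report older than twelve months")
    if v.breach_notice_hours is None:
        findings.append("contract silent on breach notification")
    elif v.breach_notice_hours > 72:
        findings.append(f"breach notification window {v.breach_notice_hours}h exceeds 72h")
    if not v.has_ir_plan:
        findings.append("no documented incident response plan")
    if not v.security_contact:
        findings.append("no named security contact")
    if v.last_reviewed is None or today - v.last_reviewed > YEAR:
        findings.append("annual review overdue")
    return findings


def review_inventory(vendors, today: date) -> dict:
    """Return {vendor name: (tier, findings)} for the whole inventory."""
    return {v.name: (risk_tier(v), due_diligence_findings(v, today)) for v in vendors}


# Constructed sample inventory; names and values are not real vendors.
AS_OF = date(2026, 3, 1)
SAMPLE_VENDORS = [
    Vendor("Portfolio platform (constructed)", {"names", "account_numbers", "ssn"}, True,
           "integrated", insurance_usd=5_000_000, soc2_type="Type II",
           soc2_period_end=AS_OF - timedelta(days=100), breach_notice_hours=72,
           has_ir_plan=True, security_contact="security@example.invalid",
           last_reviewed=AS_OF - timedelta(days=30)),
    Vendor("Managed IT provider (constructed)", {"names", "email"}, False, "admin"),
    Vendor("Planning tool (constructed)", {"names", "financial_records"}, True,
           "integrated", insurance_usd=2_000_000, soc2_type="Type I",
           breach_notice_hours=120, has_ir_plan=True,
           security_contact="ciso@example.invalid",
           last_reviewed=AS_OF - timedelta(days=400)),
    Vendor("Newsletter tool (constructed)", {"email"}, True, "none"),
]


if __name__ == "__main__":
    for name, (tier, gaps) in review_inventory(SAMPLE_VENDORS, AS_OF).items():
        print(f"{name}: {tier}")
        for gap in gaps:
            print(f"  - {gap}")
```

Run it once a year with today's date and keep the printed output with the review log; the findings list is the action list for the next cycle, and an empty list for a high-tier vendor is the evidence that the questions in Step 3 were asked and answered.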
What to Look for in an IT Partner
Your managed IT services provider is one of your highest-risk vendors - they likely have administrative access to your systems, your email environment, and your client data. They deserve the most scrutiny of anyone on your list.
When evaluating an IT partner, ask:
- Do they carry security liability insurance, and will they share evidence of coverage?
- Have they undergone any third-party security assessments or audits?
- What’s their process for managing privileged access to client systems?
- Can they help you build and maintain your vendor risk inventory as part of their service?
- Do they understand SEC and FINRA compliance requirements - not just general IT best practices?
A good IT partner for a financial advisory firm should be able to speak your regulatory language. If they’re not familiar with Reg S-P or the SEC’s security rules, they’re not the right fit for your practice.
The Bottom Line
Vendor risk management isn’t an enterprise problem that small RIAs can ignore. Regulators expect oversight. Clients deserve it. And the liability when something goes wrong falls on your firm, regardless of where the data was sitting.
The good news: a practical program isn’t complicated. A vendor inventory, a few key due diligence questions, and an annual review cadence will put you ahead of most firms your size - and give you something concrete to show if anyone ever asks.
Frequently Asked Questions
What is vendor risk management for a small RIA?
Vendor risk management for a small RIA is the process of identifying which third-party software and service providers have access to client data, evaluating how securely they handle that data, and maintaining documentation of that oversight. For a boutique firm, this typically means keeping a vendor inventory, reviewing key contracts for security and breach notification terms, and conducting a lightweight annual review. It doesn’t require specialized software - a well-maintained spreadsheet and consistent process is a reasonable starting point.
Is my RIA required to manage vendor risk under SEC rules?
Yes. Regulation S-P requires registered investment advisors to implement written policies and procedures for safeguarding client financial information, including information held by service providers. The 2023 amendments to Reg S-P strengthen these requirements and add explicit provisions around incident response and vendor notification timelines. FINRA’s guidance on information security similarly identifies third-party vendor oversight as an expectation for member firms.
What should I look for in a vendor’s SOC 2 report?
A SOC 2 Type II report documents whether a vendor’s security controls were operating effectively over a defined period - typically six to twelve months. When reviewing one, confirm that the audit period is recent (within the last year), that the auditor’s opinion is unqualified, and that the report covers the trust service criteria most relevant to your data - usually security, availability, and confidentiality. If a vendor only has a SOC 2 Type I report, note that it reflects a point-in-time assessment, not ongoing operational effectiveness.
How often should a small advisory firm review its vendors?
An annual review is the standard expectation and a defensible cadence for most boutique firms. For your highest-risk vendors - particularly IT providers and platforms that store client financial data - you should also review any material changes to services, personnel, or security practices on an ongoing basis. If a vendor experiences a security incident or announces a significant change to their data handling practices, that warrants an immediate out-of-cycle review.
If you’re working through vendor risk management challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.