How to evaluate your IT provider for Reg S-P compliance

by Scott Jack
Content Contributor, E-N Computers
15 years of experience in systems engineering and support including app deployment, mobile device management, and documentation.

The June 3, 2026 compliance deadline for SEC Regulation S-P has passed. You created policies and an incident response plan. But what about covered service providers like your managed IT company?  

Most of the attention around Reg S-P has focused on RIAs: your incident response plan, your written policies, your notification procedures. But your IT provider — with remote access to your systems, your email, your files — is classified under Reg S-P as a covered service provider. Your examiner will want to see that you’re managing them accordingly. 

Let’s talk about why your IT provider is covered, what you need from them, what to ask them, and what a capable MSP should be able to give you. 

QUICK ANSWER:

What are my responsibilities regarding my IT provider under SEC Reg S-P?

Your IT provider is a “covered service provider” because of their access to your client information. You must demonstrate ongoing oversight that includes documenting your evaluation of the vendor, confirming they operate under a written information security program (WISP), getting their written commitment to notify you within 72 hours of a security incident, and performing annual reviews of the relationship. 


Your IT provider is a covered service provider

Reg S-P defines a “covered service provider” as any vendor that receives, maintains, processes, or accesses customer information on behalf of a covered institution. That definition covers virtually every managed IT provider with remote access to your systems. 

Think about what your IT provider can reach: your email, your document storage, your client files, your devices. If they support your firm, they almost certainly meet the definition and are a regulated provider. 

That means you need to oversee your IT provider and make sure that they are compliant. You need to document your evaluation of them, that they operate under a written information security program (WISP), that they’ve committed to notify you within 72 hours of a security incident, and that you review the relationship at least annually. Your SEC examiner will be looking for this. 

What you need for covered service providers

Reg S-P’s service provider requirements come down to three things: 

  1. A written information security program (WISP). Your IT provider needs a documented, written policy that describes how they protect client data. The program needs to address specific controls: who has access to your data and how that access is managed, how they detect and respond to incidents, how they handle devices and endpoints, how they log activity, and how they manage any subcontractors who might also touch your data. 
  2. A 72-hour breach notification commitment. If your IT provider discovers a security incident that involves, or may involve, your client data, you need them to notify you within 72 hours. The clock starts when they become aware of facts that would lead a reasonable person to believe a security event has occurred. They can’t wait until they’ve confirmed the full scope of the breach. That commitment should be documented in writing, whether by service agreement, attestation letter, or another record you can show your examiner. 
  3. Documented oversight by you. The rule requires you, as the RIA, to oversee your service providers. You need records showing that you evaluated your IT provider, looked over their security documentation, and reviewed the relationship annually. It’s not enough to say that you’ve worked with them for years. 

Four questions to ask your IT provider before your next SEC exam

Even if you’re not a tech expert, these four questions will give you the information you need. 

  1. Do you have a written information security program, and can you give me a summary of it? A qualified provider can answer this immediately and produce documentation. The summary doesn’t need to expose their internal security details, but it needs to confirm that the program exists, what it covers, and how it’s maintained. 
  2. Will you commit in writing to notify me within 72 hours of a security incident? You need them to commit to notifying you within 72 hours of them becoming aware of facts that a reasonable person would believe indicate a security incident. Remember, they can and should continue to investigate and determine the extent of the damage after notifying you. Saying that they will notify you “as soon as possible” is not enough. 
  3. Can you provide a written security attestation I can keep in my vendor oversight file? SEC examiners expect you to have documented evidence that you have evaluated your IT vendors. A security attestation letter signed by an authorized representative of your IT provider, confirming their security program is in place, gives you something concrete to show. 
  4. When can we schedule an annual tabletop exercise, and what would that look like? An incident response plan on paper is a great start, but you won’t really see the gaps until you put it to the test. A qualified IT provider can walk you through a simulated incident scenario and produce a record that the exercise happened. 

Red flags that your setup needs work

Sometimes you can fix gaps with new policies or addendums. In other cases, they exist because your IT provider is fundamentally unable to do what the regulation requires. 

No written security policies. If your IT provider can’t promptly produce documentation of their information security program, they don’t have one. Many break-fix shops and small local IT operations don’t have them.  

Pushback on a contract addendum. A provider that already works with regulated clients will understand why you’re asking and is already operating the way the rule requires. If there’s confusion or hesitation, they’re probably not able to fulfill their end of the contract. 

No defined breach notification timeline. Vague promises won’t cut it. They need to be clear about when the 72-hour countdown clock starts. 

No annual review or security attestation. Reg S-P requires ongoing vendor oversight. A proactive IT provider should be conducting annual reviews at minimum, discussing security controls and opportunities to improve them, and scheduling tabletop exercises to practice and optimize your incident response plan. 

No visibility into your full system. A provider can only notify you of an incident they can detect. If your IT provider doesn’t have monitoring tools in place, including endpoint detection, logging, and security event management, they have no reliable way to know when something has gone wrong. If they can’t monitor for security incidents, they can’t notify you of them, either. If you’re a small broker-dealer affiliate, pay attention to the next section. 

One major hiccup for small broker-dealer affiliates

Your relationship with your broker-dealer can throw a major wrench into an IT provider’s ability to secure and monitor your systems. Many broker-dealers manage your email and identity, which is the basis for many modern security solutions. On top of that, email carries most of your client data and poses most of your security risk. Without visibility into and control over email, an IT provider is limited in what they can do for you. 

“The broker-dealer kind of snags the low hanging fruit and leaves all the difficult work with the devices and everything else up to the local guys,” said Ian MacRae, president of E-N Computers. “There’s no pattern recognition to anything. There’s no way that you can install a single tool on all of the computers and then look and see if there’s a pattern because nobody gives you administrative control to the entire system.” 

In that case, the problem isn’t your IT provider’s qualifications, but the split control over essential systems. Even if we were to give you an alternate identity (i.e., a secondary email like you@yourcompany.onmicrosoft.com), we would be limited in our ability to detect and mitigate threats. 

If your broker-dealer manages your email, no IT provider is going to be able to meet your security, monitoring, and notification requirements. 

What a compliant MSP looks like — and what they can hand you on day one

A managed IT provider that works with regulated financial firms should be able to answer all four of the questions above without hesitation and produce documentation the same week you ask. 

When E-N Computers onboards an RIA client, the contract includes a formal information security addendum to the service agreement. That addendum defines what constitutes a security event, commits E-N Computers in writing to 72-hour notification, specifies the content that notification must include, and establishes cooperation obligations if the firm faces an SEC examination. 

The written information security program covers eleven security domains: access controls, multi-factor authentication, encryption, endpoint security, incident detection and response, vendor and subcontractor management, personnel screening, physical security, audit logging, change management, and annual review. That program is built on NIST 800-53, which is also the baseline for Reg S-P. Ian puts it plainly: “This is stuff you should be doing anyway.” The regulation didn’t raise the bar — it just started enforcing it. 

Within 60 days of engagement, E-N Computers delivers a written summary of the WISP program to the client, in enough detail to satisfy vendor oversight obligations under Reg S-P without exposing sensitive security specifics. Annually, and on request, we provide a signed security attestation letter. This is a formal written confirmation, signed by an authorized representative, that the program is in place, that no undisclosed security events have occurred, and that relevant personnel have completed security training.  

The audit documentation package also includes a tailored incident response plan, a Microsoft Secure Score report showing current controls and a remediation roadmap, and a security control inventory summarizing the safeguards in place. 

If you need a provider that meets the standard, here’s what to do

When you ask the four questions above, you’ll quickly get an idea whether your IT provider can meet your needs or not. 

A provider that works with regulated clients will engage immediately. They’ll know what a written information security program is, they’ll have addendum language ready, and they’ll be able to describe their notification procedures without looking anything up. The documentation exists because they’ve built the program, not because you asked. 

A provider that hasn’t worked in regulated industries will show it quickly. They may not know what a vendor security attestation is. They may push back on adding contractual language. They may give you reassurances instead of documents.  

If that’s where you land, E-N Computers works with registered investment advisors across Virginia and the Washington, DC metro area. Schedule a complimentary consultation with E-N Computers. 
