Regulation S-P Is Changing: How AI-Driven Due Diligence Can Help You Be Ready by June 2026
How Firms Can Operationalize with AI
The SEC formally adopted amendments to Regulation S-P in May 2024 to modernize and strengthen the data protection, incident response, and breach notification rules that apply to covered financial institutions.
The amendments carry a compliance date of December 3, 2025 for larger entities and June 3, 2026 for smaller entities. Covered institutions are “brokers and dealers, funding portals, investment companies, investment advisers registered with the Commission, and transfer agents registered with the Commission or another appropriate regulatory agency,” as the SEC’s Small Entity Compliance Guide puts it. The amendments were written to bring customer data security into the modern age, and they have a profound impact on asset managers and advisors because they substantially expand expectations around how firms safeguard customer information, manage third parties, and document their compliance processes.
For asset managers, advisors, and broker-dealers, this is not just another “cyber” project; it may require an overhaul of vendor due diligence and oversight. AI-powered due diligence workflows can supply much of the capacity that overhaul demands.
What’s Changing Under the Amended Reg S-P?
In May 2024, the SEC adopted amendments to modernize Reg S-P, which governs the privacy and safeguarding of consumer financial information.
The amendments do four big things:
1. Require a written incident response program
2. Require customer breach notification as soon as practicable, and no later than 30 days after the firm becomes aware of the breach
3. Strengthen service provider oversight
4. Expand recordkeeping requirements and the scope of covered entities and data

Strengthening Service Provider Oversight
Perhaps the most consequential element of the amended Regulation S-P is the SEC’s sharpened focus on service provider oversight. For many firms this will be the single biggest lift ahead of the 2025 and 2026 compliance dates. The broad concepts are not new, but the SEC has formalized them into requirements that are more concrete, prescriptive, and evidence-driven.
The SEC’s premise is clear: customer information is only as secure as the weakest link in the vendor ecosystem. In today’s financial services environment that ecosystem is vast and complex, with cloud platforms, fund administrators, custodians, fintech tools, data partners, and outsourced IT teams all touching sensitive information.
The amended Reg S-P now requires covered institutions to oversee and monitor service providers as part of their safeguards and incident-response programs, with written policies and procedures reasonably designed to ensure vendors take appropriate measures to protect customer information. This represents a shift from “best practice” to a regulatory mandate, particularly for RIAs, broker-dealers, and investment companies, which are working with an increasing number of outsourced parties and may not have previously maintained robust vendor risk programs.
Below is a deeper look at what the new expectations mean—and how firms can modernize these workflows using purpose-built AI-powered due diligence tools.
A Practical Roadmap: Blending Reg S-P Compliance and AI
#1: Perform Due Diligence on All In-Scope Service Providers
Under the amended rule, “service provider” refers broadly to any vendor that receives, maintains, processes, or otherwise has access to customer information. This includes (but is certainly not limited to):
- Cloud and technology providers
- Fund administrators, custodians, and prime brokers
- Sub-advisers, placement agents, and distributors
- Cybersecurity, monitoring, and IT vendors
- Outsourced administrative or operational partners
Firms must conduct initial due diligence to assess whether each service provider maintains adequate safeguards, including controls for confidentiality, integrity, availability, and incident response.
The challenge is that most diligence programs today are highly manual, relying on static Excel questionnaires, scattered emails, PDFs, and siloed subject matter expert (SME) input. Multiplied across dozens or hundreds of vendors, this quickly becomes unmanageable.
How AI can help:
AI-powered due diligence platforms can:
- Ingest and analyze SOC reports, Standardized Information Gathering (SIG) questionnaires, and vendor artifacts to automatically extract control information
- Compare vendor controls against Reg S-P requirements and internal benchmarks
- Identify and highlight red flags across security gaps, weak encryption practices, outdated policies, or missing breach-notification procedures
This is especially valuable for firms without large vendor-risk teams. AI compresses days of manual review into minutes and improves consistency across vendors; extracted findings should still be spot-checked against the underlying SOC report or questionnaire before they are relied on as evidence.
#2: Monitor Vendors on an Ongoing Basis
Oversight under Reg S-P is not a one-time exercise. Firms must monitor service providers on an ongoing basis and adjust risk tiers and controls as vendors’ services or risk profiles evolve. This includes:
- Annual or periodic refreshes of questionnaires
- Review of new SOC reports or cyber attestations
- Monitoring for changes in data flows or new access rights
- Tracking issues, exceptions, or remediation plans
- Escalating deficiencies when vendors fail to meet required standards
This ongoing monitoring is often where firms fall short—not due to lack of effort, but due to fragmented processes.
How AI can help:
AI-enhanced platforms automate and streamline continuous oversight by:
- Automatically surfacing changes in vendor controls from updated SOC reports or questionnaires
- Tracking remediation of outstanding issues and sending reminders
- Cross-referencing internal incidents related to vendor systems
- Providing dashboards that show the real-time health of your vendor ecosystem
Instead of ad-hoc monitoring buried in inboxes or disorganized drives, firms gain a structured, auditable, and scalable approach.
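The first bullet above, surfacing changes in vendor controls between two assessments, is the part of ongoing monitoring that is easiest to make mechanical. The following is an added example, not code from the original page or from any platform it mentions: it diffs two constructed control snapshots (the kind of structured output an extraction step would produce from successive SOC 2 reports or SIG responses), rates each change by whether the affected control supports a Reg S-P obligation, and rolls the result up into a vendor tier for escalation. The control IDs follow SOC 2 Trust Services Criteria numbering, but the status vocabulary and the control-to-obligation mapping are this example's own assumptions, not an SEC crosswalk.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed snapshots of one vendor's control results, as a diligence tool
# might extract them from two successive SOC 2 reports or SIG responses.
# Control IDs follow SOC 2 Trust Services Criteria numbering; the names are
# abbreviated and the status values are this example's own vocabulary.
PRIOR_ASSESSMENT: Dict[str, Dict[str, str]] = {
    "CC6.1": {"name": "Logical access controls", "status": "effective"},
    "CC6.7": {"name": "Encryption in transit and at rest", "status": "effective"},
    "CC7.3": {"name": "Security incident evaluation and response", "status": "effective"},
    "CC9.2": {"name": "Vendor and subservice organization risk", "status": "effective"},
}
CURRENT_ASSESSMENT: Dict[str, Dict[str, str]] = {
    "CC6.1": {"name": "Logical access controls", "status": "exception"},
    "CC6.7": {"name": "Encryption in transit and at rest", "status": "effective"},
    "CC7.3": {"name": "Security incident evaluation and response", "status": "not_tested"},
    "CC8.1": {"name": "Change management", "status": "effective"},
}

# Illustrative mapping of controls to the Reg S-P obligation they support
# (an assumption for this example, not an SEC crosswalk). A regression in a
# mapped control is rated high because it bears directly on the rule.
REG_SP_RELEVANT = {
    "CC6.1": "safeguards: access to customer information",
    "CC6.7": "safeguards: encryption of customer information",
    "CC7.3": "incident response and 72-hour vendor notification",
    "CC9.2": "oversight of the vendor's own service providers",
}

# Higher rank is better; any move to a lower rank is a regression.
STATUS_RANK = {"exception": 0, "not_tested": 1, "effective": 2}


@dataclass
class ControlChange:
    control: str
    kind: str                  # "regression", "improvement", "added", "removed"
    prior: Optional[str]
    current: Optional[str]
    severity: str              # "high", "medium", "info"
    obligation: Optional[str]  # Reg S-P obligation affected, if mapped


def compare_assessments(prior: Dict[str, Dict[str, str]],
                        current: Dict[str, Dict[str, str]]) -> List[ControlChange]:
    """Diff two control snapshots and rate each change for follow-up."""
    changes: List[ControlChange] = []
    for cid in sorted(set(prior) | set(current)):
        p = prior.get(cid, {}).get("status")
        c = current.get(cid, {}).get("status")
        if p == c:
            continue
        obligation = REG_SP_RELEVANT.get(cid)
        bad_severity = "high" if obligation else "medium"
        if p is None:
            changes.append(ControlChange(cid, "added", None, c, "info", obligation))
        elif c is None:
            # A control that silently drops out of the report is treated as a
            # regression: the evidence the firm relied on no longer exists.
            changes.append(ControlChange(cid, "removed", p, None, bad_severity, obligation))
        elif STATUS_RANK.get(c, 0) < STATUS_RANK.get(p, 0):
            changes.append(ControlChange(cid, "regression", p, c, bad_severity, obligation))
        else:
            changes.append(ControlChange(cid, "improvement", p, c, "info", obligation))
    return changes


def risk_tier(changes: List[ControlChange]) -> str:
    """Roll the changes up into a vendor tier for escalation."""
    if any(ch.severity == "high" for ch in changes):
        return "critical"
    if any(ch.severity == "medium" for ch in changes):
        return "elevated"
    return "stable"


if __name__ == "__main__":
    found = compare_assessments(PRIOR_ASSESSMENT, CURRENT_ASSESSMENT)
    for ch in found:
        print(f"{ch.control}: {ch.kind} {ch.prior} -> {ch.current} "
              f"[{ch.severity}] {ch.obligation or ''}")
    print("vendor tier:", risk_tier(found))
```

Two design choices matter here. A control that disappears from the new report is rated as harshly as one that regressed, because the firm's file now lacks the evidence it previously relied on; and "not tested" is ranked below "effective" so that a vendor cannot improve its apparent posture by narrowing the scope of its audit.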
#3: Update Contracts and Require Prompt Breach Notification
The most operationally significant change may be the requirement that service providers notify the covered institution as soon as possible, and no later than 72 hours, after becoming aware of a breach affecting the customer information they hold. For most firms, carrying that obligation means updating service provider contracts.
This matters because the firm’s own clock is short: it must notify affected customers as soon as practicable, and no later than 30 days after becoming aware of the breach. A vendor that reports late compresses the time the firm has to investigate, assess the risk, and notify, and a firm whose oversight program did not require timely vendor notice risks violating the rule even though the vendor caused the incident.
How AI can help:
AI can assist by automating contract intelligence:
- Scanning existing contracts to locate (or detect the absence of) breach-notification clauses
- Extracting key elements such as notification timing, data protection obligations, encryption requirements, and incident-response cooperation expectations
- Flagging contracts that require amendments
- Tracking the execution of new riders or contract updates
This reduces the legal and operational burden of contract review across dozens of providers.
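The first three bullets above (locate the clause, extract its timing, flag what needs amending) are a decision procedure that can be checked independently of whatever model extracts the clause text. The following is an added example, not code from the original page or from any platform it mentions: it runs that procedure with regular expressions over four constructed clause excerpts keyed by made-up contract identifiers, converts each stated window to worst-case calendar hours, and flags any contract with no clause, no numeric deadline, or a deadline beyond 72 hours. Production tools would use NLP or an LLM for the extraction step; the rule logic is what this example shows.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Reg S-P: a service provider must notify the covered institution no later
# than 72 hours after becoming aware of a breach. Any longer window, or no
# numeric window at all, means the contract needs an amendment.
REQUIRED_MAX_HOURS = 72

# Constructed clause excerpts (not real agreements), keyed by a made-up
# contract identifier, as a contract-intelligence tool might extract them.
SAMPLE_CONTRACTS: Dict[str, str] = {
    "cloud-hosting-msa": (
        "Provider shall notify Customer of any Security Incident without undue "
        "delay and in no event later than seventy-two (72) hours after becoming "
        "aware of the incident."
    ),
    "fund-admin-agreement": (
        "Administrator will inform the Fund of any unauthorized access to "
        "Confidential Information within ten (10) business days of discovery."
    ),
    "legacy-it-outsourcing": (
        "Vendor shall maintain commercially reasonable safeguards for Customer "
        "Data and cooperate with Customer's periodic security assessments."
    ),
    "data-partner-dpa": (
        "Processor shall notify Controller of a Personal Data Breach as soon as "
        "practicable and in any case within 24 hours of becoming aware."
    ),
}

_NOTIFY_RE = re.compile(r"\b(notify|notification|inform)\b", re.IGNORECASE)
_BREACH_RE = re.compile(
    r"\b(breach|security incident|unauthori[sz]ed access)\b", re.IGNORECASE
)
# Matches "72 hours", "seventy-two (72) hours", "ten (10) business days".
_WINDOW_RE = re.compile(
    r"\(?(\d{1,3})\)?\s*(business\s+days?|days?|hours?)", re.IGNORECASE
)


@dataclass
class ClauseFinding:
    contract_id: str
    has_clause: bool
    window_hours: Optional[int]  # worst-case calendar hours; None if no number
    needs_amendment: bool
    reason: str


def extract_window_hours(text: str) -> Optional[int]:
    """Return the notification deadline as worst-case calendar hours.

    Business days are expanded pessimistically: each block of up to five
    business days can straddle a weekend, so N business days is bounded by
    24*N + 48*ceil(N/5) hours (holidays ignored). Ten business days is
    therefore 336 hours, not 240.
    """
    m = _WINDOW_RE.search(text)
    if not m:
        return None
    n = int(m.group(1))
    unit = m.group(2).lower()
    if unit.startswith("hour"):
        return n
    if unit.startswith("business"):
        return 24 * n + 48 * math.ceil(n / 5)
    return 24 * n


def assess_contract(contract_id: str, text: str) -> ClauseFinding:
    """Classify one contract's clause against the 72-hour requirement."""
    has_clause = bool(_NOTIFY_RE.search(text) and _BREACH_RE.search(text))
    if not has_clause:
        return ClauseFinding(contract_id, False, None, True,
                             "no breach-notification clause found")
    window = extract_window_hours(text)
    if window is None:
        return ClauseFinding(contract_id, True, None, True,
                             "clause sets no numeric deadline")
    if window > REQUIRED_MAX_HOURS:
        return ClauseFinding(contract_id, True, window, True,
                             f"worst-case window {window}h exceeds {REQUIRED_MAX_HOURS}h")
    return ClauseFinding(contract_id, True, window, False, "meets 72-hour requirement")


def review_contracts(contracts: Dict[str, str]) -> Dict[str, ClauseFinding]:
    """Assess every contract and return findings keyed by contract id."""
    return {cid: assess_contract(cid, text) for cid, text in contracts.items()}


if __name__ == "__main__":
    for cid, f in review_contracts(SAMPLE_CONTRACTS).items():
        flag = "AMEND" if f.needs_amendment else "ok   "
        print(f"{flag} {cid:<24} window={f.window_hours} {f.reason}")
```

The business-day conversion is the caveat a reviewer most often misses: a clause promising notice "within two business days" can legitimately take 96 calendar hours over a weekend, so it fails a 72-hour requirement even though the number in the contract is small. Clauses that promise notice "promptly" or "without undue delay" with no number are flagged too, since they give the firm nothing to enforce against its own 30-day customer deadline.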
#4: Maintain Evidence of Oversight (Recordkeeping)
The amendments strengthen recordkeeping requirements. Firms must maintain written documentation of:
- Due diligence performed
- Monitoring activities
- Vendor risk assessments
- Issue remediation
- Contract provisions
- Incident communications
- Testing and validation of oversight processes
This “audit trail” must be available to examiners, and the amendments set retention periods that vary by type of covered institution.
How AI can help:
AI-powered diligence platforms can:
- Automatically classify and file/organize documents (DDQs, SOC reports, contracts, findings, notifications, etc.)
- Link each document to specific Reg S-P obligations
- Generate exam-ready reports showing evidence of vendor oversight
- Preserve decision logs and workflow history
Instead of scrambling during an SEC exam, firms can produce a complete, well-organized record within minutes.
Why This Matters: The Strategic Risk Behind Vendor Oversight
Vendor incidents are now at the center of regulatory scrutiny. In fact:
- At least 35.5% of all data breaches originate with third-party service providers, according to SecurityScorecard’s 2025 Global Third-Party Breach Report
- Regulators across the SEC, OCC, FINRA, and global frameworks (e.g., DORA, CPS 230) are tightening expectations
- Clients increasingly expect transparency into how firms oversee vendors
The amended Reg S-P brings U.S. financial services more in line with global operational-resilience and vendor-risk standards, raising the bar for the entire industry. Strong vendor oversight is now a regulatory requirement as well as a competitive differentiator.
Bottom Line: AI Makes Reg S-P Vendor Oversight Achievable
Where traditional vendor-risk programs struggle (volume, coordination, and documentation), AI excels. With AI-powered due diligence platforms like CENTRL’s:
- Firms automate vendor assessments
- Risks and gaps are surfaced quickly
- The entire process is systematic, concrete, and documented
- Oversight becomes repeatable, measurable, and scalable
The latest amendments to Reg S-P were written to bring customer privacy and compliance into the modern era, and it is appropriate to respond with equally modern tools. Instead of viewing the amendments as a compliance burden, firms can use this moment to modernize their vendor oversight programs, strengthening resilience, reducing risk, and building a defensible compliance posture ahead of the deadlines.
