SplitSecure for SEC Reg S-P

Recent SEC enforcement and updated interpretations of Regulation S-P make one point clear: third-party vendor incidents are no longer treated as external failures. They are treated as failures of internal controls.

Firms are now expected to demonstrate that they technically limit, monitor, and revoke vendor access to customer information and critical systems. Policies, contracts, and questionnaires are no longer sufficient. Regulators expect enforceable access controls that reduce blast radius and prove operational discipline before an incident occurs.

This shift creates a new category of security requirement that legacy IAM and PAM tools were not designed to meet. Nearly 80% of enterprise cyberattacks originate from compromised vendors.

What Has Changed Under Reg S-P

Reg S-P has evolved from a data privacy rule into a practical test of operational security maturity. The SEC is now focused on four questions during examinations and enforcement actions:

1. Was third-party access technically constrained, or merely governed on paper?
2. Could a single vendor credential expose more than it needed to?
3. Was access time-bound, revocable, and auditable in real time?
4. Can the firm prove, not assert, that safeguards were reasonable?

If the answer to any of these is unclear, firms are increasingly found at fault even when the breach originated outside their organization.

The Core Regulatory Gap

Most third-party risk programs were built for oversight, not control.

Common failures include:

• Standing vendor credentials that persist indefinitely
• Shared admin access between internal teams and vendors
• Secrets stored by vendors or PAM systems themselves
• Delayed or incomplete revocation when vendors change scope or exit
• Inability to demonstrate asset-level access boundaries during an incident review

From a regulator’s perspective, these are not vendor failures. They are access design failures.

The New Expectation: Access as a Safeguard

Reg S-P now implicitly treats access control as a safeguard in itself.

That means firms must:

• Limit vendor access to specific assets, not entire environments
• Eliminate single points of failure in privileged access
• Prevent vendors from ever possessing reusable credentials
• Reduce the maximum possible damage of any one compromise
• Produce clear, defensible audit evidence without reconstruction

This is a technical requirement, not a compliance checkbox.

Where SplitSecure Fits

SplitSecure was designed for environments where trust cannot be assumed.

It enables firms to:

• Grant vendor and contractor access without ever sharing or storing secrets
• Enforce multi-party or multi-entity approval for sensitive access
• Scope access to a single system, account, or asset
• Make access time-bound, non-reusable, and cryptographically enforced
• Eliminate reliance on vendor honesty or internal process discipline

Even if a vendor is compromised, the damage is contained by design.

Why This Matters Now

Regulators are no longer asking whether firms assessed vendor risk. They are asking whether firms engineered systems that remain safe when vendors fail.

This is especially urgent for:

• Financial institutions and RIAs under SEC and state oversight
• Firms with MSPs, consultants, offshore developers, or data vendors
• Organizations protecting ultra-high value assets such as root accounts, production databases, or customer records
• Mid-market firms that cannot operate complex PAM infrastructure

Contact Sales

If you’d like to know more about how SplitSecure can help your organization, or if you’d like to see our technical whitepaper to get a better idea of how it works, please contact our sales team.