Welcome back to The Current. This week we’re covering two regulatory developments that are moving faster than most programs have caught up to, plus kicking off a conversation we hear from TPRM professionals constantly: how do you get leadership to actually invest in the program?
As always, we’ve distilled what’s changed, what it means for your work, and what to do about it.
Let’s dive in.🌊
Quick Note: Risk Tide shares educational insights and our take on regulatory changes; this is not legal or compliance advice. Every organization is different, so always check with your legal or compliance teams. Think of us as your "practical" TPRM guide, not your lawyers.

The 72-Hour Vendor Notification Rule Is Here. Are Your Contracts Ready?
Regulators have been signaling for years that vendor oversight needed teeth. Now it has a timer.
What changed:
The SEC's amended Regulation S-P is now in effect for larger financial institutions, broker-dealers, investment companies, RIAs, and transfer agents, with smaller entities required to comply by June 3, 2026. The most operationally demanding piece: vendors that experience a breach of customer information must notify the covered institution within 72 hours of becoming aware of it. The institution then has 30 days to notify affected customers after becoming aware that a breach has occurred.
The clock doesn't pause for weekends, holidays, or vendor finger-pointing. And it doesn't just apply to your own systems. If a service provider is breached, you inherit the timeline.
What didn’t change:
Responsibility still sits with you. You can contractually delegate the customer notification task to a vendor, but you cannot delegate accountability. Your vendors' problems are your problems.
What it means for your program:
Updated contracts are the starting point, not the finish line. The real question is whether your team can actually execute when the call comes in. Not in a tabletop exercise. On a random Saturday morning, with incomplete information, and a clock already running. That's the standard the rule is holding you to.
The bottom line:
If your vendor calls today, how long does it take you to understand what data was exposed, who's affected, and what the notice needs to say? If the answer is "we'd have to figure it out," the next 100 days before the June deadline are your window to change that.

Which Angle Wins the Room?
A quick framework for matching your TPRM pitch to what leadership actually cares about right now.
You already know the arguments. Cost of a breach. Regulatory exposure. Time spent chasing vendors manually. Onboarding bottlenecks. The challenge isn’t having the right material, it’s knowing which piece of it to lead with for this conversation, with this leader, at this point in the year. Here’s a quick way to diagnose it before you walk in.
1. What’s on their scorecard right now?
A business line leader chasing revenue targets needs to hear how TPRM removes friction: faster vendor onboarding, fewer contract delays, less back-and-forth that slows deals down. A leader coming off a rough audit needs to hear about risk reduction and exam readiness. Same investment, two completely different lenses. The one question that tells you which applies: what are they being measured on this quarter?
2. Cost savings or time savings: which currency matters more?
Cost savings is a finance conversation. It requires numbers, avoided losses, and ideally a benchmark showing what peer organizations are spending. Time savings is a business line conversation. It's about how many hours their team spends chasing vendor documents, re-answering the same questions, or waiting on a contract to clear before a project can move. One lands with spreadsheets. The other lands with a story. Know which one you're telling before you start talking.
3. Is there a live vendor pain point you can anchor to?
The most effective pitches aren't hypothetical. In practice, the conversations that turned into funded programs almost always started with something real: a vendor delay that stalled a product launch, a compliance gap that surfaced mid-audit, a near-miss that was still fresh in the room. That kind of anchor shifts the conversation from "here's what we should invest in" to "here's how this would have gone differently." Real is always more persuasive than projected.
4. What’s the cost of doing nothing, in their terms?
Not in program terms. In their terms. A slowed product launch. A contract that stalls because vendor diligence isn't complete. An exam finding that lands in their business unit, not yours. Translating program risk into business line consequences is usually the missing piece, and it's the one that turns a polite conversation into a funded one. If you can't answer that question for the specific leader you're meeting with, you're not quite ready to walk in yet.

Get More Than Just A Registration
When you register for our in-person Risk Tide Labs - New York, you’re getting more than a seat: you’re getting a complete, hands-on training experience, including:
• Up to 15 CPE credits
• A 200+ page comprehensive guidebook
• Exclusive Risk Tide swag
• 30- and 60-day 1:1 instructor check-ins
• A certificate and digital badge to share
• And more!
Fewer than 10 seats remain; secure your spot before they’re gone.⬇️
Where in the world is Garit?
Risk Tide co-founder (and frequent flyer) Garit Gemeinhardt is always on the move, so we’ve decided to keep track of his travels.
This week’s destination: ARTE Museum - New York