Vendor cybersecurity due diligence
Vendor cybersecurity due diligence in financial and capital markets is no longer a checklist exercise. The U.S. Securities and Exchange Commission's 2023 cybersecurity disclosure rules require registrants to describe how they oversee third-party service providers and to report material incidents even when those incidents occur on a vendor's systems. Combined with active supervisory expectations from the European Banking Authority and the Office of the Comptroller of the Currency, that has made vendor oversight a direct regulatory exposure. Firms are reviewing vendor contracts and incident notification clauses now, rather than waiting for the next examination cycle.
Watch
- SEC cybersecurity disclosure rule: materiality determinations for vendor-originated incidents, with the Form 8-K disclosure due four business days after the registrant concludes an incident is material
- EBA ICT third-party risk guidelines: concentration risk assessments for critical service providers and the register of outsourcing arrangements examiners expect to see
- Interagency third-party risk guidance (OCC, Federal Reserve, FDIC): board-level accountability expectations for fintech vendor relationships
- DORA application date: 17 January 2025 for EU financial entities, including EU subsidiaries of U.S. parent firms
- Contractual right-to-audit clauses: examiners flagging their absence from vendor agreements
Recent material activity in Financial & Capital Markets
- SEC proposes amendments to Exchange Act Rule 3b-16 expanding ATS definition to include DeFi protocols
  The SEC has proposed rule changes that would bring decentralized finance protocols under the regulatory umbrella of Alternative Trading Systems. The amendment targets platforms facilitating token swaps exceeding $50M dai…
  Read a full sample brief →
- SEC enforcement action against crypto lending platform for unregistered securities offering
  The Commission filed charges against a major crypto lending platform alleging the firm offered and sold crypto asset lending products that constituted unregistered securities. The complaint seeks disgorgement of $340M in…
  Read a full sample brief →
- CFTC and SEC release joint statement on digital asset classification framework
  The two primary federal financial regulators issued a joint interpretive statement providing guidance on when digital assets fall under securities law versus commodities law. The framework introduces a functional test ba…
  Read a full sample brief →
- Federal Reserve announces enhanced supervisory expectations for banks with crypto asset exposure
  The Board of Governors issued SR 26-4 establishing new supervisory expectations for state member banks engaging in crypto-related activities. Banks must now maintain dedicated risk management frameworks, capital reserves…
  Read a full sample brief →
- SEC approves spot Ethereum ETF amendments allowing staking yield pass-through
  The Commission approved amendments to existing spot Ethereum ETF registration statements permitting the pass-through of staking rewards to fund shareholders. The approval includes enhanced disclosure requirements and a 3…
  Read a full sample brief →
- SEC Division of Examinations publishes 2026 priorities: crypto compliance tops the list
  The SEC's examination division released its annual priorities letter placing crypto asset compliance, stablecoin reserves, and DeFi protocol governance as the top three examination focus areas for 2026. Registered invest…
  Read a full sample brief →
- FINRA proposes new rules for broker-dealer crypto custody and customer protection
  FINRA filed a proposed rule change establishing custody requirements for broker-dealers holding crypto assets on behalf of customers. The proposal requires segregated wallets, proof-of-reserves attestations, and $10M min…
  Read a full sample brief →
- Federal Reserve Board publishes research paper on CBDC impact on commercial bank deposits
  The Board published a staff research paper modeling the potential displacement of commercial bank deposits by a retail CBDC. The paper estimates 8-12% deposit migration in the first two years, with disproportionate impac…
  Read a full sample brief →