On November 12, 2025, hackers infiltrated SitusAMC, a third-party vendor that processes residential mortgage data for over 1,500 financial institutions. Within days, JPMorgan Chase, Citigroup, and Morgan Stanley were all notified that sensitive client data—accounting records, legal agreements, and potentially customer information—may have been compromised.
The attackers didn’t need to breach any of those banks directly. They targeted a single third-party vendor and gained access to data flowing across the entire ecosystem.
For RIAs and wealth management firms, this is a real-world case study in the kind of cybersecurity risk that keeps growing but rarely gets the attention it deserves: third-party vendor risk.
One Vendor Breach. Hundreds of Financial Firms Exposed.
SitusAMC handles billions of loan-related documents annually for banks, pension funds, insurance companies, and state agencies. This wasn’t a ransomware attack—no systems were encrypted. Attackers focused on quietly exfiltrating data, the kind of vendor data breach that can go undetected for weeks because nothing visibly breaks. The FBI confirmed it is investigating.
Attackers are not going after your firm’s firewall. They’re going after the vendors you trust with your clients’ data.
Why Third-Party Vendor Risk Is a Top Cybersecurity Concern for RIAs
Every advisory firm runs on a web of third-party relationships—your custodian, CRM, financial planning software, portfolio reporting tools, email provider, and cloud storage. Each one touches some portion of your clients’ sensitive data, and each one represents a potential entry point for an attacker.
The SEC has made vendor oversight a regulatory priority. The updated Regulation S-P (compliance deadlines December 2025 and June 2026) now requires RIAs to maintain written incident response programs and ensure that third-party service providers can notify the firm within 72 hours of a data breach. The 2026 SEC Examination Priorities specifically call out vendor oversight and cybersecurity governance as top-tier focus areas for investment advisers. And the SEC’s Cyber and Emerging Technologies Unit (CETU) is focused squarely on cybersecurity enforcement among registered entities, including RIAs.
The message is clear: if a vendor gets breached and your firm can’t demonstrate a reasonable vendor risk management program, you’re exposed to both the breach itself and regulatory action.
Practical Steps for RIA Third-Party Vendor Risk Management
Advisory firms don’t need enterprise procurement departments to manage vendor cybersecurity risk effectively. They need a disciplined, documented process:
How Aurmis Helps
At Aurmis, we help RIAs and wealth management firms build and maintain third-party vendor risk management programs that are practical, documented, and exam-ready. Our platform supports full third-party vendor reviews, ongoing management, and auditing—so your firm has a clear, defensible process for every vendor relationship that touches client data or critical operations.
Whether you need a comprehensive vendor risk assessment, help updating your incident response plan to address supply chain scenarios, or fractional CTO/CISO leadership to guide your cybersecurity program, Aurmis can help you translate today’s risk landscape into a concrete plan for your firm.
