Xcelus Executive Decision Lab · For Vendor and Service Provider Leadership

The MSA You Didn’t Read

When an eighteen-page contract becomes a federal securities investigation.

90 minutes  ·  Facilitated executive discussion


The Scenario

It is 2:30 PM on a Thursday. The CEO of Meridian Blue Data Systems — your privately held data services firm with eighty-four employees, eight publicly traded enterprise clients, and forty percent growth over the last three years — has just taken a call from the General Counsel of one of those clients. Their CCO has discovered that one of your senior technical support specialists viewed an FDA approval notification on their system on Tuesday morning. Forty-three minutes later, his sister bought eight hundred shares of the client’s stock through a small retail brokerage account. The technician has been placed on administrative leave. The CEO has called this meeting. And somewhere in the room, someone is about to discover that the standard NDA clause in the standard MSA — three paragraphs across eighteen pages, the kind of contract language that gets signed without specialist legal review — quietly committed the entire workforce to federal securities law obligations under the misappropriation theory. Almost no one in the room had read it carefully.

Two Realizations Landing Simultaneously.

The leadership team that walks into this meeting believes it is a serious organization with mature operational practices. Within the next ninety minutes, that self-assessment will be tested in two ways.

The Immediate Problem

Alex Reyes

Senior Technical Support Specialist

Alex has been with Meridian Blue for four years. He has standard access to publicly traded client systems through his role. On Tuesday morning, he saw the FDA approval notification on the client’s system. By 10:30 AM, his sister had bought eight hundred shares. The Susan-Alex pattern — vendor employee, family-account trade, forty-three-minute gap between access and execution — is one of the most common patterns in SEC misappropriation enforcement actions. By the time the CEO takes the client’s call on Thursday, the violation is complete, the trade has cleared, and the question shifts from prevention to response.

The Structural Realization

The MSA

Eighteen Pages · Twelve Months Old

The MSA with this client was signed twelve months ago. The NDA clause is three paragraphs. The contract does not specifically reference securities law training. The contract does not address personal trading policy. The contract does not screen for family-account access. The standard NDA language, common across virtually every commercial agreement, created federal securities law obligations across the entire workforce under the misappropriation doctrine — and almost no one in the leadership team had read the contract carefully enough to know that. There are seven other publicly traded clients. Approximately thirty-two employees have similar access across those accounts. The structural exposure is not Alex. The structural exposure is the contract architecture.

Four Pressures Active in the Room

Decision Labs work because they put real pressure on real decisions. These four pressures, operating simultaneously, are why service providers consistently underestimate vendor-side securities exposure until an incident forces it.

1. The Eighteen Pages
The contract is eighteen pages. The standard NDA clause is three paragraphs. Nobody on the leadership team has read it front to back since signing.

2. The Client Relationship
Meridian Blue’s business is built on long-term trust from enterprise clients. The instinct in any sensitive matter is to manage the relationship directly, executive to executive, which destroys privilege the moment the substance gets discussed.

3. The Insurance Gap
E&O coverage typically excludes securities law violations. Most service provider CFOs do not know this until an incident forces the carrier conversation. By then, the exposure is unbounded.

4. The Workforce Question
Alex is one employee. The other thirty-one employees with public-company access are watching how the organization responds. Their behavior over the next twelve months — what they self-disclose, what they avoid, what they normalize — is being shaped by what they observe this week.

What this Lab surfaces

Standard MSA language creates federal securities law obligations across the vendor’s workforce. The duty of trust under the misappropriation theory (United States v. O’Hagan, 1997) is established by the NDA clause found in virtually every commercial services agreement. The vendor’s executive team typically does not understand the scope of obligation they have already accepted on behalf of every employee with system access to publicly traded client environments.

Service providers consistently underestimate how seriously the SEC pursues vendor-side misappropriation cases. These cases are higher-profile and more reputationally damaging than the same conduct by a public company insider because the vendor relationship architecture enabled the trade. The SEC’s enforcement framework rewards self-reporting and cooperation — and the financial differential between a cooperative posture and a reactive one can be the difference between continuity and dissolution for a non-public service provider.

Standard public-company employee insider-trading training is inadequate for service-provider workforces. Vendor-side misappropriation theory operates differently — the duty arises from the contract, not from corporate insider status — and most training programs do not cover this. Insider trading training designed specifically for non-public-company employees with access to public-company systems is an underdeveloped market segment in most service providers’ compliance programs.

Personal trading policy, family-account screening, and pre-clearance requirements for trades in client stocks are the most common gaps in vendor-side compliance programs. The Susan-Alex pattern — vendor employee with system access, family member trading on misappropriated information — is also the most common pattern in actual enforcement cases. The pattern is preventable. Most service providers have not built the policy architecture to prevent it.

The Room

The Lab is designed as an executive discussion across the full vendor leadership team. Privately held service providers typically face this kind of incident without the board structure or external investor relations function of a public company — which makes the cross-functional alignment around outside counsel, client communication, and workforce response especially important.

CEO

You signed the MSA. The NDA clause obligated your workforce.

COO / Head of Operations

The other 31 employees with public-company access work for you.

General Counsel

Privilege architecture. Probably not a securities specialist.

Chief Information Security Officer

Audit logs. Evidence. The forensic record of Tuesday morning.

Head of Account Management

Eight publicly traded clients. Two are already calling.

Chief Human Resources Officer

Alex. The other 31. The personal trading policy was never written for this.

Chief Financial Officer

Cash runway. E&O exclusion. Client revenue exposure.

How the Session Runs

90 minutes. Seven segments.

0:00 – 0:10  ·  Setup. Frame the session, assign roles, and set ground rules.
0:10 – 0:25  ·  Phase 1 Injection. Thursday 2:30 PM. The call from the client. Three decisions on the table.
0:25 – 0:40  ·  Phase 1 Discussion. Surface the contract awareness gap. Press on outside counsel.
0:40 – 0:55  ·  Phase 2 Injection. T+48 hours. Saturday morning. The scope widens.
0:55 – 1:10  ·  Phase 2 Discussion. SEC self-report. Tessera and Helios patterns. Workforce communication.
1:10 – 1:25  ·  After-Action Review. Capture commitments. Assign owners.
1:25 – 1:30  ·  Close. Confirm follow-up. Set the 30-day check-in.

Every Kit Includes Seven Deliverables

Licensed to your organization. Run by your internal facilitator. Unlimited internal use.

Facilitator Guide

Full session script with phased narration, decision points, and the patterns experienced practitioners follow.

Premium Slide Deck

32 slides sequenced to match the guide. Executive-grade design.

Role Cards

Printable, one per leadership role, with the primary concerns and predictable blind spots for that seat.

Injection Cards

Three time-stamped cards: Thursday 2:30 PM (the call), Saturday 9:00 AM (T+48 hours escalation), and an optional mid-Phase 2 reporter-callback card with an additional pattern at the Aurora account.

After-Action Review Template

Structured form for capturing commitments live in the room.

Executive Summary Template

One-page memo for the board, ownership, or insurance carrier — depending on organizational structure.

30-Day Check-In Template

Status tracking against each commitment to keep the work moving.

Five Commitment Areas

Decision Labs are commitment-producing sessions. The After-Action Review captures specific actions with named owners and 30-day check-in dates.

1. MSA Review — Securities Obligations Audit
Review every active MSA with a publicly traded client. Examine the NDA language and what federal securities law obligations the contract creates. Document where the contract is silent on training, screening, or personal trading.

2. Insider Trading Training for Non-Public Company Employees
Implement training specifically for service provider employees with access to public company systems. Standard public-company-employee training is not adequate. Underserved market segment.

3. Personal Trading Policy and Pre-Clearance
Formal personal trading policy with pre-clearance for trades in client stocks. Explicit screening for immediate family member accounts. Address the Susan-Alex pattern directly.

4. Access Controls and Audit Logging
Review system access architecture for employees serving publicly traded clients. Implement tiered access where feasible. Enhance audit logging to support post-incident forensic reconstruction.

5. Incident Response Playbook for Securities Matters
Document the playbook for the situation that was walked through. Client notification, outside counsel retention, evidence preservation, SEC self-report framework, workforce communication, and insurance notification.

Designed for

Service providers, consulting firms, managed service providers, IT support organizations, data services firms, SaaS implementation partners, and any non-public company with active enterprise client relationships that include system access to publicly traded clients. The Lab works for any privately held service provider that signs MSAs with public companies — across industries ranging from technology to professional services to specialty data and analytics. Especially relevant for service providers with fewer than fifty employees that have grown into publicly traded client portfolios without building specialist compliance infrastructure to match.

Contact Xcelus for Pricing

Licensed to your organization. Unlimited internal use. Run by your internal facilitator.

Pairs with The Invisible Insider — the public-company-side companion to this Lab, designed to run in sequence around the same scenario architecture. Bundles with the other Executive Decision Labs are also available.

How it works. Purchase the kit. Receive all seven deliverables digitally within 24 hours. Schedule the session for whenever your leadership team is available.

Buy the Kit
Talk to Xcelus

Related Resources

Companion Decision Lab — Pairs With This One

The Invisible Insider →

The public-company-side companion to this Lab. Same scenario, opposite side of the table. Strongest when run in sequence.

The Vendor MNPI Exposure Scenario →

The desk-level Xcelus scenario for the support technician who sees the gateway notification. Trains the recognition behavior before the trade happens.

Insider Trading and Market Integrity Training Scenarios →

Full cluster of related Xcelus scenarios on insider trading, MNPI, and personal trading policy.

The contract didn’t change today. Your understanding of it did. The only question is whether you have this conversation now — or after the client’s General Counsel calls you on a Thursday afternoon.


© 2005–2026 Xcelus LLC. All rights reserved. Executive Decision Lab™ is a trademark of Xcelus LLC.