If you run a registered investment adviser, an insurance agency, or a small wealth-management firm, you're under cybersecurity rules — the question is which ones, and the answer depends on how you're registered. The good news for a small firm drowning in acronyms: the rules point at nearly the same control set, so one well-built program satisfies the regulator and the cyber-insurance carrier at once. This guide untangles which rules apply to you.
The GLBA Safeguards Rule (the broad one)
The Gramm-Leach-Bliley Act's Safeguards Rule (16 CFR Part 314) applies to a broad, deliberately non-bank set of "financial institutions" under the FTC's jurisdiction. The FTC's enumeration of covered businesses explicitly includes investment advisers that aren't required to register with the SEC, and the agency describes that list as examples, not an exhaustive set (FTC). State-registered advisers and finance companies commonly fall in. Insurance agencies are a special case: GLBA assigns insurance to state insurance regulators, so an agency's obligations usually come from its state's insurance data security law (many states have adopted a version of the NAIC Insurance Data Security Model Law), which tracks the same program elements closely.
If the Safeguards Rule applies, it requires a written information security program built on a risk assessment, a designated Qualified Individual who owns the program, and specific safeguards: access controls, encryption of customer information at rest and in transit, multi-factor authentication for anyone accessing customer information, and logging of authorized users' activity. A breach-notification duty rides along: notify the FTC as soon as possible and no later than 30 days after discovering a notification event (unauthorized acquisition of unencrypted customer information) affecting at least 500 consumers (FTC). One size-based caveat: a firm holding customer information on fewer than 5,000 consumers is exempt from a few of the written elements (the written risk assessment, the written incident-response plan, the annual report to the board, and the formal penetration-testing and vulnerability-assessment cadence), but not from the safeguards themselves or from the notification duty.
SEC and FINRA (for registered firms)
SEC-registered advisers generally fall under SEC oversight rather than the FTC's Safeguards Rule (Regulation S-P carries its own safeguards requirement), but the destination is similar. In May 2024 the SEC amended Regulation S-P (SEC Press Release 2024-58) to require broker-dealers, registered investment advisers, investment companies, and transfer agents to adopt a written incident-response program and to notify affected individuals as soon as practicable and no later than 30 days after becoming aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The notice can be skipped only after a reasonable investigation concludes the incident is not reasonably likely to cause substantial harm or inconvenience. The incident-response program must also cover oversight of service providers, including requiring them to report a breach to you no later than 72 hours after becoming aware of it. Compliance was required by December 3, 2025 for larger firms and June 3, 2026 for smaller firms, so for most small advisers it is in effect now. Cybersecurity has also been a recurring SEC exam priority for years, and broker-dealers carry parallel FINRA expectations around protecting customer data and records.
The exact rule that governs you depends on your registration, and some of this area continues to evolve — so confirm your specific obligations with your compliance counsel. But the controls don't really change between regimes: documented program, MFA, encryption, access control, monitoring, incident response, vendor oversight.
Why the overlap is good news
For a firm that handles client funds and account access, the cyber-insurance questionnaire reads almost exactly like a compliance file. That's not a coincidence — both the regulator and the underwriter are pricing the same risks: account takeover, unauthorized transfers, and breach of client financial data.
That means you don't build three programs. You build one, mapped to the Safeguards elements (or the SEC's), and use the single evidence package to answer the examiner and the application. The priority controls for this vertical:
- MFA on everything: email, the custodian/portfolio systems, remote access, and the admin accounts behind them, with legacy authentication protocols that bypass MFA disabled. Account takeover is the precursor to client-fund fraud and unauthorized trades.
- Identity threat detection on the productivity tenant, watching for the signals that precede fraud: sign-ins from new countries or impossible-travel pairs, new inbox forwarding or deletion rules, and MFA-method or password changes shortly after a suspicious sign-in.
- Funds-transfer verification: out-of-band confirmation and dual authorization on client withdrawals and bank-detail changes, the control that stops a social-engineered transfer. The callback goes to a number that was on file before the request arrived, never to one supplied in the request, and the approver is a different person from whoever received the request.
- A documented WISP and incident-response plan, plus vendor oversight — the elements the Safeguards Rule and the SEC's S-P amendments both call for.
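As an added example (not code from the original page or from any vendor's product), here is the kind of detection logic the second bullet describes, run over a handful of constructed audit events in a simplified Microsoft 365-like shape. The field names, the example domain, and the one-hour and 14-day thresholds are assumptions for illustration, not an official log schema or a tuned production setting.

```python
"""Account-takeover precursor detection over M365-style audit events.

Added example, not code from the page. The event shape below is an assumed,
simplified stand-in for a unified-audit-log export (field names illustrative).
Two rules:
  1. impossible_travel: successful sign-ins from two countries within WINDOW
  2. new_country_then_mailbox_rule: a successful sign-in from a country never
     seen in that user's sign-ins older than BASELINE, followed within WINDOW
     by a mailbox-rule change (the classic BEC setup step)
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real tenant data); timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T13:02:00Z", "user": "alice@example-ria.test", "op": "UserLoggedIn", "country": "US", "result": "Success"},
    {"ts": "2026-05-11T13:05:00Z", "user": "alice@example-ria.test", "op": "UserLoggedIn", "country": "US", "result": "Success"},
    {"ts": "2026-06-01T02:14:00Z", "user": "alice@example-ria.test", "op": "UserLoggedIn", "country": "NG", "result": "Success"},
    {"ts": "2026-06-01T02:31:00Z", "user": "alice@example-ria.test", "op": "New-InboxRule", "country": "NG", "result": "Success"},
    {"ts": "2026-06-01T08:55:00Z", "user": "alice@example-ria.test", "op": "UserLoggedIn", "country": "US", "result": "Success"},
    {"ts": "2026-06-01T09:10:00Z", "user": "bob@example-ria.test", "op": "UserLoggedIn", "country": "US", "result": "Success"},
    {"ts": "2026-06-01T09:40:00Z", "user": "bob@example-ria.test", "op": "UserLoggedIn", "country": "DE", "result": "Failed"},
    {"ts": "2026-06-01T10:00:00Z", "user": "carol@example-ria.test", "op": "UserLoggedIn", "country": "US", "result": "Success"},
    {"ts": "2026-06-01T10:30:00Z", "user": "carol@example-ria.test", "op": "UserLoggedIn", "country": "BR", "result": "Success"},
    {"ts": "2026-06-02T09:00:00Z", "user": "bob@example-ria.test", "op": "Set-InboxRule", "country": "US", "result": "Success"},
]

MAILBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
WINDOW = timedelta(hours=1)      # how close two events must be to correlate (assumed)
BASELINE = timedelta(days=14)    # a country is "known" only from sign-ins at least this old (assumed)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_ato(events):
    """Return a list of alert dicts, one per matched rule instance."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        by_user[e["user"]].append({**e, "t": parse_ts(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        logins = [e for e in evs if e["op"] == "UserLoggedIn" and e["result"] == "Success"]
        for i, login in enumerate(logins):
            # Rule 1: two successful sign-ins from different countries inside WINDOW.
            for later in logins[i + 1:]:
                if later["t"] - login["t"] > WINDOW:
                    break
                if later["country"] != login["country"]:
                    alerts.append({"rule": "impossible_travel", "user": user, "at": later["ts"],
                                   "countries": [login["country"], later["country"]]})
            # Rule 2: the baseline is built only from sign-ins older than BASELINE, so an
            # attacker's own first sign-in cannot immediately become "normal". A user with
            # no baseline yet (bob here) produces no alert; tune that for your tenant.
            known = {p["country"] for p in logins[:i] if login["t"] - p["t"] >= BASELINE}
            if known and login["country"] not in known:
                for e in evs:
                    if (e["op"] in MAILBOX_RULE_OPS and e["result"] == "Success"
                            and timedelta(0) <= e["t"] - login["t"] <= WINDOW):
                        alerts.append({"rule": "new_country_then_mailbox_rule", "user": user,
                                       "at": e["ts"], "country": login["country"], "op": e["op"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ato(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this fires twice: alice's Nigeria sign-in followed 17 minutes later by a new inbox rule, and carol's US-then-Brazil sign-ins half an hour apart. Bob's failed German sign-in and his later rule change from a known country are deliberately left out, which is the point of the baseline: the rule should fire on the sequence that precedes a fraudulent transfer, not on every mailbox change.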
What to do next
Treat the compliance program and the cyber-insurance posture as one project — they're the same controls. The Cyber Insurance Readiness Sprint maps your firm against the Safeguards (or SEC) control set and the cyber questionnaire in a fixed-scope, seven-business-day engagement, and produces the WISP, the risk assessment, and the evidence package that answers both an exam and an application. See the Financial Services & Insurance Agencies security page for how the program runs.
The bottom line
If you're a non-SEC adviser, the GLBA Safeguards Rule likely applies and requires a written program with MFA and encryption; if you're an insurance agency, your state's insurance data security law asks for the same program. If you're SEC-registered, the SEC's framework (including the 2024 Regulation S-P amendments) governs instead, but asks for the same controls. Either way, build one program, document it once, and it answers the regulator and the carrier together. Confirm the precise rule with your compliance counsel; get the controls right regardless.
Want to know whether your firm's security would survive an exam — or an underwriter? Book a financial-services readiness assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.