How to Write a Cybersecurity Policy for Your RIA (Without Hiring a Lawyer)
Your Written Information Security Program (WISP) is the single most important document in your compliance program. Here is how to write one that actually holds up during an SEC or NYDFS exam, section by section.
Why your RIA needs a WISP
Under SEC Reg S-P (17 CFR 248.30), every SEC-registered investment adviser must adopt written policies and procedures reasonably designed to protect customer records and information. The 2024 amendments raised the bar by adding specific mandates for incident response plans, vendor oversight, and breach notification. If you are also subject to NYDFS 23 NYCRR 500, your cybersecurity policy needs to satisfy Sections 500.3 and 500.4 on top of that.
You do not necessarily need a lawyer to write this. You need to understand what it must cover, write it so your team can actually follow it, and keep it current. A clear internal policy that people read beats an expensive legal document gathering dust.
What a WISP needs to cover
Below is a section-by-section breakdown of what regulators expect and what to actually write.
Section 1: Purpose and scope
State why the policy exists and who it applies to: all employees, contractors, and any third party with access to your systems or customer data. Reference the applicable regulations (Reg S-P Rule 248.30, Rule 206(4)-7 under the Advisers Act, NYDFS 23 NYCRR 500 if applicable).
Keep it short. Two or three paragraphs. This section is not where you prove your legal knowledge. It is where you explain what the document is for.
Section 2: Data classification
Define the categories of information your firm handles and the sensitivity level of each:
- Customer Personally Identifiable Information (PII). Social Security numbers, account numbers, dates of birth, financial records. This is the highest sensitivity level.
- Non-public personal information (NPI). As defined in Regulation S-P, this includes any personally identifiable financial information provided by a consumer, or resulting from a transaction.
- Internal business data. Financial statements, trade records, compliance documentation. Sensitive but not customer-facing.
- Public information. Marketing materials, published ADV filings, website content.
For each category, specify handling requirements: who can access it, how it should be stored, whether it must be encrypted, and how long it is retained.
Section 3: Access controls
Document how your firm manages access to systems and data. This section should cover:
- Role-based access. Define roles (adviser, operations, compliance, IT) and what each role can access. Apply the principle of least privilege: people should have access only to what they need for their job.
- Authentication requirements. Specify password complexity standards, password rotation schedules (if any), and where multi-factor authentication (MFA) is required. At minimum, MFA should be required for email, custodian portals, CRM systems, and any remote access.
- Access provisioning and de-provisioning. Describe how access is granted to new employees and removed when someone leaves. Include a specific process for same-day deactivation upon termination.
- Access reviews. State how often access is reviewed (at least annually per NYDFS 500.7) and who conducts the review.
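Examiners will ask for the records behind the role matrix, the de-provisioning process and the annual review. The script below is an added example, not code from the article or from any product it mentions: it reconciles a constructed HR roster against constructed account exports and flags accounts that exceed the role's allowed systems, accounts with no HR record, and accounts of departed staff that were not disabled on the termination date. The role-to-system matrix, the system names and every record are assumptions.

```python
"""Access-review reconciliation (added example, not from the article).

Checks two promises a WISP access-controls section makes: least-privilege
role mapping and same-day de-provisioning. The role-to-system matrix, the
system names and every record below are constructed sample data."""

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed least-privilege matrix: the systems each role may hold accounts on.
ROLE_SYSTEMS = {
    "adviser":    {"email", "crm", "custodian_portal"},
    "operations": {"email", "crm", "custodian_portal", "billing"},
    "compliance": {"email", "crm", "archive"},
    "it":         {"email", "identity_provider", "endpoint_mgmt"},
}


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    terminated: Optional[date]   # None means still employed


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    enabled: bool
    disabled_on: Optional[date]  # date the account was disabled, if ever


Finding = Tuple[str, str, str]   # (user, system, description)


def review_access(roster: List[Employee], accounts: List[Account]) -> List[Finding]:
    """Compare account exports with the HR roster and return the exceptions."""
    by_user = {e.user: e for e in roster}
    findings: List[Finding] = []
    for a in accounts:
        emp = by_user.get(a.user)
        if emp is None:
            findings.append((a.user, a.system, "orphan: no HR record"))
        elif emp.terminated is not None:
            # De-provisioning check: disabled on or before the termination date.
            if a.enabled:
                findings.append((a.user, a.system, "terminated but still enabled"))
            elif a.disabled_on is None or a.disabled_on > emp.terminated:
                findings.append((a.user, a.system, "not disabled same day"))
        elif a.enabled and a.system not in ROLE_SYSTEMS.get(emp.role, set()):
            # Least-privilege check against the role matrix.
            findings.append((a.user, a.system, f"exceeds role '{emp.role}'"))
    return findings


def review_report(roster: List[Employee], accounts: List[Account],
                  review_date: date, reviewer: str) -> str:
    """Render the dated, attributed record an examiner asks to see."""
    findings = review_access(roster, accounts)
    lines = [f"Access review {review_date.isoformat()} by {reviewer}",
             f"{len(accounts)} accounts checked, {len(findings)} exception(s)"]
    lines += [f"  {u}@{s}: {d}" for u, s, d in findings]
    return "\n".join(lines)


# Constructed sample data: an HR roster export and an account export.
ROSTER = [
    Employee("alice", "adviser", None),
    Employee("bob", "operations", None),
    Employee("carol", "compliance", date(2024, 3, 15)),
    Employee("dave", "it", date(2024, 5, 1)),
]
ACCOUNTS = [
    Account("alice", "email", True, None),
    Account("alice", "custodian_portal", True, None),
    Account("bob", "billing", True, None),
    Account("bob", "endpoint_mgmt", True, None),                   # outside role
    Account("carol", "crm", False, date(2024, 3, 15)),             # same day: ok
    Account("carol", "archive", True, None),                       # still enabled
    Account("dave", "identity_provider", False, date(2024, 5, 3)), # two days late
    Account("erin", "crm", True, None),                            # no HR record
]

if __name__ == "__main__":
    print(review_report(ROSTER, ACCOUNTS, date(2024, 6, 30), "CCO"))
```

Run on the sample data, the report lists four exceptions and is the kind of dated, signed-off artifact that backs the "access reviews" bullet; in practice the roster and account lists would come from your HR system and identity provider exports rather than being typed in.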
Section 4: Encryption and data protection
NYDFS 500.15 specifically requires encryption of non-public information both in transit and at rest. Reg S-P requires "reasonable" safeguards, which the SEC has interpreted to include encryption.
Document the encryption standards you use (AES-256 at rest, TLS 1.2+ in transit), how encryption keys are managed, what happens to data on decommissioned devices, and your policy on removable media (USB drives, external hard drives).
Section 5: Incident response plan
Examiners spend more time on this section than on most others. Under the 2024 Reg S-P amendments, your IRP must include:
- Detection and assessment. How your firm identifies potential incidents (monitoring tools, employee reporting, vendor notifications).
- Roles and escalation. Who does what when an incident is detected. Name specific roles, not just titles. Include contact information and backup personnel.
- Notification timelines. 72 hours for service providers to notify you (per Reg S-P). 30 days to notify affected individuals. 72 hours to notify the NYDFS Superintendent if you are a covered entity under 23 NYCRR 500.14.
- Containment and recovery. Steps to isolate affected systems, preserve evidence, restore operations, and conduct a post-incident review.
- Annual testing. The plan must be tested at least annually, typically through a tabletop exercise.
Section 6: Vendor management
Reg S-P Rule 248.30(b) requires written policies governing service providers who access customer information. Your vendor management section should cover:
- Due diligence requirements before onboarding a vendor
- Contract provisions for data protection, notification timelines, and audit rights
- Ongoing monitoring and periodic reassessment (at least annually)
- A vendor inventory listing all third parties with access to NPI
- Procedures for terminating vendor relationships and retrieving data
Section 7: Employee training
Both the SEC and NYDFS expect documented, recurring cybersecurity training. Under NYDFS 500.14(a)(2), training must occur at least annually. Your policy should specify:
- Training frequency (at minimum annually, ideally semi-annually)
- Topics covered: phishing awareness, password hygiene, social engineering, data handling, incident reporting
- How completion is tracked and documented
- New employee onboarding training requirements
Section 8: Business continuity and disaster recovery
NYDFS 500.16 requires a written BCDR plan. Even if you are only SEC-registered, examiners expect one. Cover:
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems
- Backup procedures, locations, and testing schedules
- Communication plan during an outage
- Alternative operating procedures if primary systems are unavailable
Section 9: Risk assessment
Both Reg S-P and NYDFS 500.9 require periodic risk assessments. Your policy should define the methodology (threat identification, likelihood, impact), frequency (at least annually), who conducts it, and how findings are documented and acted upon.
Section 10: Governance and oversight
Who is responsible for cybersecurity at the firm? Under NYDFS 500.4, covered entities must designate a CISO (which can be outsourced). For SEC-registered firms, the CCO typically oversees cybersecurity policy compliance. Document:
- The designated responsible person(s)
- Reporting structure to senior management or the board
- Frequency of cybersecurity reporting to governance
- Policy review and update schedule (at least annually)
Common mistakes to avoid
- Copying a generic template without customizing it. Examiners can tell when a policy was pulled off the internet and the firm name was swapped in. Your WISP needs to describe your firm, your technology, and how you actually operate.
- Writing aspirational policies. Do not describe what you wish you did. Describe what you actually do, and improve from there. A policy you cannot back up with evidence is worse than having no policy.
- Forgetting version control. Every version of your WISP should be dated and signed by the responsible officer. Keep prior versions on file.
- Ignoring the annual review. Both SEC and NYDFS expect policies to be reviewed and updated at least annually. An unchanged policy from three years ago signals neglect.
- Too long, too legal. A 90-page policy written in legal jargon that nobody at the firm reads is useless. Write clearly. If your employees cannot understand the policy, they will not follow it.
- No evidence of implementation. The policy itself is not enough. You need evidence that each section is being followed: training logs, access review records, risk assessment reports, incident response test results.
Template structure
Here is a practical structure for organizing your WISP document:
- Cover page with firm name, version number, effective date, approver signature
- Table of contents
- Purpose, scope, and regulatory references
- Data classification and inventory
- Access controls and authentication
- Encryption and data protection
- Incident response plan (can be a standalone appendix)
- Vendor and third-party management
- Employee training program
- Business continuity and disaster recovery
- Risk assessment methodology
- Governance, roles, and oversight
- Policy review and update procedures
- Appendices: vendor inventory, system inventory, contact list, regulatory reference table
A complete WISP for a small to mid-size RIA typically runs 20 to 40 pages. Anything under 10 pages is probably missing something. Anything over 80 pages probably includes filler that nobody reads.
SEC expectations vs NYDFS requirements
If you are dual-registered or subject to both regulators, your WISP needs to satisfy both. The differences worth knowing:
- NYDFS is more prescriptive. It specifies exactly what must be in the policy (CISO designation, pen testing, MFA, encryption standards). The SEC uses a "reasonably designed" standard that gives more flexibility but also more ambiguity.
- NYDFS requires annual certification (23 NYCRR 500.17). The SEC does not have a comparable annual filing requirement.
- NYDFS 500.5 requires annual penetration testing. The SEC does not mandate it but examiners view it favorably and will ask about vulnerability assessments.
The practical move: write your WISP to the NYDFS standard. If you meet NYDFS requirements, you satisfy the SEC as well.
If you want a platform that generates policy templates tailored to your firm and tracks implementation evidence automatically, BlackSheep starts at $249/month.