For Financial Services

Your customers expect their money to be safe.
Regulators expect you to be able to prove it.

We do information security and AI governance for financial services firms — RIAs, broker-dealers, community banks, fintechs, family offices, insurance agencies — that need to satisfy SEC, FINRA, GLBA, 23 NYCRR 500, and the customer security questionnaire all at once. Without turning your team into compliance lawyers.

Built for: RIAs, BDs, banks, fintechs
Posture: SEC- and FINRA-defensible
Output: WISP & WSP-grade docs
Where most firms are

Three places we usually find people.

Financial services compliance is a moving target — examination priorities shift, AI guidance keeps evolving, customer questionnaires get longer. Most firms walk into our office because of one of these three triggers.

01

SEC just published the new examination priorities. AI is on the list.

Cybersecurity. Reg S-P. AI use in advice and operations. The exam letter hasn't arrived yet, but the priorities are public and the next pass through your size band is statistically due. You can guess what they'll ask. You'd rather have the answers ready than improvised.

02

An AI tool entered your practice. Your WSPs didn't get the memo.

An AI-powered research tool. A copilot that drafts client emails. A vendor's "AI-enhanced" suitability analysis. The work is faster — and the Reg BI obligations didn't change just because the tool did. Your written supervisory procedures still describe a process that no longer matches reality.

03

A customer questionnaire arrived. The answers don't exist yet.

An institutional client. A wholesaler. A fund-of-funds that's diligencing you. Forty pages of "logical access controls" and "incident response runbook" and "SOC 2 Type II report attached." Half of it you can answer. Half is somewhere between aspirational and made-up. The renewal won't wait.

What we actually do

Six concrete pieces of work. Done in plain language.

Compliance vendors love acronyms. Examiners want evidence. Customers want their money where they left it. We translate among all three.

Written Information Security Program (WISP).

The document GLBA, FTC Safeguards, and most state laws expect you to have. Most we see are five years old, written for a different firm, or downloaded from a template site. We write yours so it matches your environment, your vendors, and your size — and so it survives the questions auditors actually ask.

Written Supervisory Procedures (WSPs).

FINRA-required for broker-dealers, expected for many advisors. We update yours to match what your team actually does in 2026 — including AI tool usage, remote work, electronic communications supervision, and any tech that's slipped in since the last revision. The procedures should describe reality, not aspiration.

23 NYCRR 500 (NYDFS) compliance.

If you do business in New York or with New York-regulated firms, this applies. Annual certification, 72-hour incident reporting, MFA, asset inventory, third-party security policy. We map your current state to the requirements, close the gaps, and prepare the certification package the Superintendent expects to see.

Vendor risk & due diligence.

A real inventory of who's touching customer data, what contracts cover it, and what their controls actually look like. Including the AI vendors who showed up after your last vendor review. We get the agreements right, the diligence done annually, and the answers ready before an examiner asks.

Cyber + D&O insurance renewal support.

Answering the questionnaire so the answers earn the renewal — and the premium doesn't double. We've sat in calls with brokers and underwriters in financial services. We know which line items move premium, which create exclusions, and which require a phone call before you sign anything in writing.

Incident response & reportable event playbook.

When something happens, the SEC wants 4-day reporting on material cyber incidents. NYDFS wants 72 hours. State AGs each want their own thing. We've made these calls. We know who to notify in what order, what counts as "material," and how to keep the response from becoming the bigger problem.

How we work

Three things you won't get from a generalist IT shop.

01

We've defended controls in front of SEC and FINRA examiners.

We know which questions come up in a routine exam, which come up in a focused exam, and which signal that something has the staff's attention. We know what evidence holds up and what gets follow-up requests. Most IT vendors have read about regulatory exams. We've sat in the rooms.

02

We bid against the actual regulatory surface, not the brochure.

An RIA in California has a different surface than a broker-dealer in New York than a fintech with a national charter. State laws stack on federal rules. The work that's actually required varies. We size to your real exposure — not the universal "compliance program" template that everyone in the industry seems to be selling.

03

We work alongside your compliance officer, not over them.

Your CCO knows your business. We know the technical controls. The best programs come from those two roles working as one team — not from a vendor handing down "the right answer" or a CCO trying to teach themselves SIEM configuration in their spare time. We complement, we don't replace.

Questions we get every week

The questions financial services leaders actually ask us.

Bring better questions to the readiness call and we'll go further. These are the starters.

Does Reg S-P apply to AI tools we use?
Yes — and the SEC's amended Reg S-P (effective phased through 2025–2026) explicitly broadens the rules. If an AI vendor processes nonpublic personal information about your customers, the safeguards rule applies. The incident response notification rule applies (30 days). The disposal rule applies. The vendor's "we're SOC 2 compliant" statement is not, by itself, enough. You still own the obligation; you just delegated some of the controls.
What's required under 23 NYCRR 500 for a small advisor?
If you're a Class A or limited-exemption Covered Entity (smaller firms with limited NY exposure), you get a reduced set of obligations — but not zero. You still need a written cybersecurity program, MFA, an annual certification, 72-hour incident reporting, and a third-party policy. Above the small-firm threshold, the full set kicks in including risk assessments, penetration testing, and a CISO designation. We map your status and the requirements you actually carry.
What's a WISP and why do regulators care?
A Written Information Security Program — required by GLBA's Safeguards Rule (now strengthened by the FTC's 2023–2024 amendments) and most state laws (Massachusetts 201 CMR 17, NY DFS, California, etc.). It's the document that demonstrates you have a real program, not just a hope. Regulators care because it's the first artifact they ask for in an exam, and because it's the easiest single document to use as evidence of negligence if it doesn't exist or doesn't match reality.
We're a small RIA — do we really need SOC 2?
Probably not. SOC 2 is most useful when an institutional client is making it a condition of your engagement, when you're a vendor selling to other RIAs or banks, or when you handle large volumes of customer data on behalf of someone else. For a small advisory firm with a retail-focused practice, the cost-benefit usually doesn't justify it. We'll tell you straight if it does or doesn't apply to your situation.
Our vendor says they're "compliant" — is that enough?
No. The SEC has been increasingly pointed about this — Reg S-P Section 248.30 makes clear that engaging a "compliant" service provider doesn't transfer your obligation. You still need to perform your own diligence, document it, and re-perform it periodically. We do this work routinely: read the SOC 2 report, verify what's actually attested, check whether the controls relevant to your engagement are in scope, and produce documentation an examiner can actually use.
What does this actually cost?
A real ongoing program — WISP and WSP maintenance, vendor risk reviews, annual certifications, incident response retainer, examiner-prep work — typically runs $25–125k/year for a small-to-mid financial services firm. Implementation that gets you from "we have a folder somewhere" to a defensible posture for the next exam runs $40–175k depending on scope. SOC 2 Type II adds materially on top. We quote our piece on the call so you have real numbers before committing.