Sample Information Security Policies | WesTech

Information Security Policies

Protecting Client Data for Financial Services Firms

Our Commitment to Security

WesTech provides robust information security policies to ensure the protection of nonpublic personal information (NPI) for our clients, including Registered Investment Advisors (RIAs) and Accounting Firms. Below are SAMPLE policies, compliant with federal and state regulations, available for download.

Sample Information Security Policies

Registered Investment Advisor (RIA) Policy

# Information Security Policy for [RIA Firm Name]

## Purpose
This Information Security Policy establishes the framework for [RIA Firm Name], a Registered Investment Advisor, to protect nonpublic personal information (NPI) of clients, comply with federal and state regulations, including Regulation S-P (17 CFR Part 248.30) and the Gramm-Leach-Bliley Act (GLBA), and mitigate cybersecurity risks.

## Scope
This policy applies to all employees, contractors, and third-party service providers who access, process, or store NPI on behalf of [RIA Firm Name]. NPI includes client names, Social Security numbers, account numbers, financial details, or any information that could identify a client or access their accounts.

## Definitions
- **Nonpublic Personal Information (NPI)**: Information about clients, including names, Social Security numbers, account numbers, or financial data, as defined by Regulation S-P.
- **Sensitive Customer Information**: NPI that, if accessed or used without authorization, could cause significant harm (e.g., Social Security numbers, account access codes).
- **Covered Institution**: [RIA Firm Name], as a registered investment adviser under the Investment Advisers Act of 1940.

## Policy

### 1. Information Safeguards
- **Access Controls**: Access to NPI is restricted to authorized personnel only. Systems require unique user IDs, strong passwords (minimum 12 characters, mixed case, numbers, symbols), and multi-factor authentication (MFA) for all client data systems.
- **Encryption**: NPI is encrypted at rest (AES-256) and in transit (TLS 1.3). Portable devices (laptops, USB drives) containing NPI must use full-disk encryption.
- **Physical Security**: Physical records containing NPI are stored in locked cabinets in a secure office. Access to office areas with NPI is restricted via keycard entry.
- **Network Security**: Firewalls, endpoint detection, and antivirus software are deployed and updated regularly. Secure Wi-Fi (WPA3) is used for all network connections.
- **Data Disposal**: NPI is securely disposed of via shredding for physical records and secure wiping (NIST 800-88 standards) for digital records.

### 2. Incident Response Program
- **Detection and Assessment**: [RIA Firm Name] will monitor systems for unauthorized access to NPI using intrusion detection tools. Any suspected breach will be assessed within 24 hours to determine the scope and affected systems.
- **Notification**: If sensitive customer information is accessed or reasonably likely to have been accessed without authorization, affected clients will be notified as soon as practicable, but no later than 30 days after discovery, per Regulation S-P. Notifications will include details of the incident, steps to protect against harm (e.g., fraud alerts), and contact information for support.
- **Documentation**: All incidents, investigations, and notifications will be documented and retained for at least 5 years, as required by Regulation S-P and Rule 204-2.
- **Recovery**: The firm will take steps to contain breaches (e.g., isolating affected systems) and restore operations, coordinating with IT and legal counsel.

### 3. Vendor Management
- **Due Diligence**: Third-party service providers (e.g., cloud providers, custodians) handling NPI must be vetted for cybersecurity practices before engagement. Contracts must include provisions requiring the vendor to notify [RIA Firm Name] of a breach within 72 hours.
- **Oversight**: Vendors are reviewed annually to ensure compliance with Regulation S-P. Documentation of vendor agreements and audits is maintained.

### 4. Employee Training
- All employees are trained annually on this policy, data protection, and recognizing phishing or social engineering attacks. New hires receive training within 30 days of onboarding.
- Training includes procedures for reporting suspected breaches to the Chief Compliance Officer (CCO).

### 5. Privacy Notices
- **Initial Notice**: Clients receive a clear, conspicuous privacy notice at the time of establishing a customer relationship, detailing NPI collection, sharing practices, and opt-out rights under GLBA.
- **Annual Notice**: Privacy notices are provided annually to all clients, included with Form ADV Part 2A delivery or via mail/email.

### 6. Annual Review and Updates
- The CCO will review this policy annually to ensure it remains effective and compliant with federal and state regulations. Updates will address new threats, regulatory changes, or operational needs.
- Tabletop exercises are conducted annually to test the incident response plan.

### 7. Compliance and Enforcement
- The CCO is responsible for administering this policy. Violations (e.g., unauthorized disclosure of NPI) may result in disciplinary action, up to termination.
- Records of policy distribution, employee acknowledgments, and compliance reviews are maintained per Rule 204-2.

## Approval
This policy is approved by [CCO Name], Chief Compliance Officer, and effective as of [Date]. Annual reviews are documented and maintained for regulatory inspections.

Accounting Firm Policy

# Information Security Policy for [Accounting Firm Name]

## Purpose
This Information Security Policy establishes the framework for [Accounting Firm Name] to protect nonpublic personal information (NPI) of clients, comply with federal and state regulations, including the Gramm-Leach-Bliley Act (GLBA) and applicable state data protection laws, and mitigate cybersecurity risks.

## Scope
This policy applies to all employees, contractors, and third-party service providers who access, process, or store NPI on behalf of [Accounting Firm Name]. NPI includes client names, Social Security numbers, tax records, financial statements, or any information that could identify a client.

## Definitions
- **Nonpublic Personal Information (NPI)**: Information about clients, including names, Social Security numbers, tax IDs, financial data, or account details, as defined by GLBA.
- **Sensitive Client Information**: NPI that, if compromised, could cause significant harm (e.g., tax IDs, bank account numbers).

## Policy

### 1. Information Safeguards
- **Access Controls**: Access to NPI is restricted to authorized personnel. Systems require unique user IDs, strong passwords (minimum 12 characters, mixed case, numbers, symbols), and multi-factor authentication (MFA) for all client data systems.
- **Encryption**: NPI is encrypted at rest (AES-256) and in transit (TLS 1.3). Portable devices (laptops, USB drives) containing NPI must use full-disk encryption.
- **Physical Security**: Physical records containing NPI are stored in locked cabinets in a secure office. Office access is restricted via keycard or lock-and-key systems.
- **Network Security**: Firewalls, endpoint detection, and antivirus software are deployed and updated regularly. Secure Wi-Fi (WPA3) is used for all network connections.
- **Data Disposal**: NPI is securely disposed of via shredding for physical records and secure wiping (NIST 800-88 standards) for digital records.

### 2. Incident Response Program
- **Detection and Assessment**: [Accounting Firm Name] will monitor systems for unauthorized access to NPI using intrusion detection tools. Suspected breaches will be assessed within 24 hours to determine the scope and affected systems.
- **Notification**: If sensitive client information is accessed or reasonably likely to have been accessed without authorization, affected clients will be notified within 30 days, per state data breach laws (e.g., California’s CCPA, New York’s SHIELD Act). Notifications will include incident details, protective steps (e.g., credit monitoring), and contact information.
- **Documentation**: All incidents and responses are documented and retained for at least 5 years, compliant with state recordkeeping requirements.
- **Recovery**: The firm will contain breaches (e.g., isolating affected systems) and restore operations, coordinating with IT and legal counsel.

### 3. Vendor Management
- **Due Diligence**: Third-party service providers (e.g., cloud accounting software, tax preparation platforms) handling NPI must be vetted for cybersecurity practices before engagement. Contracts must include clauses requiring the vendor to notify [Accounting Firm Name] of a breach within 72 hours.
- **Oversight**: Vendors are reviewed annually for compliance with GLBA and state laws. Documentation of vendor agreements is maintained.

### 4. Employee Training
- All employees are trained annually on this policy, data protection, and recognizing phishing or social engineering attacks. New hires receive training within 30 days of onboarding.
- Training includes procedures for reporting suspected breaches to the designated Compliance Officer.

### 5. Privacy Notices
- **Initial Notice**: Clients receive a clear, conspicuous privacy notice at the time of establishing a client relationship, detailing NPI collection, sharing practices, and opt-out rights under GLBA.
- **Annual Notice**: Privacy notices are provided annually to all clients, included with tax documents or via mail/email.

### 6. Annual Review and Updates
- The Compliance Officer will review this policy annually to ensure it remains effective and compliant with federal and state regulations. Updates will address new threats or regulatory changes.
- Tabletop exercises are conducted annually to test the incident response plan.

### 7. Compliance and Enforcement
- The Compliance Officer is responsible for administering this policy. Violations (e.g., unauthorized disclosure of NPI) may result in disciplinary action, up to termination.
- Records of policy distribution and employee acknowledgments are maintained for regulatory inspections.

## Approval
This policy is approved by [Compliance Officer Name], Compliance Officer, and effective as of [Date]. Annual reviews are documented and maintained for regulatory inspections.

Need Customized Policies?

Contact WesTech to tailor these policies to your firm’s specific needs and ensure compliance.


References

  • SEC Regulation S-P, 17 CFR Part 248.30, as amended in 2024.
  • Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801-6809.
  • State data protection laws (e.g., California CCPA, New York SHIELD Act).
  • Internal WesTech expertise on cybersecurity and compliance.

Disclaimer

The information provided on state and federal regulations is accurate as of August 7, 2025, based on available sources. However, regulations are subject to change, and specific requirements may vary by state, industry, or business structure. Readers are strongly encouraged to conduct their own research and consult with legal, compliance, or industry professionals to ensure adherence to current laws and regulations applicable to their specific circumstances.
