Here’s the rare piece of good news in financial services compliance: your regulator and your insurance carrier basically want the same things.
The SEC, FINRA, and virtually every commercial cyber insurance underwriter writing policies for financial services firms have converged on a core set of security controls. Build your cybersecurity program around those controls, and you’re largely checking three boxes at once. Skip them, and you’re exposed on all three fronts simultaneously — higher regulatory risk, higher breach risk, and either denied coverage or a very expensive claim conversation.
This article covers what those controls are, why each framework requires them, and what they look like in practice at a financial services firm.
Multi-factor authentication (MFA) — Required under the GLBA Safeguards Rule. Expected under FINRA cybersecurity guidance. Required by nearly every cyber insurance carrier writing financial services policies. If you’re accessing customer data, systems, or email without MFA, you have a problem on all three fronts. MFA isn’t complicated — but it is non-negotiable at this point.
Endpoint detection and response (EDR) — FINRA’s cybersecurity reports consistently flag unprotected endpoints as a leading factor in financial firm breaches. The SEC’s cybersecurity risk examination priorities list endpoint security explicitly. Cyber insurance underwriters ask specifically whether you have EDR (not just antivirus) and often require it for coverage. Our EDR article explains the difference — it matters here.
Encrypted backups with tested recovery — GLBA requires data protection. The SEC’s business continuity expectations include data recovery capability. Cyber insurance carriers have started requiring proof that backups are tested, not just maintained. A backup that’s never been restored isn’t a recovery strategy — it’s hope. Our BDR article covers the backup architecture that actually holds up.
Access controls and least privilege — Users should have access to exactly what they need to do their jobs, and nothing more. Terminated employees should lose access the same day they leave. Single sign-on and centralized identity management make this manageable at scale.
Written incident response plan — Required under the GLBA Safeguards Rule. Expected by the SEC under the new disclosure rules. Required by most cyber insurance carriers as a precondition for coverage. The plan needs to exist, the right people need to know it exists, and it needs to be tested. See our article on what happens during an IT emergency for the incident response framework we use across all high-compliance clients.
Email security and archiving — Phishing is the leading initial access vector for financial firm breaches. Strong email filtering, link scanning, and phishing simulation training reduce that risk. Separately, email archiving — capturing all business communications in WORM-compliant storage — satisfies Books & Records obligations under SEC Rule 17a-4 and FINRA Rule 4511. Both matter. They’re related but distinct problems.
Vendor oversight documentation — GLBA requires financial institutions to oversee their service providers’ security practices. The SEC has emphasized third-party risk in recent examination priorities. Cyber insurance underwriters increasingly ask about your vendor management practices. You need a list of your significant technology vendors, some form of security assessment for each, and evidence that you’ve reviewed them.
Annual risk assessment — The GLBA Safeguards Rule requires it explicitly. FINRA and the SEC expect it implicitly. Cyber insurance underwriters use your risk posture as a pricing input. An annual technology risk assessment that identifies gaps and documents remediation isn’t optional for a compliant financial services firm — it’s the foundation everything else is built on.
Public companies and registered investment advisers now face specific SEC requirements around cybersecurity disclosure. For public companies, material incidents must be reported on Form 8-K within four business days of determining materiality. For registered advisers, the rules on cybersecurity risk management and governance have become substantially more specific.
The practical IT implication: you need to know when an incident is material. That requires monitoring capable of detecting incidents in the first place — RMM and EDR — an incident classification process, and escalation paths that get the right information to the right decision-makers. “We weren’t sure if it was a breach” is not a defensible position four business days after an incident.
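The classification and escalation logic above, as an added illustration that is not part of the original article or NerdSquad's tooling: the Form 8-K clock runs in business days from the materiality determination, not from detection, and an incident left unclassified too long is flagged for escalation. The holiday calendar and the 72-hour unclassified threshold are constructed assumptions; a firm's compliance team would supply the real values.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import FrozenSet, Optional

# Constructed, partial holiday list; the real calendar comes from compliance.
HOLIDAYS: FrozenSet[date] = frozenset({date(2024, 7, 4)})
DISCLOSURE_BUSINESS_DAYS = 4        # Form 8-K window described in the article
MAX_UNCLASSIFIED_HOURS = 72         # assumed internal escalation threshold

@dataclass
class Incident:
    incident_id: str
    detected_at: datetime                 # when RMM/EDR first raised the alert
    source: str                           # e.g. "EDR"
    classification: str = "unclassified"  # unclassified | not_material | material
    materiality_determined_at: Optional[datetime] = None

def add_business_days(start: date, days: int, holidays: FrozenSet[date] = HOLIDAYS) -> date:
    """Advance `start` by `days` weekdays, skipping holidays."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current

def record_materiality(incident: Incident, material: bool, when: datetime) -> None:
    """The disclosure clock starts at this determination, not at detection."""
    incident.classification = "material" if material else "not_material"
    incident.materiality_determined_at = when

def form_8k_deadline(incident: Incident, holidays: FrozenSet[date] = HOLIDAYS) -> Optional[date]:
    """Last business day on which the Form 8-K may be filed, or None if not material."""
    if incident.classification != "material" or incident.materiality_determined_at is None:
        return None
    return add_business_days(incident.materiality_determined_at.date(),
                             DISCLOSURE_BUSINESS_DAYS, holidays)

def escalation_status(incident: Incident, now: datetime) -> str:
    """Tell the on-call lead what this incident needs right now."""
    if incident.classification == "unclassified":
        age = now - incident.detected_at
        if age > timedelta(hours=MAX_UNCLASSIFIED_HOURS):
            return "ESCALATE: materiality still undetermined"
        return "pending classification"
    if incident.classification == "material":
        return f"disclose by {form_8k_deadline(incident).isoformat()}"
    return "closed: not material"
```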
Financial services firms hold three things attackers want: money, personally identifiable information, and access to other financial accounts. The combination makes you a high-value target regardless of firm size. A two-person independent RIA managing $200M is not flying under anyone’s radar — they’re an attractive target precisely because they’re unlikely to have enterprise-grade security.
FINRA’s cybersecurity examination findings consistently identify the same patterns: stolen credentials from phishing, unpatched systems, and inadequate access controls. These are not exotic attack vectors. They’re the same problems that have existed for a decade, and they remain effective because firms still underinvest in the basics.
Zero Trust isn’t a product — it’s an architecture. Instead of assuming that anything inside your network perimeter is safe, Zero Trust assumes breach and verifies every access request explicitly: who is this user, is this a known device, is this request consistent with normal behavior?
For financial services firms with remote advisors, multiple office locations, and cloud-based platforms like Salesforce FSC and Orion, the network perimeter model hasn’t made sense for years. Zero Trust is the architecture that actually fits how modern financial firms operate. NerdSquad’s Zero Trust Cybersecurity service is how we implement this for our financial services clients.
The firms that handle cybersecurity well in financial services aren’t doing anything exotic. They have MFA everywhere, EDR on every endpoint, encrypted and tested backups, documented access controls, an incident response plan they’ve actually reviewed, and email archiving that captures what it’s supposed to. They’ve done a risk assessment in the last 12 months, they have vendor documentation, and they know who to call when something goes wrong. That’s the program. Building and maintaining it is what NerdSquad does for financial services firms across South Florida and beyond.