Do You Help Financial Advisors and Firms Stay SEC, FINRA, and GLBA Compliant?

We do — and we’ve been doing it long enough to know the difference between helping you get compliant and just telling you that you are.

Compliance in financial services isn’t a checkbox you complete once and forget. It’s a continuous operating posture — one that has to be woven into your technology environment, your access controls, your vendor relationships, and your incident response process. The technology side is where NerdSquad lives.

Here’s what that looks like in practice, framework by framework.

The Gramm-Leach-Bliley Act (GLBA) — the foundation

If you’re a financial institution under U.S. law — and the definition is broader than most people realize, covering RIAs, broker-dealers, mortgage companies, tax preparers, insurance agencies, and others — the GLBA Safeguards Rule applies to you.

The 2023 updates to the Safeguards Rule brought it substantially closer to the HIPAA Security Rule in specificity. The requirements now include: a written information security program, a designated qualified individual responsible for it, risk assessments, encryption of customer data in transit and at rest, MFA for anyone accessing customer information, access controls, employee training, vendor oversight, and an incident response plan.

We help financial firms build and maintain each of these on the technology side. Multi-factor authentication, encryption, endpoint protection, and documented access controls aren’t things we bolt on at the end — they’re how we build every environment from the start.

For a plain-English breakdown of GLBA specifically, see our GLBA IT dictionary entry.

SEC and FINRA — Books & Records, cybersecurity disclosures, and examination readiness

The SEC and FINRA operate in parallel: the SEC sets the rules, FINRA enforces them for broker-dealers (and coordinates with the SEC on RIA oversight). Both care deeply about your technology environment.

Books & Records (SEC Rule 17a-4 / FINRA Rule 4511). Electronic business communications — email, text messages, Teams and Slack messages — must be retained for defined periods in a format that cannot be altered. That means WORM storage and a compliant archiving solution that captures communications automatically. We deploy and monitor these systems, and we verify they’re actually capturing what they’re supposed to. A broken archiving solution that nobody noticed isn’t a technology problem during an exam — it’s an enforcement problem.

2023 SEC Cybersecurity Rules. Publicly traded companies and registered investment advisers now face disclosure requirements for material cybersecurity incidents and annual reporting on cybersecurity risk management. The practical IT requirement: you need an incident response plan, and you need to know when an incident is material. Our article on what happens during an IT emergency or system outage covers the incident response framework we use across all high-compliance clients.

Examination readiness. FINRA and SEC examinations increasingly focus on cybersecurity practices — not just policies on paper, but demonstrated controls. We document your environment, access controls, patch history, and vendor relationships in a format an examiner can follow.

For broader context on these frameworks, see our SEC and FINRA IT dictionary entry.

PCI-DSS — if you process payments

Not every financial firm processes credit cards, but those that do — insurance agencies, tax preparation firms, some wealth management operations — have PCI-DSS obligations layered on top of everything else. The core principle is scope minimization: the less infrastructure that touches cardholder data, the smaller your compliance burden. We help firms architect their payment environments to keep that scope as tight as possible.

What we actually do — the ten practices

Across all of these frameworks, the technology requirements overlap more than they differ. Here’s what we implement and maintain for financial services clients:

  1. Written information security program support — documenting the technology environment, access controls, and vendor relationships in a format that satisfies examiner requests.
  2. Risk assessments — annual or as-needed technology risk assessments that identify gaps before an examiner or attacker does.
  3. Encryption everywhere — data at rest and in transit, including on mobile devices and laptops that leave the office.
  4. Multi-factor authentication — required under GLBA, expected under FINRA cybersecurity guidance, and increasingly required by cyber insurance carriers.
  5. Access controls and audit logs — least-privilege access, with logs that demonstrate who accessed what and when. Single sign-on (SSO) and centralized identity management are central to this.
  6. Email and communications archiving — WORM-compliant archiving that captures all business-related electronic communications for the required retention period.
  7. Endpoint protection — EDR on every device, managed and monitored.
  8. Backup and disaster recovery — tested, documented, WORM-protected. A backup that’s never been restored isn’t a recovery strategy.
  9. Incident response plan — written, tested, and wired into our monitoring so we know when to invoke it.
  10. Vendor oversight documentation — your regulators want to know that you’ve evaluated your technology vendors’ security practices. We help you build and maintain that documentation.

What we don’t do

We manage the technology side. We are not your compliance officer, your legal counsel, or your auditor. We will never sign off that your firm "is compliant" — that determination belongs to qualified compliance professionals and examiners, not your IT provider. What we will tell you is that your technology environment is built and maintained in a way that supports your compliance program, gives your compliance team accurate information to work with, and holds up when an examiner looks closely.

The honest caveat

Regulations change. The 2023 SEC cybersecurity rules are newer than some of our longer-tenured clients’ compliance programs. If you haven’t reviewed your IT-side compliance posture since 2021, it’s worth a conversation.