Your client list is confidential. Their account numbers, Social Security numbers, and tax records live in your systems. And as of 2023, the Federal Trade Commission (FTC) has specific, enforceable opinions about how you protect all of it. Most of the coverage on the FTC Safeguards Rule focuses on banks and credit unions. This post is for the boutique registered investment advisor (RIA), the independent financial planner, and the small wealth management firm that nobody wrote the manual for.

The Problem: A Major Compliance Update That Most Small Firms Missed

The FTC Safeguards Rule - formally the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (GLBA) - was updated in 2021 and its key provisions took effect in 2023. The amendments significantly expanded which businesses the Rule covers and added specific technical requirements that did not exist before.

Here is the part that catches small advisory firms off guard: the Rule does not just apply to banks. It covers “financial institutions” as the FTC defines them - and that definition is broad. If your firm provides financial advisory services, processes loan applications, prepares taxes, or handles consumer financial data in any meaningful way, you are likely covered. The FTC has explicitly confirmed that many RIAs, mortgage brokers, and tax preparers fall within scope.

The previous version of the Rule was vague enough that a firm could claim general good intentions and move on. The 2023 amendments replaced that flexibility with a concrete list of requirements. You now need specific controls, a named person responsible for your security program, and documentation to prove it.

Most of the compliance guidance published after these amendments was written for institutions with dedicated legal and compliance teams. A 15-person RIA in the Bay Area is not Wells Fargo. The requirements, however, do not disappear because your firm is small. Understanding exactly what applies to you - and what does not - is where you need to start.

Why This Matters for RIAs and Independent Financial Advisors

The financial advisory relationship is built on trust. Your clients hand you access to their most sensitive financial information - sometimes their entire net worth. A data breach does not just expose that information. It can end the firm.

The FTC has enforcement authority under the Safeguards Rule and has pursued cases against non-bank financial firms. Civil penalties can reach $51,744 per violation per day under the FTC Act. More practically, a breach that exposes client data triggers notification obligations, potential state-level regulatory scrutiny, and the kind of press coverage that is very difficult to recover from when your business runs on referrals.

For RIAs specifically, the stakes compound. The Securities and Exchange Commission (SEC) has its own cybersecurity expectations under Regulation S-P, which requires firms to adopt written policies and procedures to protect customer records. The SEC’s updated Regulation S-P rule, finalized in 2024, added incident response and notification requirements on top of what the FTC already mandates. If your firm is a registered investment advisor, you may be navigating two overlapping compliance frameworks simultaneously.

The California Consumer Privacy Act (CCPA) adds a third layer for California-based firms or those with California clients. CCPA gives consumers rights over their personal data and creates liability for firms that fail to implement reasonable security measures.

None of these frameworks are optional. And none of them include a carve-out for boutique firms.

How to Meet the FTC Safeguards Rule Requirements

The Rule organizes its requirements around a written information security program. Here is what that program must include for most covered firms.

Assign a Qualified Individual

You need a designated person responsible for overseeing your information security program. This does not have to be an in-house chief information security officer (CISO). At many small firms, it will be a principal or operations lead - or an outsourced IT provider serving in that function. What matters is that someone is named, accountable, and actually doing the job.

Conduct a Written Risk Assessment

You must identify the risks to customer information your firm faces, evaluate your existing safeguards, and document both. This is not a one-time exercise. You need to revisit it regularly and whenever your operating environment changes.

Implement Specific Technical Safeguards

The 2023 amendments got specific. Your program must include:

  • Multi-factor authentication (MFA) for anyone accessing customer financial data
  • Encryption of customer information both in transit and at rest
  • Secure development practices if your firm builds or configures software
  • Monitoring and testing of your security controls
  • A written incident response plan

For firms with 5,000 or more customer records, the Rule adds penetration testing at least annually and vulnerability assessments at least every six months. If you manage a meaningful book of business, that threshold is probably not as far away as it sounds.

Oversee Your Vendors

This is the requirement most small firms overlook. If any third party - your portfolio management software provider, your document storage service, your CRM vendor - handles customer financial data, you must assess their security practices before engaging them and monitor them on an ongoing basis. Your contracts with those vendors should include security requirements. A vendor’s data breach can become your compliance problem.

Train Your Staff

Your team needs regular security awareness training. Phishing attacks targeting financial advisory clients are sophisticated. Social engineering is the most common entry point for breaches. Training is not optional, and “we told them to be careful” does not satisfy the requirement.

Report to Your Board or Senior Leadership

The qualified individual responsible for your program must report to your board or, if you do not have a board, to your senior officer at least annually. That report should address the status of your program and the material risks your firm faces.

What to Look for in an IT Partner

If you are working with an IT provider or considering one, the Safeguards Rule gives you a concrete checklist to evaluate them against. Ask these questions directly:

  • Can you help us document a written information security program that meets FTC Safeguards Rule requirements?
  • Do you have experience serving firms under GLBA and Regulation S-P specifically?
  • How do you support vendor security assessments?
  • What does your penetration testing and vulnerability assessment process look like?
  • Can you serve as or support a qualified individual function under the Rule?
  • How do you handle incident response and, if needed, client notification support?

A provider who hesitates or pivots to generic answers on any of these questions may not have the compliance depth your firm needs. Managed IT for a financial advisory firm is a different discipline than managing an office network. The firm you choose should understand that difference without you having to explain it.

The Bottom Line

The FTC Safeguards Rule now sets enforceable, specific requirements for most small RIAs and independent financial advisors. You need a written information security program, a named person responsible for it, MFA, encryption, vendor oversight, and staff training - at minimum. The compliance investment is real, but the alternative is regulatory exposure and the kind of breach that ends client relationships for good. Get the program in place.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to my small RIA if I have fewer than 10 employees?

Yes. The FTC Safeguards Rule does not include a small business exemption based on headcount. There is a limited exception for firms with fewer than 5,000 customer records - those firms are exempt from the annual penetration testing requirement - but the core written information security program requirements apply regardless of firm size. If you provide financial advisory services and handle consumer financial data, assume the Rule covers you.

What counts as “customer information” under the FTC Safeguards Rule?

Customer information means any record containing nonpublic personal information about a customer that a financial institution maintains. For a financial advisory firm, this includes names paired with account numbers, Social Security numbers, income or asset information, transaction data, and anything else in your files that would not be public knowledge. Effectively, your entire client record system falls within scope.

Do I need a separate written security policy just for the FTC Safeguards Rule, or does one document cover my SEC obligations too?

A single well-constructed information security program can satisfy the requirements of both the FTC Safeguards Rule and the SEC’s Regulation S-P, provided it addresses the specific elements each framework requires. The overlap is significant. That said, Regulation S-P’s 2024 updates added incident response and notification requirements with specific timelines that you should verify are explicitly addressed in whatever document your firm uses. Have a compliance-aware IT provider or attorney review the final version.

What happens if my firm gets audited and does not have a written information security program?

The FTC can pursue enforcement action, including civil monetary penalties, for Safeguards Rule violations. Beyond federal enforcement, a gap in your written program also creates exposure under state law - particularly under the California Consumer Privacy Act if you have California clients - and can complicate your firm’s standing with the SEC if your RIA registration is under review. The written program is not a technicality. It is your primary documented defense.

One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area.