How to Build a Written Information Security Program (WISP) for Your RIA

SEC examiners do not ask whether you care about cybersecurity. They ask to see your written policies. If you cannot hand them a document that describes how your firm protects client data, the exam goes badly from there. Here is what a WISP needs to contain and how to build one without spending $15,000 on a consultant.

Why the SEC requires written policies

The SEC does not have a single rule titled "you must have a WISP." The requirement comes from multiple sources: Regulation S-P (safeguarding customer information), Regulation S-ID (identity theft prevention), and the SEC's long-standing position that an adviser's fiduciary duty includes protecting client data.

OCIE (now the Division of Examinations) has included written cybersecurity policies in its examination priorities every year since 2014. In practice, this means every RIA examination includes a request for your written information security program. If you do not have one, that is a finding. If you have one but it is generic or outdated, that is also a finding.

What a WISP must cover

Based on SEC examination focus areas, risk alerts, and enforcement actions, a compliant WISP for an RIA should address these core areas:

Access controls

Who has access to client data, how access is granted, how it is revoked when someone leaves, and how you enforce least-privilege principles. This includes logical access (system logins, permissions) and physical access (office entry, server rooms, file cabinets with client records).

Examiners ask specific questions: How do you handle access when an employee is terminated? How long before accounts are deactivated? Who reviews access permissions and how often? Your WISP needs answers to all of these.

Encryption

Data at rest and data in transit. Client information stored on laptops, in cloud platforms, or on portable media must be encrypted. Email containing sensitive client data must use encryption. The WISP should specify what encryption standards your firm uses (AES-256 for storage, TLS 1.2+ for transmission) and where they are applied.

Vendor and third-party oversight

Your custodian, CRM, portfolio management software, cloud storage, email provider, and any other vendor with access to client data represent risk to your firm. The WISP must describe how you evaluate vendor security before onboarding, what contractual protections you require (including the 72-hour notification provision under amended Regulation S-P), and how you conduct ongoing oversight.

Incident response

What happens when something goes wrong. Your incident response section should define what constitutes an incident, who is responsible for each step of the response, how you assess the scope and impact, how you contain the threat, and how you handle notification obligations. This section has become significantly more detailed since the SEC amended Regulation S-P to include specific notification timelines.

Employee training

Policies are useless if your staff does not know they exist. The WISP should describe your training program: what topics are covered, how often training occurs, how you test comprehension, and how you document completion. At minimum, training should cover phishing awareness, password hygiene, data handling procedures, and incident reporting.

Data classification and retention

Not all data carries the same risk. Your WISP should classify information by sensitivity level and specify retention and disposal policies for each category. Client Social Security numbers require different handling than marketing email lists. Examiners want to see that you know the difference and have documented procedures accordingly.

Physical safeguards

If your firm has a physical office, the WISP must address physical security: locked offices, clean desk policies, visitor procedures, secure disposal of paper records, and physical access controls to areas where client data is stored or processed. Remote work policies belong here too — how employees secure client data when working from home.

Annual review and updates

A WISP is not a one-time document. The SEC expects policies to be reviewed at least annually and updated whenever there are material changes to your operations, technology, or threat landscape. The review should be documented — who conducted it, what was changed, and why.

The cost problem

Most RIA firms do not have in-house cybersecurity staff. When the SEC tells you to produce a written information security program, you have three options:

  1. Hire a consultant. Typical cost: $5,000 to $15,000 for initial development, plus $2,000 to $5,000 annually for reviews and updates. You get a customized document, but the quality varies wildly and you are still responsible for implementation.
  2. Use a template and customize it yourself. Lower cost, higher risk. Generic templates miss firm-specific details that examiners look for. If your WISP reads like it was written for a different firm — because it was — that undermines its credibility.
  3. Use a platform that guides the process. This is the middle ground: structured guidance that produces a customized WISP based on your firm's actual operations, at a fraction of the consultant cost.

Building your WISP step by step

If you are starting from scratch, here is a practical sequence:

  1. Inventory your data and systems. List every system that stores or processes client information. Include cloud services, local devices, email, and any paper records. You cannot protect what you have not identified.
  2. Map your current practices. Before writing policies, document what you actually do today. How do employees access systems? What happens when someone leaves? How do you handle a suspicious email? Your WISP should formalize your real practices, not describe an aspirational state.
  3. Identify gaps. Compare your current practices against the categories listed above. Where you have no documented procedure, that is a gap. Where your procedure is informal or inconsistent, that is also a gap.
  4. Write the policies. For each area, write clear, specific procedures. Avoid vague language like "employees should use strong passwords." Instead: "All employee accounts must use passwords of at least 14 characters with multi-factor authentication enabled. Passwords must be changed every 90 days. The CCO reviews active accounts quarterly."
  5. Assign responsibility. Every policy needs an owner. Someone is responsible for reviewing access logs. Someone is responsible for conducting training. Someone is the point of contact for incident response. Name the roles.
  6. Train your team. Walk every employee through the WISP. Make sure they know where to find it, what it requires of them, and who to contact when something goes wrong. Document the training.
  7. Schedule the first annual review. Put it on the calendar now. When the review happens, document what you examined, what changed, and why.

How BlackSheep helps

BlackSheep's RIA compliance platform walks your firm through building a WISP section by section, tailored to your firm's size, technology stack, and operational model. The platform generates policies based on your actual answers — not boilerplate — and tracks annual reviews, employee training completion, and policy version history.

It covers access controls, encryption standards, vendor oversight, incident response (aligned with amended Regulation S-P requirements), training documentation, and everything else an SEC examiner expects to see. At $249 per month, it replaces the $5,000 to $15,000 consultant engagement and the ongoing maintenance fees.

Your SEC exam will ask for written policies. Have them ready.
