
IT Support for Financial Services Firms

Financial services firms carry more regulatory IT obligations than almost any other sector — GLBA, SOX, SEC cybersecurity rules, NY DFS Part 500. Get matched with an MSP that treats compliance as a deliverable, not an afterthought.

Which Financial Firms Need Specialized IT?

If your firm is regulated by the FTC, SEC, FINRA, OCC, state banking regulators, or insurance commissioners — your IT provider needs to understand what those regulators expect.

Registered Investment Advisors (RIAs)

Subject to GLBA Safeguards Rule and SEC cybersecurity rules. Portfolio management systems, client portals, and CRM data all carry compliance obligations.

Community Banks & Credit Unions

GLBA, FFIEC guidance, and state banking regulations. Core banking system uptime is non-negotiable. IT must support examiner requests and audit readiness year-round.

Mortgage Brokers & Lenders

GLBA Safeguards Rule, RESPA, and state licensing. Loan origination systems handle highly sensitive PII. Secure document workflows and access controls are critical.

Broker-Dealers & Securities Firms

FINRA Rule 4370 (business continuity), SEC Rule 17a-4 (records retention in WORM storage), and order management system uptime. Regulators will ask about your BCP in an exam.

Accounting & Tax Firms

GLBA applies to tax preparers. IRS Publication 4557 outlines data safeguarding requirements. Client financial data is a prime ransomware target — backup strategy is foundational.

Private Equity & Venture Capital

SEC cybersecurity rules increasingly apply to registered advisers. Deal data, LP information, and portfolio company access are high-value targets requiring enterprise-grade controls.

Financial Services IT Compliance Requirements

Each regulation has specific IT controls. Your MSP should be able to map their services to these requirements — not just say they're "compliant."

GLBA Safeguards Rule (regulator: FTC)
  Who it applies to: Non-bank financial institutions — RIAs, mortgage brokers, auto dealers with financing, tax preparers
  Key IT requirements: Written information security program, annual risk assessment, MFA, encryption at rest & in transit, annual pen testing, vulnerability scanning 2x/year, incident response plan, vendor oversight
  MSP's role: Implement and document all technical safeguards; provide annual evidence for audit; manage vendor risk assessments; respond to and document incidents

SOX Section 302/404 (regulator: SEC)
  Who it applies to: Public companies and the IT environments supporting their financial reporting
  Key IT requirements: IT General Controls (ITGCs): logical access, change management, computer operations, data integrity. Evidence is collected and reviewed by external auditors annually.
  MSP's role: Maintain audit-trail logs, enforce segregation of duties in financial systems, document change management procedures, provide evidence for PCAOB auditors

SEC Cybersecurity Rules (regulator: SEC)
  Who it applies to: Public companies (effective 2024) and registered investment advisers
  Key IT requirements: Material incident disclosure within 4 business days (Form 8-K); annual cybersecurity risk management, strategy, and governance disclosure (Form 10-K); board oversight documentation
  MSP's role: Incident detection and response capability to meet the 4-day window; annual cybersecurity posture documentation; board-level reporting support

NY DFS Part 500 (regulator: NY DFS)
  Who it applies to: DFS-licensed entities: banks, insurers, mortgage companies, licensed lenders operating in New York
  Key IT requirements: Designated CISO, annual pen testing, bi-annual vulnerability scans, MFA, encryption, 72-hour incident notification, third-party vendor cybersecurity requirements, annual certification
  MSP's role: Provide or support the CISO function, conduct/coordinate assessments, manage the vendor risk program, prepare annual certification documentation

FFIEC Guidance (regulator: FFIEC)
  Who it applies to: Federally insured banks and credit unions
  Key IT requirements: The IT examination handbook covers audit, business continuity, cyber risk, development & acquisition, management, operations, outsourcing, retail payment systems, and wholesale payment systems
  MSP's role: Maintain examination-ready documentation; support IT examinations; provide BCP testing evidence; manage third-party/vendor risk

FINRA Rule 4370 (regulator: FINRA)
  Who it applies to: Broker-dealers
  Key IT requirements: Written Business Continuity Plan (BCP), annual BCP review, notification to FINRA upon invoking the BCP, emergency contact list maintenance
  MSP's role: Implement and test the BCP; document RTO/RPO for trading systems; maintain off-site backup; provide annual BCP review documentation

SEC Rule 17a-4 (regulator: SEC)
  Who it applies to: Broker-dealers and registered investment advisers
  Key IT requirements: Electronic records retained in non-erasable, non-rewritable (WORM) format for 3–6 years depending on record type; audit trail required
  MSP's role: Implement WORM-compliant storage (e.g., Azure Immutable Blob, AWS Object Lock, Wasabi Compliance); maintain the audit trail; verify retention policy compliance

SOX IT General Controls: What Auditors Actually Look At

If you're a public company or approaching an IPO, your IT provider's documentation discipline will directly affect your audit outcome. Here's what PCAOB auditors examine.

Logical Access
Who can access financial applications, databases, and servers. Auditors look for: formal access provisioning/deprovisioning process, quarterly access reviews, segregation of duties (no user should be able to both initiate and approve transactions), privileged access monitoring, and terminated employee access revocation within 24–48 hours. Your MSP should maintain access logs and provide evidence of regular review.
Change Management
How software changes are tested, approved, and deployed to financial systems. Auditors look for: separation of development from production (no developer should push their own code to prod), documented test results before deployment, change approval tickets, and emergency change procedures. Your MSP needs a documented change management process — not just "we test things before deploying."
Computer Operations
Backup and recovery, job scheduling, incident monitoring. Auditors look for: documented backup procedures with tested restores, monitoring of critical financial system jobs with exception alerts, incident ticketing with documented resolution. Your MSP should provide monthly backup test evidence and maintain an incident log.
Data Integrity
Accuracy and completeness of financial data as it flows from source systems (ERP, billing) through to financial reporting. Auditors look for: interface controls between systems, reconciliation procedures, and controls over manual journal entries. Your MSP needs to understand the data flow through your financial systems — not just that the servers are up.

Audit readiness tip: The most common SOX ITGC finding is "insufficient evidence" — not that controls don't exist, but that there's no documentation. Your MSP should generate evidence automatically: access review exports, change tickets, backup logs, monitoring alerts. If they can't produce this on demand, that's a material weakness waiting to happen.
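As an added illustration of the "generate evidence automatically" point (example code written for this page, not from any MSP or audit tool), the script below runs two of the logical-access checks listed above over a constructed access export: segregation-of-duties conflicts and the termination revocation window. The role names, the 48-hour SLA (the upper end of the 24–48 hour window) and the sample data are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (assumed names, not from any real firm):
# an HR termination feed and an export of financial-system role assignments.
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 9, 0),
    "asmith": datetime(2024, 3, 4, 17, 0),
}
ACCESS_EXPORT = [
    # (user, system, role, status, disabled_at or None)
    ("jdoe", "ERP", "AP_CLERK", "disabled", datetime(2024, 3, 1, 15, 0)),
    ("asmith", "ERP", "GL_ANALYST", "active", None),
    ("bkim", "ERP", "AP_CLERK", "active", None),
    ("bkim", "ERP", "AP_APPROVER", "active", None),
    ("clee", "ERP", "AP_APPROVER", "active", None),
]
# Role pairs one person must never hold together (initiate vs. approve).
SOD_CONFLICTS = {("AP_CLERK", "AP_APPROVER")}
REVOCATION_SLA = timedelta(hours=48)  # assumed upper end of the 24-48h window


def sod_violations(export):
    """Return (user, system, role_a, role_b) for every active SoD conflict."""
    held = {}
    for user, system, role, status, _ in export:
        if status == "active":
            held.setdefault((user, system), set()).add(role)
    return [(u, s, a, b) for (u, s), roles in held.items()
            for a, b in SOD_CONFLICTS if a in roles and b in roles]


def late_revocations(export, terminations, as_of):
    """Flag terminated users whose access outlived the revocation SLA."""
    late = []
    for user, system, role, status, disabled_at in export:
        if user not in terminations:
            continue
        deadline = terminations[user] + REVOCATION_SLA
        # Accounts still active are measured against the review date itself.
        effective = disabled_at if status == "disabled" else as_of
        if effective > deadline:
            late.append((user, system, role, status))
    return late


def access_review_evidence(export, terminations, as_of):
    """Bundle both checks into one dated record to file as audit evidence."""
    return {
        "as_of": as_of.isoformat(),
        "accounts_reviewed": len(export),
        "sod_violations": sod_violations(export),
        "late_revocations": late_revocations(export, terminations, as_of),
    }
```

Running the same checks on a schedule and storing the returned record alongside the raw export gives the auditor the dated evidence the tip describes, rather than a verbal assurance that reviews happen.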

Common Financial Services Applications — IT Considerations

Your IT provider needs to understand what these systems do, where they store data, and what their compliance implications are.

Orion / Orion Portfolio Solutions
  Used by: RIAs, wealth managers
  Data sensitivity: High — account holdings, performance data, client PII
  IT / compliance notes: Cloud-based; SSO integration required; API connections to custodians (Schwab, Fidelity, Pershing) must be secured; user access reviews for GLBA

Redtail CRM
  Used by: RIAs, financial planners
  Data sensitivity: High — client financial data, beneficiary info
  IT / compliance notes: Cloud-based; MFA required for GLBA; data export/backup procedures needed; user offboarding critical

Salesforce Financial Services Cloud
  Used by: Banks, insurers, wealth management
  Data sensitivity: High — CRM + financial account data
  IT / compliance notes: Salesforce Shield or Event Monitoring for audit trails; field-level security for sensitive data; SOX ITGC considerations for change management in Salesforce configuration

Sage Intacct
  Used by: Mid-market financial services, fund administrators
  Data sensitivity: Critical — general ledger, financial statements
  IT / compliance notes: SOX ITGC in scope; role-based access critical; API connections to operational systems must be documented; cloud-hosted, but access control evidence is still required

QuickBooks Enterprise
  Used by: Smaller financial firms, accounting firms
  Data sensitivity: Critical — financial records, client tax data
  IT / compliance notes: On-prem or hosted; backup and DR critical; user access controls often under-configured; GLBA Safeguards Rule applies to accounting firms

Encompass (ICE Mortgage)
  Used by: Mortgage lenders and brokers
  Data sensitivity: Critical — loan applications, SSNs, income data
  IT / compliance notes: GLBA Safeguards Rule in scope; vendor access to loan files must be tracked; audit trail for loan file modifications required

Schwab / Fidelity Custodian Portals
  Used by: RIAs using third-party custodians
  Data sensitivity: High — trading authority, account access
  IT / compliance notes: MFA required; trading authority access must be tightly controlled and reviewed regularly; GLBA vendor oversight applies to the custodian relationship

Questions to Ask a Financial Services IT Provider

Use these in your first call to separate firms that understand your world from those that will learn it at your expense.

On Compliance & Documentation

  • Have you supported a GLBA Safeguards Rule audit before?
  • How do you produce evidence for SOX ITGC reviews?
  • Can you generate quarterly access review reports for our financial systems?
  • How do you handle a regulator information request (e.g., SEC exam, FINRA exam)?

On Security Controls

  • How do you enforce MFA across all financial systems, including custodian portals?
  • What WORM-compliant storage do you use for records retention?
  • How quickly can you contain a ransomware incident and what's your breach notification process?
  • How do you manage third-party vendor access to our systems?

On Experience & References

  • What financial services clients do you currently manage?
  • Which financial applications are you familiar with? (Orion, Redtail, Encompass, etc.)
  • Have you worked with a firm through an SEC examination or FINRA audit?
  • Do you have a virtual CISO offering for firms that need a designated qualified individual?

Get Matched With a Financial Services IT Provider

Tell us about your firm. We'll match you with MSPs who have verifiable financial services experience — not generalists who've never seen a GLBA audit.

No spam. You'll hear from one or two vetted providers, not a call center.