WISP — Written Information Security Program

Every regulator expects a WISP. A WISP that isn’t enforced is evidence against you.

FCI writes and maintains the Written Information Security Program — and enforces the controls behind it. The policy on paper matches what is actually deployed, and the FCI Portal produces the living evidence.

30+
years serving financial services exclusively
365
days a year evidence builds
80%+
compliance management time returned to the firm

A WISP — Written Information Security Program — is the written policy regulators expect every financial services firm to maintain: how the firm protects customer information, who is responsible, and which controls enforce it. FCI writes and maintains the WISP, enforces its controls, and produces continuous evidence in the FCI Portal that the program is followed.

What a WISP Is

One document, expected by nearly every regulator you answer to.

A Written Information Security Program — a WISP — is the document that describes how the firm protects customer information: the safeguards in place, who is responsible for them, and how they are maintained. It is often the first thing an examiner or auditor asks for, because it defines the standard the rest of the firm’s evidence is measured against. And the requirement comes from multiple directions at once.

State Law
State Data-Security Laws

States impose written information security program requirements on firms that hold their residents’ personal information — Massachusetts 201 CMR 17.00 is the best-known example, requiring a comprehensive written program with designated responsibility and specific safeguards. A firm with clients in multiple states answers to multiple versions of this requirement at once.

Federal
GLBA & the FTC Safeguards Rule

The Safeguards Rule under the Gramm-Leach-Bliley Act requires covered financial institutions to develop, implement, and maintain a written information security program — with a designated individual responsible for it, a risk assessment behind it, and safeguards that address the risks identified.

SEC
Regulation S-P

The SEC requires written policies and procedures to safeguard customer records and information. The amended Regulation S-P raises the bar further — written incident response procedures and vendor oversight documentation are now part of the expectation.

FINRA
Supervisory Expectations

FINRA expects supervisory system documentation and specific cybersecurity controls during routine reviews — written supervisory procedures that describe the program, and evidence that the program described is the program actually running.

NYDFS Part 500 NAIC Model Law NIST Cybersecurity Framework GLBA Safeguards Rule

Policy vs. Proof

The gap between what the policy says and what is deployed.

Regulators are increasingly asking for evidence of enforcement, not just evidence of policy. A written supervisory procedure that says “all devices must run endpoint protection” is only valuable if the firm can prove it is true — across every registered representative, every branch, every device.

This is where a WISP turns dangerous. If the program says encryption is required and half the field’s laptops are unencrypted, the document is no longer a defense — it is a written record that the firm knew the standard and did not meet it. Checking a box without verification creates liability.

A WISP on Paper

The policy was written once — perhaps by a consultant, perhaps from a template — and filed. It says the right things. But nothing enforces it, nothing verifies it, and no evidence exists that any device actually complies. In an exam or an insurance claim, every sentence becomes a question the firm cannot answer.

A WISP with Enforcement Evidence

The same policy — but every control it names is technically enforced, and every enforcement generates timestamped evidence. When the examiner reads a requirement and asks “show me,” the answer is on screen in the FCI Portal. The document and the deployment are the same program.

Do your written supervisory procedures have technical enforcement evidence behind them — or are they policies on paper?

What FCI Delivers

One provider writes the WISP, enforces it, and proves it.

“The firm defines its cybersecurity program — its policies, procedures, and compliance framework. FCI implements the technical controls that enforce those policies and produces the evidence that demonstrates compliance.”

01
Written Information Security Program

Aligned to your regulator’s specific language and reviewed annually. Not a generic template — a policy that maps to the controls FCI actually implements and enforces.

02
Technical Enforcement

Every requirement the WISP names — endpoint protection, encryption, MFA, access control — deployed and enforced across every user, every device, every network. The policy is not a request to the field; it is a configuration.

03
Living Evidence in the FCI Portal

Evidence builds every day as controls run. Timestamped enforcement records, a device inventory with current control verification, and point-in-time audit capability — the proof that the program described is the program running.

04
Framework Alignment Mapping

Every control the WISP requires, cross-referenced to every applicable regulatory requirement — SEC, FINRA, NYDFS, NAIC — so one written program answers every regulator the firm reports to.

At Exam Time

The WISP maps to what is actually deployed.

When the examiner opens the WISP, every section points to evidence that already exists. There is no scramble to make the document match reality — the document and reality were never allowed to drift apart.

The Policy
Current, reviewed annually, aligned to the regulator’s own language — produced on request, not reconstructed under deadline.
The Deployment
A device inventory with control verification for every endpoint the WISP covers — updated continuously, not quarterly.
The Evidence
Timestamped enforcement records generated on demand through the FCI Portal, structured to match what examiners ask for.
The History
Point-in-time audit capability — go back to any date and demonstrate exactly what the firm’s posture was when it mattered.
If an examiner read your WISP today and asked “show me,” section by section — how many sections could you evidence on the spot?

WISP — common questions

A WISP — Written Information Security Program — is the written document describing how a firm protects customer information: the safeguards in place, who is responsible for them, and how they are maintained. State data-security laws such as Massachusetts 201 CMR 17.00, the GLBA Safeguards Rule, and SEC and FINRA supervisory expectations all converge on the same requirement — so virtually every financial services firm needs one.
Both. FCI writes and maintains the WISP — aligned to your regulator’s specific language and reviewed annually — and implements the technical controls that enforce it. Every enforcement generates evidence in the FCI Portal, so the policy and the proof come from the same program.
The gap becomes evidence against the firm. Regulators are increasingly asking for evidence of enforcement, not just evidence of policy — a written procedure is only valuable if the firm can prove it is true across every registered representative, every branch, every device. FCI closes that gap by enforcing the controls the WISP names and producing the evidence that they are followed.
Every section of the WISP maps to controls that are actually deployed. The device inventory, control verification, and timestamped enforcement records are generated on demand through the FCI Portal, structured to match what examiners ask for — so the examiner sees a program that was running before the notice arrived.

See whether your WISP matches what is actually deployed — in 30 minutes.

FCI works with broker-dealers and branch offices, insurance carriers and agencies, and RIAs. Request a gap analysis. You will have a clear picture of what your written program requires, what is actually enforced, and where the gap between the two would surface in an exam.