WISP — Written Information Security Program
Every regulator expects a WISP. A WISP that isn’t enforced is evidence against you.
FCI writes and maintains the Written Information Security Program — and enforces the controls behind it. The policy on paper matches what is actually deployed, and the FCI Portal produces the living evidence.
A WISP — Written Information Security Program — is the written policy regulators expect every financial services firm to maintain: how the firm protects customer information, who is responsible, and which controls enforce it. FCI writes and maintains the WISP, enforces its controls, and produces continuous evidence in the FCI Portal that the program is followed.
What a WISP Is
One document, expected by nearly every regulator you answer to.
A Written Information Security Program — a WISP — is the document that describes how the firm protects customer information: the safeguards in place, who is responsible for them, and how they are maintained. It is often the first thing an examiner or auditor asks for, because it defines the standard the rest of the firm’s evidence is measured against. And the requirement comes from multiple directions at once.
States impose written information security program requirements on firms that hold their residents’ personal information — Massachusetts 201 CMR 17.00 is the best-known example, requiring a comprehensive written program with designated responsibility and specific safeguards. A firm with clients in multiple states answers to multiple versions of this requirement at once.
The Safeguards Rule under the Gramm-Leach-Bliley Act requires covered financial institutions to develop, implement, and maintain a written information security program — with a designated individual responsible for it, a risk assessment behind it, and safeguards that address the risks identified.
The SEC requires written policies and procedures to safeguard customer records and information. The amended Regulation S-P raises the bar further — written incident response procedures and vendor oversight documentation are now part of the expectation.
FINRA expects supervisory system documentation and specific cybersecurity controls during routine reviews — written supervisory procedures that describe the program, and evidence that the program described is the program actually running.
Policy vs. Proof
The gap between what the policy says and what is deployed.
Regulators are increasingly asking for evidence of enforcement, not just evidence of policy. A written supervisory procedure that says “all devices must run endpoint protection” is only valuable if the firm can prove it is true — across every registered representative, every branch, every device.
This is where a WISP turns dangerous. If the program says encryption is required and half the field’s laptops are unencrypted, the document is no longer a defense — it is a written record that the firm knew the standard and did not meet it. Checking a box without verification creates liability.
The policy was written once — perhaps by a consultant, perhaps from a template — and filed. It says the right things. But nothing enforces it, nothing verifies it, and no evidence exists that any device actually complies. In an exam or an insurance claim, every sentence becomes a question the firm cannot answer.
The same policy — but every control it names is technically enforced, and every enforcement generates timestamped evidence. When the examiner reads a requirement and asks “show me,” the answer is on screen in the FCI Portal. The document and the deployment are the same program.
What FCI Delivers
One provider writes the WISP, enforces it, and proves it.
“The firm defines its cybersecurity program — its policies, procedures, and compliance framework. FCI implements the technical controls that enforce those policies and produces the evidence that demonstrates compliance.”
Aligned to your regulator’s specific language and reviewed annually. Not a generic template — a policy that maps to the controls FCI actually implements and enforces.
Every requirement the WISP names — endpoint protection, encryption, MFA, access control — deployed and enforced across every user, every device, every network. The policy is not a request to the field; it is a configuration.
Evidence builds every day as controls run. Timestamped enforcement records, a device inventory with current control verification, and point-in-time audit capability — the proof that the program described is the program running.
Every control the WISP requires, cross-referenced to every applicable regulatory requirement — SEC, FINRA, NYDFS, NAIC — so one written program answers every regulator the firm reports to.
At Exam Time
The WISP maps to what is actually deployed.
When the examiner opens the WISP, every section points to evidence that already exists. There is no scramble to make the document match reality — the document and reality were never allowed to drift apart.
WISP — common questions
Related
Where the WISP fits.
The WISP is one deliverable in a larger picture: every control mapped to the frameworks your regulators use, with evidence that builds every day — not just before an exam.
Sixteen questions on regulatory readiness, breach preparedness, and the gap between policy and proof — including the ones a WISP is supposed to answer.
See whether your WISP matches what is actually deployed — in 30 minutes.
FCI works with broker-dealers and branch offices, insurance carriers and agencies, and RIAs. Request a gap analysis. You will have a clear picture of what your written program requires, what is actually enforced, and where the gap between the two would surface in an exam.