Iron Bridge advises registered investment advisers, broker-dealers, and financial institutions on satisfying the cybersecurity obligations of NYDFS Part 500, the SEC's cybersecurity rules, and FINRA examination standards.
Financial services firms face overlapping, evolving cybersecurity obligations. We help you understand what applies, where your gaps are, and how to close them before an examiner does.
New York's cybersecurity regulation applies to all entities licensed under the Banking Law, Insurance Law, or Financial Services Law. Amended in 2023 with significantly heightened requirements — enforcement is active.
The SEC adopted sweeping cybersecurity rules for investment advisers in 2023. Rule 206(4)-9 requires written policies, risk assessments, and governance. Reg S-P was amended to add breach notification obligations.
FINRA does not have a standalone cyber rule, but consistently identifies cybersecurity as a priority area in annual exam findings. Rule 4370 mandates business continuity plans; Rule 3110 requires a supervisory system that includes technology controls.
We deliver the senior-level expertise your firm needs, without the overhead of a full-time hire. Each engagement produces tangible, examiner-ready work product. See the full service menu and pricing →
A structured review of your current security program mapped against NYDFS Part 500, SEC rules, or FINRA requirements. Delivered as a written report with a prioritized remediation roadmap your board can act on.
InquireOngoing strategic leadership on a monthly retainer. Board-level reporting, vendor risk oversight, annual certification preparation, and exam defense — without the cost of a full-time executive.
InquireWe draft the written policies your regulator expects — information security policy, incident response plan, vendor management program, and annual review cycle. Built for your firm, not adapted from a generic template.
InquireTabletop exercises, response plan development, and NYDFS 72-hour and SEC 30-day notification preparation. Know exactly what to do — and what to document — before an incident occurs.
InquireWe understand what examiners look for because we have spent years advising institutions on what regulators actually scrutinize. Our work is designed to withstand review, not merely satisfy internal stakeholders.
We work exclusively in the language of your examiners. Our deliverables reference the specific rule language your regulator will cite, making examination responses straightforward rather than reactive.
The typical small RIA or broker-dealer does not require a $25,000-per-month managed security provider. They need a senior practitioner who understands the rules and can translate them into executable programs.
Every engagement produces work product you can place in front of your board, your regulator, or your E&O carrier. We do not deliver slide decks — we deliver documented programs and signed certifications.
Most of our clients are small advisers facing their first real examination scrutiny. The pattern below is typical of how an engagement unfolds — anonymized, but representative of the work.
“We knew an SEC exam was coming and had no idea whether our policies would hold up. We needed a straight answer, not a sales pitch.”
A six-person registered investment adviser, running entirely on cloud infrastructure and a single outsourced IT provider, was approaching its first SEC examination. It had no written cybersecurity policy, no documented risk assessment, and no way to prove its IT provider was actually maintaining security.
A Tier I Readiness Assessment established an objective baseline against SEC Regulation S-P and the NIST framework, surfacing the gaps that mattered. From there, a prioritized remediation roadmap translated each technical finding into a clear, ordered punch list — and the written policies, incident response plan, and vendor due-diligence records the examination would expect.
The firm walked into its exam with a documented program, a maintained evidence library, and answers that referenced the specific rule language the examiner cited — turning a source of real anxiety into a matter of producing what already existed.
Illustrative engagement. Details are anonymized and representative of typical small-RIA work; they do not describe a single identifiable client.
A practical reference covering the most common examination deficiencies across NYDFS, SEC, and FINRA reviews. Used by compliance officers at RIAs, broker-dealers, and insurance companies.
Your checklist is ready to view now.
A copy is also on its way to your inbox.