Comprehensive Information Risk Management for Financial Firms

August 22, 2025, by Robert Cruz

TL;DR: Firms need to look at compliance and beyond. It’s not just fulfilling a regulatory obligation. It’s also what they're doing to proactively manage information risk.

Business communications are the lifeblood of financial services. Yet every email, message, and AI-driven workflow can expose sensitive client information to risk. Cyber criminals, negligent insiders, and even trusted vendors have become avenues for data breaches. The stakes are high: the average cost of a data breach in the financial sector reached $6.1M in 2024, and the annual cost of insider incidents runs to nearly three times that amount.

Why information risk management matters to firms

Regulators such as the SEC and FINRA, and legislation such as Europe's Digital Operational Resilience Act (DORA), have raised the bar for data protection, vendor oversight, and incident response. Firms that rely on fragmented, check-the-box approaches to security often find themselves reacting to incidents rather than proactively managing risk.

Data privacy infractions also carry severe consequences: GDPR fines run up to 2% or 4% of worldwide annual turnover for the preceding financial year (or €10M/€20M, whichever is higher), depending on the tier of the violation. To truly protect client information, and your firm's reputation, it is time to think holistically about information risk.

Types of information risks facing financial firms

Modern risk extends far beyond phishing emails or ransomware. Firms must account for:

  • Messaging and web threats such as phishing, ransomware, and even deepfakes (which accounted for 51% of incidents in 2024)
  • Endpoint and application vulnerabilities, including those introduced by hybrid workforces and rapid adoption of emerging tools like generative AI — where only 24% of initiatives were secured
  • Insider threats from both negligence and malicious intent
  • Third-party and supply chain risks tied to vendors and foundation-model AI providers, whose familiarity with financial services information management requirements varies widely
  • Data and system policy gaps that can expose PII, intellectual property, or sensitive client information

The reality: vulnerabilities exist across every communication channel and every step of the information lifecycle.

What are the major information protection regulations and standards that apply to financial services?

Regulators, including FINRA and the SEC (through the recently updated Regulation S-P), are mandating comprehensive cybersecurity risk management, incident response, vendor oversight, and timely notification to mitigate these growing threats.

But that’s not all.

Financial services firms also need to look beyond what financial regulators explicitly require, and make sure their controls cover all facets of regulatory, IP, infosec, and privacy risk.

One central risk management challenge facing firms today is to ensure that information protection controls map to regulatory obligations, as well as those advised by standards bodies and data privacy authorities.

As you can see in the table below, this can be extensive.

Regulator or legislation | Encryption | Policy controls | Audit trail | Storage
SEC | Required | Required | Required | Secure; WORM-compliant; records retained 3-6 years
FINRA | Required | Required | Required | Secure; immutable; resilient; records retained 6 years
FCA | Required | Required | Required | Secure; centralized; varied retention timelines
MiFID II | Required | Required | Required | Secure; records retrievable within 72 hours
NARA | Encouraged | Required | Required | Secure
GDPR | Strongly recommended | Required | Required | Secure
CPRA | Required | Required | Required | Secure
NYDFS | Required | Required, with periodic review of policy controls and data-handling policies | Required | Required
DORA | Required | Required | Required | Secure; immutable; resilient; periodic review and testing

Why legacy information protection approaches fall short

Traditionally, firms responded to each new pressure with a separate, single-purpose information protection investment. Those pressures included:

  • Evolving cyber threats
  • Dynamic regulatory requirements
  • Emerging communications tools
  • Inherent functional complexities of decentralized business units

These narrowly selected, single-purpose tools often produced a fragmented and inefficient information protection posture, leaving gaps that attackers can exploit. Four common challenges stand out:

Brittle controls in a rapidly evolving threat landscape

The threat landscape evolves faster than many firms can adapt. Traditional defenses — like email scanning, malware filters, and endpoint protections — were built for yesterday’s risks. Emerging technologies such as ephemeral messaging apps, generative AI, and crypto assets introduce new vulnerabilities that these legacy controls can’t address.

The result: firms are forced into an endless cycle of specialized, piecemeal tools that struggle to keep up.

Patchworked regulatory compliance gaps

Regulators set high expectations, but their requirements can feel fragmented. FINRA and the SEC evaluate cybersecurity programs across multiple domains — from governance and access management to incident response and vendor oversight — each with different reporting obligations and timelines.

In Europe, the Digital Operational Resilience Act (DORA) aims to unify standards but acknowledges that years of inconsistent national rules have left firms with a patchwork of testing requirements. Compliance spend often follows enforcement priorities rather than building a cohesive, future-ready strategy.

Information risk management often takes a back seat

It’s no surprise that firms prioritize core financial risks and cyber defense — failure in either can have immediate, devastating consequences. But this focus often pushes broader information risks (like privacy, IP protection, or insider threats) down the priority list. The result is a “bolt-on” security posture, where disconnected programs spring up reactively after an incident or new regulation, rather than being part of an integrated risk management strategy.

Slow and fragmented incident response

When telemetry, ownership, and playbooks are split across tools and teams, response to an incident is slow and fragmented. Information and communications risks know no boundaries, and neither should your defenses. By using the NIST Cybersecurity Framework (whose 2.0 functions are Govern, Identify, Protect, Detect, Respond, and Recover) as the backbone and extending it to all information sources, firms can adopt a comprehensive posture that moves beyond reactive threat response and prepares for all aspects of information protection, including:

  • Governance: Clear cyber compliance strategies, policies, roles, responsibilities, and oversight for all information sources leveraged by the business for existing and emerging tools
  • Information inventories: Know where data resides, how it’s accessed, how it’s protected, vendor controls, and what standards or attestations are supported
  • Protection and prevention: Examine the effectiveness of identity and access management, encryption, data loss prevention, and network and application security layers
  • Detection: Strong audit trails, telemetry, and reconciliation features to enable timely discovery and analysis of anomalies and potential attacks
  • Response and recovery: Comprehensive incident response and continuity plans for cyber incidents, insider attacks, PII exposure and data integrity issues — including clear procedures for escalation, communication with stakeholders, and prompt recovery actions to limit damage

Both FINRA and the SEC are intensifying their scrutiny of firms' data protection programs, moving toward more unified and comprehensive requirements. In Europe, DORA is designed to consolidate and upgrade ICT risk management standards for the financial sector, explicitly addressing the "gaps, overlaps, and inconsistencies" created by divergent national rules.

Adopting a holistic approach allows firms to proactively manage interconnected risks, comply with evolving regulations, and maintain client trust.

How Smarsh can help with financial information risk management

Smarsh delivers information protection capabilities that are purpose-built for the demands of financial services firms. This starts with capabilities to address the core regulatory information protection obligations outlined by financial regulators.

Security at every level

Smarsh provides encryption in transit and at rest across all communications sources under management, using object-level AES-256 encryption (each archived object is encrypted individually). Additionally, Smarsh does not have readable access to client data unless a client has previously authorized it.

Policy and access controls

Smarsh provides a robust set of role-based access controls so that only authorized individuals can access information, scoped by risk category, business unit, or geographic restriction. Additionally, Smarsh layers security controls across the network and infrastructure layers, on endpoints, and in TLS authentication of connections.

Audit trail requirements

All activities performed against archived data (e.g., search, review, retrieval/export) are captured via robust audit trails along with a completely automated end-to-end reconciliation process.

Secure storage

Smarsh provides secure storage capabilities that meet the requirements of SEC Rule 17a-4 and similar regulations around the world. This includes preserving records in a non-erasable, non-rewritable (WORM) format so that the accuracy and integrity of stored objects can be demonstrated. (Since the 2022 amendments to Rule 17a-4, broker-dealers may alternatively satisfy the rule with an audit-trail system; WORM preservation remains a permitted option.) Smarsh Enterprise Archive operates exclusively within AWS public cloud infrastructure and is deployed in a triple-active configuration so that data remains accessible even if an issue arises with the primary storage location.
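The audit-trail and secure-storage requirements above (every action against archived data logged and reconciled; records non-erasable and non-rewritable for their retention period) can be illustrated with a small model. The following is an added example written for this page, not Smarsh code and not a description of how Smarsh Enterprise Archive is built; the WormArchive class, the record identifiers, the retention period, and the sample message are all hypothetical. It enforces write-once and retention rules at the API, keeps a hash-chained audit log, and runs a reconciliation that detects both an object edited behind the API and a rewritten log entry.

```python
import hashlib
import json
import time
from dataclasses import dataclass


class WormViolation(Exception):
    """Raised when a write-once or retention rule would be broken."""


@dataclass
class ArchivedRecord:
    record_id: str
    content: bytes
    sha256: str          # digest captured at store time
    retain_until: float  # epoch seconds; deletion refused before this


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class WormArchive:
    """Hypothetical write-once archive: objects cannot be overwritten or deleted
    early, and every store/retrieve/delete is appended to a hash-chained audit trail."""

    GENESIS = "0" * 64

    def __init__(self, retention_seconds: float, clock=time.time):
        self._objects: dict[str, ArchivedRecord] = {}
        self._audit: list[dict] = []
        self._clock = clock
        self._retention = retention_seconds

    def _log(self, action: str, record_id: str, actor: str) -> None:
        # Each entry commits to the previous entry's hash, so editing or removing
        # any earlier entry breaks the chain from that point onward.
        prev = self._audit[-1]["entry_hash"] if self._audit else self.GENESIS
        entry = {"seq": len(self._audit), "ts": self._clock(), "actor": actor,
                 "action": action, "record_id": record_id, "prev_hash": prev}
        entry["entry_hash"] = _digest(json.dumps(entry, sort_keys=True).encode())
        self._audit.append(entry)

    def store(self, record_id: str, content: bytes, actor: str) -> str:
        if record_id in self._objects:
            raise WormViolation(f"{record_id} already archived; overwrite refused")
        rec = ArchivedRecord(record_id, bytes(content), _digest(content),
                             self._clock() + self._retention)
        self._objects[record_id] = rec
        self._log("store", record_id, actor)
        return rec.sha256

    def retrieve(self, record_id: str, actor: str) -> bytes:
        rec = self._objects[record_id]
        self._log("retrieve", record_id, actor)
        return rec.content

    def delete(self, record_id: str, actor: str) -> None:
        rec = self._objects[record_id]
        if self._clock() < rec.retain_until:
            raise WormViolation(f"{record_id} is under retention until {rec.retain_until}")
        del self._objects[record_id]
        self._log("delete", record_id, actor)

    def reconcile(self) -> list[str]:
        """Independent check: audit chain unbroken, every live object still matches its
        stored digest, and the live inventory agrees with what the audit trail implies."""
        problems, prev, expected = [], self.GENESIS, set()
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = _digest(json.dumps(body, sort_keys=True).encode())
            if body["prev_hash"] != prev or recomputed != entry["entry_hash"]:
                problems.append(f"audit chain broken at seq {entry['seq']}")
            prev = entry["entry_hash"]
            if entry["action"] == "store":
                expected.add(entry["record_id"])
            elif entry["action"] == "delete":
                expected.discard(entry["record_id"])
        for rid, rec in self._objects.items():
            if _digest(rec.content) != rec.sha256:
                problems.append(f"{rid}: content no longer matches digest recorded at store time")
        for rid in sorted(expected ^ set(self._objects)):
            problems.append(f"{rid}: object inventory disagrees with audit trail")
        return problems


def demo() -> dict:
    """Exercise the WORM rules and two tampering scenarios; returns the outcomes."""
    now = [1_700_000_000.0]  # controllable clock so the retention period can be advanced
    archive = WormArchive(retention_seconds=6 * 365 * 86400, clock=lambda: now[0])
    msg = b"Constructed sample: client instruction, ticket 1234"  # constructed input
    out = {"digest": archive.store("msg-0001", msg, actor="ingest-svc")}
    out["clean"] = archive.reconcile() == []
    for attempt, fn in (("overwrite", lambda: archive.store("msg-0001", b"edited", "reviewer")),
                        ("early_delete", lambda: archive.delete("msg-0001", "reviewer"))):
        try:
            fn()
            out[attempt] = "allowed"
        except WormViolation:
            out[attempt] = "refused"
    # An attacker or bug bypassing the API and editing stored bytes in place.
    archive._objects["msg-0001"].content = b"edited behind the API"
    out["tamper_detected"] = any("no longer matches" in p for p in archive.reconcile())
    # Rewriting a field of an existing audit entry breaks the hash chain.
    archive._audit[0]["actor"] = "someone-else"
    out["log_tamper_detected"] = any("audit chain broken" in p for p in archive.reconcile())
    now[0] += 7 * 365 * 86400  # past retention; deletion is now permitted and logged
    archive.delete("msg-0001", "retention-job")
    out["deleted_after_retention"] = "msg-0001" not in archive._objects
    return out
```

The point of the reconciliation step is that it does not trust the archive's own bookkeeping: it recomputes digests from the bytes on disk and re-derives the chain, so an in-place edit that leaves the stored digest untouched is still caught. A production system would anchor the latest entry hash somewhere the archive operator cannot rewrite (for example, an external timestamping service or a second party's ledger), since a hash chain alone only proves that history was not edited after the last anchored point.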

Customer information protection

Smarsh implements layered controls to protect against unauthorized access to or use of customer information. These include policies that prohibit client data from being stored, processed, or transmitted on Smarsh's own corporate (non-production) IT systems.

Only authorized Smarsh employees have access to production systems. Smarsh maintains an information security program with administrative, technical, and physical safeguards designed to protect the security and confidentiality of all information processed or stored on behalf of clients, to guard against anticipated threats or hazards to its security or integrity, and to prevent unauthorized access or use.

Audited security controls

Smarsh security protocols and practices are evaluated through annual independent third-party audits, including SOC 2 audits, and quarterly internal security audits conducted by the information security team. Penetration tests are performed annually, and vulnerability scanning occurs weekly.

These evaluations verify that controls are effective against the threats they are meant to address. Smarsh secures its cloud services, websites, and private applications with controls including:

  • Zero Trust Network Access (ZTNA)
  • SentinelOne endpoint detection and response
  • DNSSEC
  • SIEM agents
  • Data loss prevention (DLP)
  • Netskope cloud access security

Beyond compliance, Smarsh unifies protection across email, collaboration platforms, voice, social, and generative AI tools. By creating a single system of record, firms can better identify, manage, and mitigate risks across the full spectrum of cybersecurity, privacy, IP, and regulatory challenges.
