832-304-1850

Texas Compliance and Cybersecurity for RIAs and Financial Advisors

Your SEC obligations, the FTC Safeguards Rule, and Texas’s newer requirements have stopped being separate problems — they’re one written program, and the proof it holds up under examination. Briggs IT helps Texas advisory firms understand what’s required and build the documentation that stands when someone asks to see it.

The regulatory stack

got heavier. And it’s already in effect.

The SEC’s Regulation S-P amendments are now in force for advisory firms of every size — including the smaller-firm deadline that has already passed. That means a written incident response program, customer notification within a set window after a breach of sensitive customer information, and updated safeguards policies aren’t on the horizon. They’re expected of your firm today. Layered on top is the FTC Safeguards Rule, in effect since 2023, with its own breach-notice obligations and a designated person responsible for the security program.

Texas added two more pieces. The Texas Responsible AI Governance Act (TRAIGA) — the state’s AI governance law, effective at the start of 2026 — creates obligations for any firm using AI tools in client communications, portfolio analysis, or marketing. And Texas Senate Bill 2610 (SB 2610) offers the other side of the coin: an affirmative safe harbor against punitive damages for a firm under the employee threshold that has the right program documented at the time of a breach. Taken together, the question isn’t whether these reach your firm. It’s whether you can show, in writing, that you’ve answered them.

What an advisory firm

actually needs

A defensible program is a set of pieces that work together — and, just as important, the written evidence that each one exists. For most advisory firms, that looks like things such as:
The point isn’t to assemble all of this the week before an examination. It’s to have it already in place, documented, and ready to hand over — so an exam is a file you pull, not a fire you fight.

What happens when

the SEC shows up

A cybersecurity-focused examination tends to ask for the same things: your Written Information Security Program, your risk assessments and incident response plan, evidence that staff completed annual training, your vendor oversight documentation, and proof that multi-factor authentication is actually enforced. A firm that’s ready opens the file and hands it over. A firm that isn’t spends the next several weeks assembling it under pressure — and examiners notice the difference.

Briggs IT can’t rewrite your history — no one can produce records for assessments that never happened. What we can do is start building the record properly from day one, and keep it current, so that the history accumulates as we go. The firm that begins now is the firm that, a year or two from now, simply pulls the file when a request arrives — because the documentation has been growing the whole time, dated and real. The goal is steady, in the background, so the answer is “here it is,” not “give us three weeks.”

The two things every advisory

firm says first

“Our custodian handles our cybersecurity.”

Your custodian protects their own systems — not yours. The workstations your team works on, the email you send client communications through, the system where client records live, the cloud storage holding financial plans: all of that is the firm’s responsibility, not the custodian’s. Regulation S-P applies to the adviser, not to the institution that holds the assets. When an examiner asks to see your program, “our custodian handles it” is not an answer that protects you.

“We’re a small firm.”

The smaller-firm provision in Regulation S-P extended the deadline — it never granted an exemption. Smaller advisers still have to comply; they were simply given more time to get there, and that time is now up. Size changes the calendar. It does not change the obligation. A smaller firm is held to the same standard — and is often the firm least prepared to meet it on short notice.

See where your firm stands

The Compliance Readiness Review is a working session built for advisory firms. We walk through where your firm sits against Regulation S-P, the FTC Safeguards Rule, and Texas Senate Bill 2610. Afterward, once we’ve worked through what we found, you get a written gap report — the specific documentation, policies, and controls you’re missing, in plain English. No sales pressure. The report is yours to keep, whether or not you ever hire Briggs IT.