
🇺🇸 SEC (U.S. Securities and Exchange Commission)
- Rule 206(4)-7 (Advisers Act Compliance Rule)
  Requires investment advisers to adopt and implement written policies and procedures to prevent violations of securities laws. Policies must include monitoring, logging, and documented incident response.
- Regulation S-P (Privacy of Consumer Financial Information)
  Mandates safeguards for protecting customer records and information, including continuous monitoring of networks and access.
- Regulation S-ID (Identity Theft Red Flags Rule)
  Requires detection of suspicious activities or potential identity theft — supports the need for robust evidence trails.

🇺🇸 FINRA (Financial Industry Regulatory Authority)
- Rule 3110 (Supervision)
  Requires member firms to establish and maintain supervisory systems designed to comply with applicable securities laws and regulations — this includes monitoring systems and keeping records.
- Rule 4511 (Books and Records)
  Firms must make and preserve books and records, including electronic communications and logs, for specified periods.

🇺🇸 NIST SP 800-53 & 800-171 (Recommended for federal contractors and firms handling federal data)
- AU-2 (Audit Events) and AU-6 (Audit Review, Analysis, and Reporting)
  Require continuous monitoring and audit trails to detect and respond to security events.

GDPR (General Data Protection Regulation) — if handling EU data
- Article 32 & Article 33
  Require security monitoring and the ability to demonstrate protection of personal data, including logs and incident evidence.

🇨🇦 PIPEDA (Canada) & Similar Privacy Laws
- Require organizations to protect personal information, maintain safeguards, and be able to demonstrate compliance (which includes having audit-ready evidence).

GLBA (Gramm-Leach-Bliley Act) — if applicable (U.S.)
- Safeguards Rule
  Requires financial institutions to develop, implement, and maintain a comprehensive information security program, including logging and monitoring access to customer information.
