Regulation P is a relatively unimportant regulation driven by the one time distribution of a disclosure. Any policy for that topic alone would be verbose once you passed the second paragraph; i.e. it is unnecessary.
The broader topic of "Privacy" would incorporate information security and all other ways that banks can hemorrhage customer information. It would be a double edged sword; i.e. you could make a grandiose statement that could be used against you in the wrong situation. Write it if you need it, but don't over promise.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.