Regulation P is a relatively unimportant regulation driven by the one-time distribution of a disclosure. Any policy for that topic alone would be verbose once you passed the second paragraph; i.e., it is unnecessary.
The broader topic of "Privacy" would incorporate information security and all other ways that banks can hemorrhage customer information. It would be a double-edged sword; i.e., you could make a grandiose statement that could be used against you in the wrong situation. Write it if you need it, but don't overpromise.
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.