Whether you're an RIA, broker-dealer, hedge fund, or family office, MTradecraft builds the cybersecurity compliance program your SEC or FINRA examiner, your insurance carrier, and your institutional investors expect to see — and maintains it year-round.
Independent by design: no resale, no commissions, no vendor bias.
Practical knowledge, transferred with precision.
For firms with a CCO and an outsourced IT provider but no internal cybersecurity function. MTradecraft becomes that function — and every deliverable maps to the rule an examiner will cite.
Two engagements — $36,000 or $72,000 per year, flat fee.
Compare the EngagementsFor firms that handle compliance in-house. The working materials from our consulting practice, self-serve — the same documents and tools we deliver in paid engagements.
Free tier, no card required. Premium $2,500 per year.
See What's IncludedMost firms come to us for one of two reasons — an upcoming SEC examination, or a request from their cyber insurance carrier, a custodian, or an institutional DDQ they cannot answer with what they currently have on file. Both engagements are built to close that gap and keep it closed.
A full cybersecurity compliance program operated on an annual cadence. Quarterly attack surface assessments, documented policy and procedure updates, vendor oversight, and exam-ready evidence retention. Built for firms that have a CCO and an outsourced IT provider but no internal cybersecurity function.
Everything in the Cyber Compliance Consultant program, plus a named Chief Information Security Officer for your firm. Used by firms whose insurance carriers, prime brokers, or institutional investors require a named CISO on the cybersecurity governance chart.
Not every firm is ready for a full engagement. BrainTrust Premium gives CCOs and IT managers a working Reg S-P vendor due-diligence portal — 600+ of the vendors RIAs actually use, with high-sensitivity providers researched and cited — alongside automated FieldCraft employee training and the cybersecurity policy, framework, and template library we use in our own consulting engagements.
The free tier includes five working resources — the Securing Compliance report, the SEC exam preparedness brief, the document review matrix, and our posts — no payment required. Premium ($2,500 a year) unlocks everything: the full vendor evidence database, training for up to 50 users, 60+ editable policies and frameworks, the AI governance kit, and two interactive tools — the Incident Response Plan Builder and the live-incident Incident Response Assistant — plus email support from MTradecraft on cybersecurity compliance questions.
The actual pressure on a firm's cybersecurity program comes from five places, and they are the five things our engagements are designed to answer for:
Renewal applications now run 40 to 80 questions on access controls, MFA coverage, backup posture, incident response procedures, and named security leadership. The answers determine whether a firm gets coverage, what it pays, and what is excluded.
Every major custodian runs an annual cybersecurity attestation. Prime brokers and fund administrators ask the same questions in a different format. None of them accept "we use a good MSP" as an answer.
Pension consultants, endowment investment offices, and fund-of-funds now ask about CISO designation, third-party penetration testing, and tabletop exercise cadence in their standard due diligence questionnaires. A weak answer here costs allocations.
Examiners ask for the firm's cybersecurity policies, the most recent annual review under Rule 206(4)-7, and the evidence file showing the policies were actually implemented and tested. Firms without documentation written by a knowledgeable party fail this test.
The firm's clients assume the firm they hired is operating like Fort Knox. When a client picks up the phone and asks how their data is protected, what the firm did when a breach was reported in the news, or what happens to their account if the firm's email is compromised — the answer has to be specific, accurate, and unrehearsed. Vague reassurances cost trust on the first call and assets under management on the second. A documented program is the only way to answer those questions consistently across every person at the firm who might take them.
Most calls start with a specific trigger — an upcoming examination, an insurance renewal, a DDQ response, or a custodian attestation. Tell us what's driving the timing and we'll tell you honestly whether we can help.
Click here to start a conversation →Not ready for an engagement? The BrainTrust starts free →