Cybersecurity Compliance · RIAs · Broker-Dealers · Funds · Family Offices

Built for the exam.
Maintained year-round.

Whether you're an RIA, broker-dealer, hedge fund, or family office, MTradecraft builds the cybersecurity compliance program your SEC or FINRA examiner, your insurance carrier, and your institutional investors expect to see — and maintains it year-round.

Independent by design: no resale, no commissions, no vendor bias.
Practical knowledge, transferred with precision.

Every recommendation maps to a rule
  • Rule 206(4)-7
  • Reg S-P
  • Reg S-ID
  • Rule 204-2
Work With Us

We build and operate your program.

For firms with a CCO and an outsourced IT provider but no internal cybersecurity function. MTradecraft becomes that function — and every deliverable maps to the rule an examiner will cite.

  • Recurring external attack surface assessments with documented, prioritized findings
  • Microsoft 365 / Azure configuration drift reporting
  • Policy and procedure refresh, vendor due diligence, annual review support
  • An exam-ready evidence file maintained year-round
  • A named CISO for Form ADV, DDQs, and carrier applications (Remote CISO tier)

Two engagements — $36,000 or $72,000 per year, flat fee.

Compare the Engagements
Work From Our Playbook

The BrainTrust Membership

For firms that handle compliance in-house. The working materials from our consulting practice, self-serve — the same documents and tools we deliver in paid engagements.

  • Reg S-P vendor due-diligence portal — 600+ vendors, researched and cited
  • 60+ editable policies, frameworks, and templates
  • FieldCraft employee security training for up to 50 users
  • Incident Response Plan Builder and live-incident Assistant
  • Email support from MTradecraft on compliance questions

Free tier, no card required. Premium $2,500 per year.

See What's Included
Engagements

Two tiers. One discipline.

Most firms come to us for one of two reasons — an upcoming SEC examination, or a request from their cyber insurance carrier, a custodian, or an institutional DDQ they cannot answer with what they currently have on file. Both engagements are built to close that gap and keep it closed.

Tier One

Cyber Compliance Consultant

$36,000 per year

A full cybersecurity compliance program operated on an annual cadence. Quarterly attack surface assessments, documented policy and procedure updates, vendor oversight, and exam-ready evidence retention. Built for firms that have a CCO and an outsourced IT provider but no internal cybersecurity function.

  • Quarterly external attack surface assessment with documented findings
  • Monthly Microsoft 365 / Azure configuration drift report
  • Continuous breach and credential exposure monitoring
  • Annual cybersecurity policy and procedure refresh
  • Vendor due diligence questionnaire administration and review
  • Year-round evidence file maintained for SEC examination
  • One advisory call per quarter · five-business-day response
Full Scope
The BrainTrust — Self-Serve Membership

Vet your vendors, train your staff, document your program — without a full engagement.

Not every firm is ready for a full engagement. BrainTrust Premium gives CCOs and IT managers a working Reg S-P vendor due-diligence portal — 600+ of the vendors RIAs actually use, with high-sensitivity providers researched and cited — alongside automated FieldCraft employee training and the cybersecurity policy, framework, and template library we use in our own consulting engagements.

The free tier includes five working resources — the Securing Compliance report, the SEC exam preparedness brief, the document review matrix, and our posts — no payment required. Premium ($2,500 a year) unlocks everything: the full vendor evidence database, training for up to 50 users, 60+ editable policies and frameworks, the AI governance kit, and two interactive tools — the Incident Response Plan Builder and the live-incident Incident Response Assistant — plus email support from MTradecraft on cybersecurity compliance questions.

Premium Membership
$2,500 per year
  • Reg S-P vendor due-diligence portal — 600+ vendors
  • FieldCraft employee training — up to 50 users
  • Incident Response Plan Builder
  • Incident Response Assistant — live-incident guidance & record
  • Full policy, framework & template library — 60+ documents
  • AI governance kit — framework, workbook & validation tools
  • Email support on compliance questions
What Drives Cybersecurity Compliance

Five parties write the test.

The actual pressure on a firm's cybersecurity program comes from five places, and they are the five things our engagements are designed to answer for:

Driver 01

Cyber insurance carriers

Renewal applications now run 40 to 80 questions on access controls, MFA coverage, backup posture, incident response procedures, and named security leadership. The answers determine whether a firm gets coverage, what it pays, and what is excluded.

Driver 02

Custodians and prime brokers

Every major custodian runs an annual cybersecurity attestation. Prime brokers and fund administrators ask the same questions in a different format. None of them accept "we use a good MSP" as an answer.

Driver 03

Institutional DDQs

Pension consultants, endowment investment offices, and fund-of-funds now ask about CISO designation, third-party penetration testing, and tabletop exercise cadence in their standard due diligence questionnaires. A weak answer here costs allocations.

Driver 04

SEC Division of Examinations

Examiners ask for the firm's cybersecurity policies, the most recent annual review under Rule 206(4)-7, and the evidence file showing the policies were actually implemented and tested. Firms without documentation written by a knowledgeable party fail this test.

Driver 05 — The One That Matters Most

The firm's own clients

The firm's clients assume the firm they hired is operating like Fort Knox. When a client picks up the phone and asks how their data is protected, what the firm did when a breach was reported in the news, or what happens to their account if the firm's email is compromised — the answer has to be specific, accurate, and unrehearsed. Vague reassurances cost trust on the first call and assets under management on the second. A documented program is the only way to answer those questions consistently across every person at the firm who might take them.

Book a Call

Twenty minutes is enough to know whether we're the right firm for what you need — before any commitment.

Most calls start with a specific trigger — an upcoming examination, an insurance renewal, a DDQ response, or a custodian attestation. Tell us what's driving the timing and we'll tell you honestly whether we can help.

Click here to start a conversation →

Not ready for an engagement? The BrainTrust starts free →