Whether you're an RIA, broker-dealer, hedge fund, or family office, MTradecraft builds the cybersecurity compliance program your SEC or FINRA examiner, your insurance carrier, and your institutional investors expect to see — and maintains it year-round.
Independent by design: no resale, no commissions, no vendor bias.
Practical knowledge, transferred with precision.
External and internal assessment establishes what is actually deployed — and where your documentation diverges from your environment.
We build the program — WISP, incident response, vendor file, policies — every document mapped to the rule that requires it.
Quarterly testing, evidence collection, and updates keep the file current — so the exam notice is an administrative event, not an emergency.
Most firms come to us for one of two reasons — an upcoming SEC examination, or a request from their cyber insurance carrier, a custodian, or an institutional DDQ they cannot answer with what they currently have on file. Both engagements are built to close that gap and keep it closed.
A full cybersecurity compliance program operated on an annual cadence. Quarterly attack surface assessments, documented policy and procedure updates, vendor oversight, and exam-ready evidence retention. Built for firms that have a CCO and an outsourced IT provider but no internal cybersecurity function.
Everything in the Cyber Compliance Consultant program, plus a named Chief Information Security Officer for your firm. Used by firms whose insurance carriers, prime brokers, or institutional investors require a named CISO on the cybersecurity governance chart.
Not every firm is ready for a full engagement. BrainTrust Premium gives CCOs and IT managers a working Reg S-P vendor due-diligence portal — 600+ of the vendors RIAs actually use, with high-sensitivity providers researched and cited — alongside automated FieldCraft employee training and the cybersecurity policy, framework, and template library we use in our own consulting engagements.
Free tier includes the Securing Compliance report and our posts. Premium ($2,500 a year) unlocks everything — the full vendor evidence database, training for up to 50 users, 60+ editable policies and frameworks, the AI governance kit, and interactive tools like the Reg S-P Incident Response Plan Builder — plus email support from MTradecraft on cybersecurity compliance questions.
The actual pressure on a firm's cybersecurity program comes from five places, and they are the five things our engagements are designed to answer:
Renewal applications now run 40 to 80 questions on access controls, MFA coverage, backup posture, incident response procedures, and named security leadership. The answers determine whether a firm gets coverage, what it pays, and what is excluded.
Every major custodian runs an annual cybersecurity attestation. Prime brokers and fund administrators ask the same questions in a different format. None of them accept "we use a good MSP" as an answer.
Pension consultants, endowment investment offices, and fund-of-funds now ask about CISO designation, third-party penetration testing, and tabletop exercise cadence in their standard due diligence questionnaires. A weak answer here costs allocations.
Examiners ask for the firm's cybersecurity policies, the most recent annual review under Rule 206(4)-7, and the evidence file showing the policies were actually implemented and tested. Firms without documentation written by a knowledgeable party fail this test.
The firm's clients assume the firm they hired is operating like Fort Knox. When a client picks up the phone and asks how their data is protected, what the firm did when a breach was reported in the news, or what happens to their account if the firm's email is compromised — the answer has to be specific, accurate, and unrehearsed. Vague reassurances cost trust on the first call and assets under management on the second. A documented program is the only way to answer those questions consistently across every person at the firm who might take them.
Most calls start with a specific trigger — an upcoming examination, an insurance renewal, a DDQ response, or a custodian attestation. Tell us what's driving the timing and we'll tell you honestly whether we can help.