A New York City-based registered investment adviser — 4 principals and 12 support staff managing over $450 million in client assets, with SEC cybersecurity rule obligations and growing institutional client expectations.
Security vulnerabilities closed within the first 30 days of engagement
SEC cybersecurity rule compliance controls implemented
Staff enrolled in security awareness training with phishing simulation
In breach-related costs or business disruption since engagement began
THE CHALLENGE
The firm operated with competent financial professionals who understood risk in client portfolios far better than they understood the risks inside their own IT environment. None of the principals used MFA. Client data — including account statements, tax documents, and private communications — was stored in a shared drive with no access controls distinguishing what advisers could see from what support staff could access. Endpoint protection was a commercial antivirus product that hadn’t been updated in 14 months.
When the SEC finalized its cybersecurity risk management rules for registered investment advisers, the compliance burden landed squarely on the firm’s principals. Their cyber insurance renewal was also approaching, and the underwriter’s questionnaire was something the firm’s COO described as “something none of us can answer honestly right now.” The gap between what they had and what they needed to document was significant — and the timeline was not.
WHAT SOLVED IT DID
Cybersecurity Assessment & MFA Rollout
We started with a full security assessment — mapped every asset, reviewed access controls, tested email security, and documented findings against the SEC’s cybersecurity rule framework. MFA was enforced across all 16 user accounts within the first week. No exceptions, no bypass accounts.
Endpoint Protection & MDR
The outdated antivirus was replaced with Microsoft Defender for Business backed by MDR — providing 24/7 threat detection with documented response procedures that satisfy SEC incident response requirements.
Access Controls & Data Classification
File storage was restructured with role-based access controls. Principals, advisers, and support staff operate in properly scoped environments governed by a documented data classification policy — aligned with both SEC requirements and cyber insurance underwriting expectations.
WISP, Incident Response & Insurance
We built the firm’s written information security program (WISP) and incident response plan from scratch to satisfy SEC rule requirements. A phishing simulation identified three staff members who then completed targeted security awareness training. We supported the insurance renewal with a completed security assessment summary, resulting in broader coverage at a favorable rate.

The Results
- MFA enforced across all 16 user accounts — completed in week one of engagement
- Endpoint protection upgraded to MDR-backed Microsoft Defender for Business
- Role-based file access controls and documented data classification policy in place
- Written information security program (WISP) and incident response plan completed per SEC rule
- Phishing simulation completed — 3 staff received targeted security awareness training
- Cyber insurance renewed with broader coverage after security assessment documentation submitted