A Really, Really, Ridiculously Super Helpful Video on Understanding SEC Cyber Compliance Good.

Please forgive the terrible Zoolander references in our marketing. Hopefully, you are here for cybersecurity compliance advice, and not marketing advice.

With that said….

We’re excited to present our newest YouTube video titled “A Really, Really, Ridiculously Super-Helpful Video for SEC Executives Who Don’t Understand Cybersecurity So Good”.

We Cover:

  • What the SEC expects you to know
  • The vital role of cybersecurity in today’s digital age
    • Unveiling how “Cybersecurity Compliance Rules are IN the regulations”
    • Effective strategies for managing cyber risk while striving to comply with SEC regulations
    • Tips and Tricks on how to manage your SEC cybersecurity compliance program
    • Rule 206(4)-9 and practical ways to tackle the new cyber regulations

And that’s just scratching the surface! Join us for an insightful video that goes beyond being really, really, ridiculously good-looking—maybe there’s more to life in the world of cybersecurity compliance. Let’s navigate this complex terrain together and emerge better equipped.

Navigating Cybersecurity Compliance in 2024: Trends, Threats, and Strategic Responses for SEC-Registered Firms

The cybersecurity landscape is a dynamic one, constantly evolving with new challenges and threats that specifically impact SEC-registered firms.

In this video, we offer an in-depth analysis of the cybersecurity trends that are shaping 2024. We explore the rise in zero-day vulnerabilities, the profound effects of generative AI on email security, and the escalating significance of IoT security.

Our panel of unbiased experts, equipped with technical insights, delves into these trends and translates them into concrete threats for SEC-registered firms. They navigate the intricacies of the changing regulatory environment, pinpoint emerging attack vectors, and provide strategic guidance to mitigate these risks.

A key aspect of our discussion is the SEC's proposed Rule 206(4)-9 cybersecurity regulations. We dissect these regulations, offering practical advice to ensure your firm remains compliant while concurrently strengthening its cybersecurity posture.

The objective of this video is to arm you with actionable knowledge that can shape your firm’s cyber risk management strategy. By harnessing our professional and informative approach, we aim to leave you with a lucid understanding of the cybersecurity landscape in 2024 and effective strategies to navigate it.

Don’t let your firm fall behind in the ever-changing realm of cybersecurity. Update your cybersecurity knowledge and prep your firm for the future by watching this video now. Remember to subscribe to our channel for more unbiased, technical, and beneficial cybersecurity content.

The Cybersecurity Liability of the CCOs and other Executives of SEC Registered Firms

In this video, we scrutinize the prevalent cybersecurity shortcomings in the SEC RIA CCO community and dissect the potential legal exposure they create.

In light of the SEC's recent decision to charge SolarWinds and its CISO following a high-profile breach, comprehending the intricacies of the cybersecurity terrain and the accompanying responsibilities has never been more imperative.

We will shed light on the pervasive lapses we have identified across a majority of SEC RIA CCOs. Our expert analysis will offer unbiased guidance on how these pitfalls can be circumvented.

As we navigate an era characterized by escalating cybersecurity incursions and heightened SEC enforcement—which can result in substantial penalties and damage to reputation—our webinar offers an essential opportunity. It equips your organization with the vital knowledge required to steer clear of such risks and potential litigation.

Beyond Compliance: Enhancing Cybersecurity with SEC Rule 206(4)-9 – A Webinar by MTradecraft

This informative video provides Registered Investment Advisers (RIAs) with professional advice on navigating the complex landscape of cybersecurity compliance.

In this webinar, we explore how SEC Rule 206(4)-9 is not just a regulatory hurdle, but an opportunity to strengthen your firm’s cybersecurity practices. We offer clear, concise, and unbiased guidance on overcoming operational challenges, developing effective compliance strategies, and leveraging regulatory requirements to enhance your firm’s cybersecurity standing.

This video is more than a guide to SEC cybersecurity compliance – it’s about transforming regulatory obligations into strategic advantages. By staying informed and compliant, your firm can stay ahead in the face of cyber threats.

Stay ahead with MTradecraft. Subscribe to our channel for more insights into intelligence and cybersecurity consulting.

The CRVT Report

The CRVT Report – Cybersecurity Risk, Vulnerability, and Threat Assessments for SEC Registered Firms

These are comprehensive cybersecurity threat and risk assessment reports tailored specifically to SEC registered investment advisory firms. They delve deep into the intricate landscape of digital threats, providing a thorough analysis of vulnerabilities, potential risks, and recommended mitigation strategies.

Compliance 101: A Guide to Mastering the new SEC Cybersecurity Regulations; 206(4)-9

Are you a Registered Investment Adviser (RIA) concerned about how to comply with the new SEC 206(4)-9 Cybersecurity regulations?

Don’t worry, MTradecraft has you covered! Learn more in our latest video.

Our team of experts will explain the operational challenges posed by the new regulation and show you how MTradecraft can help ensure your RIA is compliant with these tough new rules.

Watch now and get ahead of the game when it comes to meeting SEC cybersecurity requirements.

Policies and Procedures Manuals for SEC Registered Firms

In this video, we will discuss the essential items that the SEC expects to see covered in your policies and procedures manual for SEC registered firms.

One crucial aspect that the commission looks for is how you manage user access rights. Employees should have access only to the systems and data their specific role requires (least privilege), and those rights should be reviewed when roles change and revoked when people leave. This limits what a compromised or careless account can reach and maintains data integrity.

Protecting sensitive information is another critical factor that the SEC focuses on.

Threat and vulnerability management is also an area of interest for the SEC, as is incident response: you need a documented, tested plan to respond to and recover from cyber events such as attacks and prolonged internet outages.

In addition, it is important to include your annual risk and threat assessment reports, providing a comprehensive overview of potential risks and threats faced by your firm. Furthermore, outlining an employee cybersecurity training program is paramount. If you do not already have a program in place, we highly recommend considering our training program called Fieldcraft. It can be set up in less than 10 minutes and is available for free for firms with less than 10 employees.

By addressing these points in your policies and procedures manual, you will demonstrate your commitment to regulatory compliance and strengthen your firm’s cybersecurity posture.

How to Prevent Hackers From Spoofing Your Email

In this comprehensive tutorial, we’ll empower you with the knowledge and tools to protect yourself and your organization against email spoofing attacks. Email spoofing can lead to phishing scams, data breaches, and compromised security. But fear not, as we unravel the mystery behind SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records.

Join us as we delve into the fundamental concepts of these email authentication protocols and demonstrate step-by-step how to implement them effectively. Discover how SPF lets your domain publish which servers may send mail on its behalf (receivers check the connecting IP against that list for the envelope sender domain), how DKIM adds a cryptographic signature to your outgoing emails that receivers verify against a public key you publish in DNS, and how DMARC ties both checks to the visible From: address and tells receivers what to do with mail that fails.

By following this video tutorial, you'll learn how to set up SPF, DKIM, and DMARC records in your DNS settings, so that receivers that enforce DMARC can reject mail that claims to come from your domain but was not sent by your servers. Be clear about what this does and does not cover: SPF on its own checks the envelope sender, not the From: header a user sees, so an attacker can pass SPF on a domain they control while displaying yours; DMARC alignment closes that gap, but only for your exact domain (not look-alike domains) and only at receivers that honour your policy. Start with p=none and a rua reporting address, review the reports for legitimate senders you missed, then move to quarantine and finally reject. Gain the confidence to detect and prevent malicious emails from infiltrating your inbox or deceiving your recipients.
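As an added example (not code from the page or from MTradecraft), here is an offline model of the two checks described above: SPF evaluation of a sending IP against a DNS zone, and DMARC alignment of the SPF/DKIM result with the From: domain. ZONE and every domain name and address in it are constructed (RFC 2606 / RFC 5737 / RFC 3849 reserved values), DKIM is represented by a (signing domain, verified) pair rather than re-implemented, and only the ip4, ip6, include and all SPF mechanisms are handled. The attacker case shows the point that matters: SPF passes for the attacker's own domain, and only DMARC alignment turns that into a rejection.

```python
"""Offline model of SPF evaluation and DMARC alignment.

Added example, not code from the page or from MTradecraft. ZONE is a
constructed stand-in for DNS (reserved example names and addresses);
DKIM is modelled as a (signing_domain, verified) pair rather than
re-implemented. Only the ip4/ip6/include/all SPF mechanisms are handled.
"""
import ipaddress

ZONE = {  # domain -> TXT record (constructed)
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "bounce.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",   # attacker's own, perfectly valid SPF
    "weak.example": "v=spf1 ip4:203.0.113.0/24 ~all",     # softfail only, and no _dmarc record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_check(domain, ip, zone=ZONE, _lookups=None):
    """SPF result for `ip` sending with MAIL FROM / HELO domain `domain`."""
    lookups = _lookups if _lookups is not None else [0]
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):  # False across v4/v6
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = spf_check(arg, ip, zone, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
            if sub == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def parse_dmarc(from_domain, zone=ZONE):
    """Tag dictionary from the _dmarc TXT record, or None if no valid record."""
    record = zone.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    """Simplified organizational domain (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, client_ip,
                   dkim_domain=None, dkim_verified=False, zone=ZONE):
    """Return (dmarc_result, requested_disposition) for one inbound message."""
    policy = parse_dmarc(from_domain, zone)
    if policy is None:
        return "none", "none"  # no instruction for the receiver; SPF softfail is all it has
    spf_aligned = (spf_check(mail_from_domain, client_ip, zone) == "pass"
                   and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_aligned = (dkim_verified and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", policy.get("p", "none")


if __name__ == "__main__":
    cases = {
        "legit, own relay": dmarc_evaluate("example.com", "example.com", "203.0.113.7"),
        "legit, bounce subdomain (aspf=r)": dmarc_evaluate("example.com", "bounce.example.com", "203.0.113.7"),
        "spoof, attacker SPF passes but unaligned": dmarc_evaluate("example.com", "attacker.example", "192.0.2.9"),
        "spoof, DKIM on subdomain vs adkim=s": dmarc_evaluate(
            "example.com", "attacker.example", "192.0.2.9", dkim_domain="mail.example.com", dkim_verified=True),
        "weak domain, no DMARC": dmarc_evaluate("weak.example", "attacker.example", "192.0.2.9"),
    }
    for label, (result, disposition) in cases.items():
        print(f"{label}: result={result} disposition={disposition}")
```

Compare the "attacker SPF passes but unaligned" case with the "weak domain, no DMARC" case when you run it: the first is rejected because the policy says p=reject, the second produces no verdict at all, so the receiver is left with an SPF softfail and its own heuristics.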

Don’t let email spoofing compromise your security. Watch this video now and take control of your email authentication to safeguard yourself, your organization, and your valuable information. Stay one step ahead of cyber threats with SPF, DKIM, and DMARC – the powerful trio that secures your email communications.

Don’t forget to like, share, and subscribe to our channel for more informative videos on cybersecurity and protecting your digital assets.

How to Conduct Vendor Due Diligence

In this Vendor Due Diligence video, we share the essential questions you need to ask vendors to ensure the security of your sensitive data. Protecting your information is crucial in today’s digital landscape, and it’s important to select vendors with robust security controls in place.

In this video, we cover topics such as:

Security controls for protecting sensitive data

Certifications and accreditation for information security

Employee training on security best practices

Security measures for detecting and responding to incidents

Incident response plans and speed of response to breaches

Third-party security assessments and audits

Business continuity and disaster recovery plans

Access management and control of sensitive data

Data retention and destruction policies

By asking these questions, you can make informed decisions when selecting vendors and ensure the safety of your data.

Stay informed and safeguard your business by watching this Vendor Due Diligence video today! Don’t forget to like, share, and subscribe for more valuable insights in our series.

Preventing Cybersecurity Breaches: The Story of Sharon, an RIA Employee Who Lost $748MM in Client Assets to Hackers.

MTradecraft was recently hired to perform a penetration test against an RIA. Our top objective was to find any sensitive or leaked data from the company and assess whether an external attacker could access the portfolio management software (PMS). We also aimed to conduct a human risk assessment to evaluate the effectiveness of the firm's employee training program (there wasn't one) by attempting to trick the employees into compromising their firm.

If we had access to the PMS and the custodian's portal, we could potentially manipulate the trading and cashiering processes to transfer client assets into our own accounts. A situation no firm wants to face.

It should terrify you how easy it was for us to destroy this firm.

For this particular attack against Sharon, I had already located a username and password that one of the firm's employees used to access their custodian. The username and password I obtained had been mistakenly published on the firm's website because of a wrongly configured Office365 sharing setting. We discovered it using a set of "Google Dorks" (search-engine queries that surface indexed documents). The CEO had also been careless in not checking the "sharing" privileges for that specific document. This is a frequent problem, and in my experience I generally look for such misconfigured sensitive documents when running these types of engagements.

For this attack, I targeted “Sharon”. She caught my attention because she had identified herself as the “portfolio assistant” for the company on LinkedIn and was highly active on various social media platforms. Her PMS credentials were also on the document I was able to discover from my Google Dorks.

The company’s PMS requires 2-factor authentication for all users, which means that Sharon’s credentials are linked to a rotating 2-factor authentication code that I needed to obtain to access the PMS. Through phishing Sharon, I was able to gain access to the company’s PMS in less than a day. Please note that the names of the firm and employees have been altered or obscured to maintain confidentiality and to protect the guilty.

Call #1 – I dialed Sharon and said my name was Dave.

Dave: Hi Sharon – I am interested in opening an account with you folks. If I do, where do you keep my money?

Sharon: We use [REDACTED] as the custodian for our accounts.

Dave: Ah! [REDACTED]! I already have an account with them, so great. My current advisor uses them, so will it be an easy transition if I move my accounts? Since the accounts are already there, how do I switch them over to be managed by your firm?

Sharon: It is pretty easy. I will send you some paperwork to fill out and then I will fax those up to [REDACTED].

Dave: Excellent! And in the meantime, I can email you my PDF statement so that you can get the ball rolling with onboarding.

Note: Here, I am setting Sharon up to open a PDF containing key-logging malware that I will send her if I need to get access that way. At this point, I am still not sure how I am going to get into the system, so I am planting this seed. This is a great option, as I have yet to have a client not open a malicious PDF when they think inbound assets just fell into their lap.

Sharon: Sounds great. My email address is [***@***.com]

Dave: Great. I will send that over soon.

Now, I must do some more research to figure out how I will get in. So I call another advisor that is completely unrelated to the firm but that I have found uses the same custodian. I found them by researching the FOIA data that the SEC releases each quarter. The Form ADV data gives us significant and intimate insights into how a firm operates. We have covered why this is extremely problematic for registered firms in several videos that you can find on YouTube.

Call #2 –

I called [REDACTED], another firm that I found uses [REDACTED] as the custodian, so that I could get some background information on how [REDACTED] operates.

The phone was answered by a young lady named Allison. Judging from her LinkedIn profile, Allison was around 24-26 years old, a recent graduate working her first job as a trade desk assistant in NYC. She was a film school dropout and she frequently posted her critiques of movies on numerous social media platforms.

Dave: Hi Allison, you might not be the right person and I am sorry for the distraction, but I am hoping you can help me out for 5 minutes. I found you on LinkedIn and saw you went to film school, which is why I am reaching out. I am a movie director and I am working on a film and I am needing someone to interview for some background. The film involves an investment firm that experiences a cyber attack and loses the client's assets to North Korea. I need someone's expertise to make sure my movie fits the real-life scenario since I know very little about cybersecurity. I know you are very busy, but would you perhaps have a few minutes to answer some simple questions for my project?

Allison: Sure, I would love to help. What kinds of questions do you have?

Dave: Well, I know what it means to balance a portfolio. That means sometimes you have to sell some holdings and buy others to make the portfolio balance. I get that. But what I don't understand is HOW you make the trades in those portfolios.

Allison: Well…it's not that complicated….

(Allison goes on for 15 minutes telling me everything I need to know about how she uses [REDACTED]'s PMS. I made sure to avoid asking any personal or firm-related questions so as not to raise suspicion, and constantly referred back to the film production. I took detailed notes on the operations at [REDACTED] and then called Sharon back.)

Call #3 – I called Sharon once more. This time acting as Chris Johnson, a customer service rep from [REDACTED].

Chris: Hi Sharon – This is Chris Johnson with [REDACTED]. I am conducting a customer satisfaction survey and wanted to see if you had 4 minutes to answer some questions about your satisfaction with our service. We are sending all respondents a coupon for a free lunch at Chick-fil-A. Would it be OK if I ask you a few questions?

Sharon: Sure thing.

[Sharon was enthusiastic to help…and sounded excited about the break in her routine]

Chris: First off, I need to speak with someone who uses our system. Are you authorized to use the [REDACTED] PMS system?

Sharon: Yes.


-Okay, what hours are you guys in the office?

-How many employees dial into [REDACTED]?

-How often do you call us?

-Is there anyone, in particular, you like to talk to when you have service issues?

-Did we ever fail to meet your expectations?

-How is our response time to your issues?

-Do you have any suggestions on how we can improve?

[Sharon answers them all and is very pleasant and happy throughout.]

Chris: Thanks, Sharon. I really appreciate your help and your time. Let me save your answers in my survey and get that gift certificate over to you in an email. One second, please…

Chris: (Pausing….) Hmm…that is interesting. Are you sure you are an authorized employee on [REDACTED]'s PMS system? I don't see your name here.

[I asked in a puzzled/questioning way because victims are always happy to provide clarity or prove themselves right when challenged. It blinds them when you ask them to "prove" themselves]

Sharon: Yes, I am authorized on all accounts.

Chris: OK, that is strange because I don't see your name listed on the account.

Sharon: (acting somewhat insulted and annoyed) Well, there is something wrong there because I have been here for 7 years and call the [REDACTED] team every day; usually for several hours each day.

Chris: There is no doubt from me, Sharon. This is a frequent problem and one of the side reasons for my call. I want to make sure we have the most accurate records, so let me research and get that updated for you. Give me one second to get you added here. I am going to go and pull the physical paperwork from our archive and then get you added back in. I am so sorry for the inconvenience here.

Sharon: {laughs and sighs}

[I allow 45 seconds of no talking with lots of typing in the background. I have an extra loud mechanical keyboard that I use for this work to make sure the victim can hear. The overall goal here is to have Sharon swing from an agreeable state of mind, to a confrontational mindset, back to a passive mindset. Essentially, we want to wear her out mentally so that her guard goes down on this call.]

Chris: OK, I see your authorization paperwork right here. Sharon Smith, right? I found it. No problem. Let me get you added to the official record again. I'm not sure how it was removed because I see where you were authorized previously. Honestly, it may have been a mistake I made when I pulled your record up, so I am sorry for that. They call me "Fat fingers" with the way I accidentally delete records, so thanks for your patience on this.

[20 second pause]

Chris: OK, all set. Let me get your 2FA code set back up now. Can you please read me the current 6 digits from your 2FA device so that I can get that added back in and synced with the system?

Sharon reads the 2FA code as I act like I am typing it into my login screen.



Chris: This is Brian @ MTradecraft.

At that moment, I could sense Sharon became aware of the seriousness of the situation after a prolonged silence accompanied by a deep sigh indicative of her defeat and anxiety.

With that, the pentest was over and I had gained full control of the firm's $748MM portfolio in less than a day. Having that 2FA code allowed me to access the firm's PMS system and take a screenshot to prove I was there. Sharon was upset. She had just destroyed her employer.

Without proper cybersecurity threat training, this type of mistake happens frequently.

Background and Lessons here:

MTradecraft was hired to conduct a penetration test within a month’s timeframe, but the specific dates were not decided. Sharon initiated contact with MTradecraft to arrange an introductory call for the test, having also attended the initial meeting where it was specified that phishing tests would be carried out.

Sharon's advance warning and knowledge were not enough to prevent the compromise of the client's assets, as it was easy for someone to lift the 2FA code over the phone. She admitted that she did not anticipate the attack and did not suspect anything during the phone call.

Two things ultimately led to this epic and devastating compromise:

  • The CCO had previously made a mistake and accidentally publicly published sensitive information using the “Share” features found within Office365. That led to the discovery of Sharon’s login and password information using a series of intelligence-gathering techniques known as “Google Dorks”
  • Sharon did not follow basic cyber security hygiene that should be covered in the employee’s cybersecurity awareness training program. Sharon did not follow the basic principle of never giving your 2FA code to anyone. There is never an exception to this rule. Period.
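As an added example (not from the page or from MTradecraft's own tooling), here is the RFC 6238 arithmetic behind that rule, paired with a server-side verifier of the kind most PMS vendors run. SECRET is the RFC 6238 Appendix B test key and the timestamps are constructed. It shows that a code read out at t=1000 still logs the caller in 45 seconds later, that single-use enforcement only stops a replay after the attacker has already consumed the code, and that the exposure window is the whole 30-second step plus whatever skew the server allows, so nothing on the server side protects a code that has been handed to a stranger before its owner uses it.

```python
"""TOTP (RFC 6238) with a server-side verifier, to show why a code read
aloud over the phone is a live credential.

Added example, not code from the page or from MTradecraft. SECRET is the
RFC 6238 Appendix B test key (not a real enrollment) and the timestamps
in phone_scenario() are constructed.
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 6238 test key


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-SHA1 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """What the authenticator app displays at `unix_time`."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept the current step plus `skew` steps either side,
    and never accept a step that has already been used (RFC 6238 section 5.2)."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1

    def verify(self, code, unix_time):
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # single-use: this step was already consumed
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def seconds_of_exposure(unix_time, step=30, skew=1):
    """How long a code displayed at `unix_time` stays acceptable to a verifier with this skew."""
    counter = unix_time // step
    return (counter + skew + 1) * step - unix_time


def phone_scenario(secret=SECRET):
    """Caller obtains the code Sharon reads out at t=1000 and submits it later.

    Returns (attacker_logs_in, attacker_replays, code_after_window)."""
    server = TotpVerifier(secret)
    read_aloud = totp(secret, 1000)                        # step 33, displayed until t=1019
    attacker_logs_in = server.verify(read_aloud, 1045)     # step 34 now; 33 is inside the skew
    attacker_replays = server.verify(read_aloud, 1050)     # step 33 already consumed: rejected
    code_after_window = TotpVerifier(secret).verify(read_aloud, 1100)  # step 36; 33 out of range
    return attacker_logs_in, attacker_replays, code_after_window


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(SECRET, 59))
    print("code read at t=1000 is usable for", seconds_of_exposure(1000), "seconds")
    print("attacker logs in / replays / after window:", phone_scenario())
```

The verifier's single-use rule and narrow skew are worth having, but note what they do not do: the first use of the stolen code succeeds regardless, because the server cannot tell the attacker's login from Sharon's. That is why the training rule has to sit with the person holding the device.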