Compliance 101: A Guide to Mastering the new SEC Cybersecurity Regulations; 206(4)-9

Are you a Registered Investment Adviser (RIA) concerned about how to comply with the new SEC 206(4)-9 Cybersecurity regulations?

Don’t worry, MTradecraft has you covered! Learn more in our latest video.

Our team of experts will explain the operational challenges posed by the new regulation and show you how MTradecraft can help ensure your RIA is compliant with these tough new rules.

Watch now and get ahead of the game when it comes to meeting SEC cybersecurity requirements.

Policies and Procedures Manuals for SEC Registered Firms

In this video, we will discuss the essential items that the SEC expects to see covered in your policies and procedures manual for SEC registered firms.

One crucial aspect that the commission looks for is how you manage user access rights. It is vital to ensure that employees only have access to the systems they need to perform their specific roles. This prevents unauthorized access and maintains data integrity.

Protecting sensitive information is another critical factor that the SEC focuses on.

Cybersecurity and threat vulnerability management solutions are also areas of interest for the SEC. It is crucial to have a robust plan in place to respond to and recover from cyber events such as attacks and prolonged internet outages.

In addition, it is important to include your annual risk and threat assessment reports, providing a comprehensive overview of potential risks and threats faced by your firm. Furthermore, outlining an employee cybersecurity training program is paramount. If you do not already have a program in place, we highly recommend considering our training program called Fieldcraft. It can be set up in less than 10 minutes and is available for free for firms with fewer than 10 employees.

By addressing these points in your policies and procedures manual, you will demonstrate your commitment to regulatory compliance and strengthen your firm’s cybersecurity posture.

How to Prevent Hackers From Spoofing Your Email

In this comprehensive tutorial, we’ll empower you with the knowledge and tools to protect yourself and your organization against email spoofing attacks. Email spoofing can lead to phishing scams, data breaches, and compromised security. But fear not, as we unravel the mystery behind SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records.

Join us as we delve into the fundamental concepts of these email authentication protocols and demonstrate step-by-step how to implement them effectively. Discover how SPF validates the sender’s IP address, how DKIM adds a digital signature to your outgoing emails, and how DMARC combines both to provide a robust defense against spoofed emails.

By following this video tutorial, you’ll learn how to set up SPF, DKIM, and DMARC records in your DNS settings, ensuring that your emails are authenticated and protected from being spoofed. Gain the confidence to detect and prevent malicious emails from infiltrating your inbox or deceiving your recipients.

Don’t let email spoofing compromise your security. Watch this video now and take control of your email authentication to safeguard yourself, your organization, and your valuable information. Stay one step ahead of cyber threats with SPF, DKIM, and DMARC – the powerful trio that secures your email communications.

Don’t forget to like, share, and subscribe to our channel for more informative videos on cybersecurity and protecting your digital assets.

How to Conduct Vendor Due Diligence

In this Vendor Due Diligence video, we share the essential questions you need to ask vendors to ensure the security of your sensitive data. Protecting your information is crucial in today’s digital landscape, and it’s important to select vendors with robust security controls in place.

In this video, we cover topics such as:

Security controls for protecting sensitive data

Certifications and accreditation for information security

Employee training on security best practices

Security measures for detecting and responding to incidents

Incident response plans and speed of response to breaches

Third-party security assessments and audits

Business continuity and disaster recovery plans

Access management and control of sensitive data

Data retention and destruction policies

By asking these questions, you can make informed decisions when selecting vendors and ensure the safety of your data.

Stay informed and safeguard your business by watching this Vendor Due Diligence video today! Don’t forget to like, share, and subscribe for more valuable insights in our series.

Preventing Cybersecurity Breaches: The Story of Sharon, an RIA Employee Who Lost $748MM in Client Assets to Hackers.

MTradecraft was recently hired to perform a penetration test against an RIA. Our top objective was to find any sensitive or leaked data from the company and assess if an external attacker could access the portfolio management software (PMS). We also aimed to conduct a human risk assessment to evaluate the effectiveness of our employee training program (there wasn’t one) by attempting to trick the employees into compromising their firm.

If we have access to the PMS and the custodian’s portal, we could potentially manipulate the trading and the cashiering processes to transfer client assets into our own accounts. A situation no firm wants to face.

It should terrify you how easy it was for us to destroy this firm.

For this particular attack against Sharon, I had already located a username and password that one of the firm’s employees used to access their custodian. The username and password, which I obtained, were mistakenly published on the firm’s website because of a wrongly configured Office365 setting. We discovered it using a set of “Google Dorks”. The CEO was also careless in not checking the “sharing” privileges for that specific document. This is a frequent problem, and in my experience, I generally look for such misconfigured sensitive documents when analyzing these types of attacks.

For this attack, I targeted “Sharon”. She caught my attention because she had identified herself as the “portfolio assistant” for the company on LinkedIn and was highly active on various social media platforms. Her PMS credentials were also on the document I was able to discover from my Google Dorks.

The company’s PMS requires 2-factor authentication for all users, which means that Sharon’s credentials are linked to a rotating 2-factor authentication code that I needed to obtain to access the PMS. Through phishing Sharon, I was able to gain access to the company’s PMS in less than a day. Please note that the names of the firm and employees have been altered or obscured to maintain confidentiality and to protect the guilty.

Call #1 – I dialed Sharon and said my name was Dave.

Dave: Hi Sharon – I am interested in opening an account with you folks. If I do, where do you keep my money?

Sharon: We use [REDACTED] as the custodian for our accounts.

Dave: Ah! [REDACTED]! I already have an account with them, so great. My current advisor uses them, so will it be an easy transition if I move my accounts? Since the accounts are already there, how do I switch them over to be managed by your firm?

Sharon: It is pretty easy. I will send you some paperwork to fill out and then I will fax those up to [REDACTED].

Dave: Excellent! And in the meantime, I can email you my PDF statement so that you can get the ball rolling with onboarding.

Note: Here, I am setting Sharon up to open a PDF containing key-logging malware that I will send her if I need to get access that way. At this point, I am still not sure how I am going to get into the system, so I am planting this seed. This is a great option as I have yet to have a client not open a malicious PDF when they think inbound assets just fell into their lap.

Sharon: Sounds great. My email address is [***@***.com]

Dave: Great. I will send that over soon.

Now, I must do some more research to figure out how I will get in. So I call another advisor that is completely unrelated to the firm but I have found uses the same advisor. This was conducted by researching the FOIA data that is released by the SEC each quarter. The Form ADV data gives us significant and intimate insights into how a firm operates. We have covered why this is extremely problematic for registered firms in several videos that you can find on YouTube.

Call #2 –

I called [REDACTED]…another firm that I found uses [REDACTED] as the custodian so that I can get some background information on how [REDACTED] operates.

The phone was answered by a young lady named Allison. Judging from her LinkedIn profile, Allison was around 24-26 years old, a recent graduate working her first job as a trade desk assistant in NYC. She was a film school dropout and she frequently posted her critiques of movies on numerous social media platforms.

Dave: Hi Allison, you might not be the right person and I am sorry for the distraction, but I am hoping you can help me out for 5 minutes. I found you on LinkedIn and saw you went to film school, which is why I am reaching out. I am a movie director and I am working on a film and I am needing someone to interview for some background. The film involves an investment firm that experiences a cyber attack and loses the client’s assets to North Korea. I need someone’s expertise to make sure my movie fits the real-life scenario since I know very little about cybersecurity. I know you are very busy, but would you perhaps have a few minutes to answer some simple questions for my project?

Allison: Sure, I would love to help. What kinds of questions do you have?

Dave: Well, I know what it means to balance a portfolio. That means sometimes you have to sell some holdings and buy others to make the portfolio balance. I get that. But what I don’t understand is HOW you make the trades in those portfolios.

Allison: Well…it’s not that complicated….

(Allison goes on for 15 minutes telling me everything I need to know about how she uses [REDACTED]’s PMS. I made sure to avoid asking any personal or firm-related questions to not raise suspicion and constantly referred to firm production. I took detailed notes on the operations at [REDACTED] and then called Sharon back.)

Call #3 – I called Sharon once more. This time acting as Chris Johnson, a customer service rep from [REDACTED].

Chris: Hi Sharon – This is Chris Johnson with [REDACTED]. I am conducting a customer satisfaction survey and wanted to see if you had 4 minutes to answer some questions about your satisfaction with our service. We are sending all respondents a coupon for a free lunch at Chick-fil-A. Would it be OK if I ask you a few questions?

Sharon: Sure thing.

[Sharon was enthusiastic to help…and sounded excited about the break in her routine]

Chris: First off, I need to speak with someone who uses our system. Are you authorized to use the [REDACTED] PMS system?

Sharon: Yes.


-Okay, what hours are you guys in the office?

-How many employees dial into [REDACTED]?

-How often do you call us?

-Is there anyone, in particular, you like to talk to when you have service issues?

-Did we ever fail to meet your expectations?

-How is our response time to your issues?

-Do you have any suggestions on how we can improve?

[Sharon answers them all and is very pleasant and happy throughout.]

Chris: Thanks, Sharon. I really appreciate your help and your time. Let me save your answers in my survey and get that gift certificate over to you in an email. One second, please…

Chris: (Pausing…) Hmm…that is interesting. Are you sure you are an authorized employee on [REDACTED]’s PMS system? I don’t see your name here.

[I asked in a puzzled/questioning way because victims are always happy to provide clarity or prove themselves right when challenged. It blinds them when you ask them to “prove” themselves.]

Sharon – Yes, I am authorized on all accounts.

Chris – OK, that is strange because I don’t see your name listed on the account.

Sharon (acting somewhat insulted and annoyed) – Well, there is something wrong there because I have been here for 7 years and call the [REDACTED] team every day; usually for several hours each day.

Chris – There is no doubt from me Sharon. This is a frequent problem and one of the side reasons for my call. I want to make sure we have the most accurate records so let me research and get that updated for you. Give me one second to get you added here. I am going to go and pull the physical paperwork from our archive and then get you added back in. I am so sorry for the inconvenience here.

Sharon – {laughs and sighs}

[I allow 45 seconds of no talking with lots of typing in the background. I have an extra loud mechanical keyboard that I use for this work to make sure the victim can hear. The overall goal here is to have Sharon swing from an agreeable state of mind, to a confrontational mindset, back to a passive mindset. Essentially, we want to wear her out mentally so that her guard goes down on this call.]

Dave – OK, I see your authorization paperwork right here. Sharon Smith, right? I found it. No problem. Let me get you added to the official record again. I’m not sure how it was removed because I see where you were authorized previously. Honestly, it may have been a mistake I made when I pulled your record up, so I am sorry for that. They call me “Fat fingers” with the way I accidentally delete records, so thanks for your patience on this.

[20 second pause]

Dave – OK, all set. Let me get your 2FA code set back up now. Can you please read me the current 6 digits from your 2FA device so that I can get that added back in and synced with the system?

Sharon reads the 2FA code as I act like I am typing them into my login screen.



Chris – This is Brian @ MTradecraft.

At that moment, I could sense Sharon became aware of the seriousness of the situation after a prolonged silence accompanied by a deep sigh indicative of her defeat and anxiety.

With that, the pentest was over and I had gained full control of the firm’s $748MM portfolio in less than a day. Having that 2FA code allowed me to access the firm’s PMS system and take a screenshot to prove I was there. Sharon was upset. She had just destroyed her employer.

Without proper cybersecurity threat training, this type of mistake happens frequently.

Background and Lessons here:

MTradecraft was hired to conduct a penetration test within a month’s timeframe, but the specific dates were not decided. Sharon initiated contact with MTradecraft to arrange an introductory call for the test, having also attended the initial meeting where it was specified that phishing tests would be carried out.

Sharon’s warning and knowledge were not enough to prevent the compromise of the client’s assets, as it was easy for someone to lift the 2FA codes. She admitted that she did not anticipate the attack and did not suspect anything during the phone call.

Two things ultimately led to this epic and devastating compromise:

  • The CCO had previously made a mistake and accidentally publicly published sensitive information using the “Share” features found within Office365. That led to the discovery of Sharon’s login and password information using a series of intelligence-gathering techniques known as “Google Dorks”.
  • Sharon did not follow basic cyber security hygiene that should be covered in the employee’s cybersecurity awareness training program. Sharon did not follow the basic principle of never giving your 2FA code to anyone. There is never an exception to this rule. Period.

206(4)-9: An Update On the SEC’s Cybersecurity Regulations From Hell

Our latest webinars have been focusing on the new cybersecurity regulations, 206(4)-9, for over a year now as I have been mainly helping companies to understand and comply with the new regulations.

Thus, I think it’s crucial to keep our audience informed about this topic.

The SEC has postponed the RIAs’ new cybersecurity regulations, Rule 206(4)-9, until October 2023, according to the SEC’s Spring Agenda.

The upcoming regulation is significant because it will shift us from a phase of receiving information on cybersecurity best practices observed during examinations by the commission, to a phase where the SEC will impose strict regulations on what RIAs are required to do to meet cybersecurity regulations.  Heavy fines are being enforced now and more will follow as regulations become stricter.

The implementation of the SEC’s new regulation 206(4)-9 will be an expensive and complex task for many firms. Given the requirement to perform vulnerability scans, threat and risk assessments, network and domain mapping, and employee training, the costs associated with these security measures can quickly add up. According to the SEC, “Our survey found that firms spent an average of 0.5% of revenue – or $2348 per employee…while spending is considerable, it may nonetheless be inadequate.” (SEC Proposed Rule 206(4)-9 | Pages 71-72)

And just FYI, we charge clients significantly less to tackle this work for them.

We are not fans of the new regulations and think they bring more problems than they solve.  We covered that topic in our webinar titled “The SECs New Cybersecurity Reporting Rules Are Extremely Dangerous for RIAs” (video on YouTube linked below)

The Investment Adviser Association recently wrote a letter to the SEC criticizing the overall impact of the agenda on RIAs and other market participants. Despite the delayed timeline, some individuals are still concentrating on ensuring that they will meet the requirements of the proposed regulations, according to Karen Barr, the president and CEO of the industry association, as reported by Financial Advisor IQ.

“No one is feeling that comfortable,” said Barr. “Firms are trying to prepare for the onslaught of a suite of new regulations and trying to analyze what they know, what resources they might need and trying to make their best guesses in their budgeting as to what the final proposals might look like and what the timelines might be.”

According to a 2022 report by Cerulli Associates, about 68% of RIAs viewed uncertainty regarding RIA regulation and oversight in the future as a major or moderate challenge, indicating that regulatory pressure continues to be a significant issue for the industry.  I can assure you, here at MTradecraft, just about everyone we talk to is confused.

The SEC’s new regulation 206(4)-9 will be an expensive and complex task for many firms. With heavy fines in place, it is important to make sure you are compliant with the regulations as soon as possible. If all of this sounds daunting or like a lot to handle on your own, don’t worry! Our team at MTradecraft has extensive experience helping companies understand and comply with these cybersecurity regulations. We offer comprehensive solutions that cover everything from vulnerability scans and threat assessments to network mapping and employee training – so let us help take some of the burden off your shoulders. Reach out today to learn more about how we can assist you in meeting regulatory requirements while keeping your data safe and secure.

How SEC Registered Firms Can Build a Security Fortress that Would Make the NSA and CIA Jealous.

In this webinar, we discuss the actions that we take to build insanely secure financial institutions using the same kind of technologies and ideas deployed by the NSA and the CIA.

It’s time to face the truth: moving clients to the cloud and relying on third-party vendors does not make your firm’s data more secure. In fact, it can lead you down a path of extreme vulnerability.

Because we do not sell these types of services (MTradecraft is a Braintrust), we are free to share the facts with you and help you build true cybersecurity into your firm.

Reviewing a Cybersecurity Documentation Request List from the SEC

In this video, we take a deep dive into the latest SEC regulations on cybersecurity documentation, including a detailed examination of a recent letter the SEC sent to an RIA prior to an examination.

We will explore this Examination Information Request Letter from the SEC in detail during this webinar.

Through practical tips and best practices, we’ll explore how RIAs, Hedge Funds, B/Ds, and family offices can protect their firms against cyber threats.

Our presentation will cover the key elements necessary for compliance with the latest regulations and safeguarding your investments, clients, and business. As the SEC continues to scrutinize firms and their cybersecurity practices, it’s more important than ever to stay informed and ensure your firm is implementing the necessary measures for protection.

Cybersecurity Incident Response Plans for SEC Registered Firms

In this video, we explore why it is important for SEC registered firms to have a comprehensive cybersecurity response plan in place.

A good plan should include preparation and awareness initiatives to help prevent incidents, containment processes so that the attack can be contained with minimal damage, remediation steps to restore systems, and proper incident reporting to the relevant authorities.

These steps are critical for any organization that wants to be prepared for a cyber security incident.

How to Conduct A Cybersecurity Risk and Threat Assessment for SEC Registered Firms

Keep your financial organization safe and compliant with the SEC. In this webinar, you’ll learn how to conduct a comprehensive cybersecurity risk assessment designed specifically for SEC registered firms.

Discover what cyber risks may haunt your organization, uncover weaknesses in your system, identify potential liabilities and develop mitigation strategies to create a secure and reliable environment for conducting business.

With actionable steps throughout the webinar, you can take proactive measures to protect your organization’s assets and ensure regulatory compliance.

Make sure you’re prepared for any possible cyber threats by joining us for this insightful session!