Introduction
Most SEC-registered firms believe they have a clear understanding of which systems are exposed to the public internet. In reality, many firms do not.
Forgotten test systems, legacy hardware, MSP misconfigurations, vendor-hosted services, and shadow IT routinely create internet-facing exposure that never appears in internal documentation. Regulators do not care whether that exposure was intentional — only whether the firm identified it and took reasonable steps to manage the associated risk.