What a Cyber Risk Vulnerability Threat Assessment Actually Involves

The written risk and threat assessment is, in my experience, the single most-requested document in an SEC cybersecurity examination. Rule 206(4)-7 requires advisers to identify risks and review the adequacy of their controls. Regulation S-P requires written safeguards reasonably designed to protect customer information. Neither obligation can be satisfied by a policy that asserts the firm is secure. Both require evidence that the firm looked, found what was actually there, and acted on it.

That evidence is what a Cyber Risk Vulnerability Threat Assessment — what MTradecraft calls a CRVT — is built to produce. This article explains what the assessment covers, how it is performed, and what a firm walks away with, so that a CCO or executive evaluating this kind of work knows what a complete engagement looks like.

Why a Single Comprehensive Assessment

Most firms have fragments. The MSP ran a scan once. Someone checked the email records. A vendor questionnaire went out and came back. The problem is that fragments do not map to the rules, are not dated and organized as evidence, and rarely connect external exposure to internal vulnerability to documented remediation. An examiner asking “show me your written risk and threat assessment” is not asking for fragments. They are asking for one coherent document that demonstrates the firm understands its own attack surface and manages it deliberately.

A CRVT is that document. It combines external reconnaissance, internal vulnerability scanning, OSINT, and policy review into a single assessment, mapped to the regulatory obligations it supports, with an evidence archive behind it.

The Five Phases

1. External Reconnaissance

The assessment begins where an attacker begins: outside the perimeter, looking in. This phase maps the firm’s true internet-facing footprint: domains and subdomains, exposed services, login and administrative portals, certificate records (certificate transparency logs are a common source of forgotten hostnames), and DNS and email-authentication configuration (SPF, DKIM and DMARC). The goal is to find what the firm exposes to the entire world, including the systems it has forgotten it owns: legacy hardware, vendor-hosted services, abandoned test environments, and shadow IT. External visibility tools such as Shodan are part of this phase, used strictly for observation rather than exploitation; nothing is logged into or probed beyond what any internet user can already see. Recurring high-risk findings here include Remote Desktop (RDP, TCP 3389) exposed directly to the internet and internet-facing cameras and other embedded devices, both of which attackers scan for continuously and both of which are difficult to justify during an exam.
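The email-authentication part of this phase lends itself to a concrete check. The following Python is an added example, not MTradecraft’s tooling and not code from the original article: it evaluates the SPF and DMARC TXT records of a domain for the weak settings that recur in assessments (missing or duplicate SPF, a permissive or absent `all` mechanism, more than ten DNS-querying terms, DMARC missing or set to `p=none`). The domain names, records and address range (weak.example, hardened.example, 203.0.113.0/24) are constructed for illustration; in the field the strings would come from a DNS resolver. DKIM is deliberately not covered, because selectors cannot be enumerated from DNS alone.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real domains' DNS). In an engagement the
# TXT strings would be fetched with a resolver, e.g. dnspython, for the apex
# name and for _dmarc.<domain>.
SAMPLE_DNS = {
    "weak.example": {
        "apex_txt": ["v=spf1 include:_spf.example.net ~all",
                     "v=spf1 a mx +all"],            # duplicate and permissive
        "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "hardened.example": {
        "apex_txt": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
                     "site-verification=abc123"],    # unrelated TXT is ignored
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
    },
}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=")


def check_spf(apex_txt):
    """Return findings for the SPF record(s) among the apex TXT records."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", "no SPF record: any host may send as this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(Finding("high", "multiple SPF records: receivers return permerror"))
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append(Finding("medium", "no 'all' mechanism: unlisted senders are neutral"))
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("high", "+all: every sender passes SPF"))
        elif qualifier == "?":
            findings.append(Finding("medium", "?all: neutral result, no enforcement"))
        elif qualifier == "~":
            findings.append(Finding("low", "~all: softfail only; DMARC must carry enforcement"))
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS-querying terms (limit 10): permerror"))
    return findings


def check_dmarc(dmarc_txt):
    """Return findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("high", "no DMARC record: spoofed mail is not policed")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("medium", "p=none: monitoring only, spoofed mail still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("high", f"DMARC policy missing or invalid: {policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("low", f"pct={pct}: policy applied to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: aggregate reports are not collected"))
    return findings


def assess_domain(records):
    """Run both checks and return (worst severity, list of findings)."""
    findings = check_spf(records["apex_txt"]) + check_dmarc(records["dmarc_txt"])
    worst = max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")
    return worst, findings


if __name__ == "__main__":
    for domain, records in SAMPLE_DNS.items():
        worst, findings = assess_domain(records)
        print(f"{domain}: worst={worst}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run against the constructed data, weak.example is rated high (duplicate SPF records, a softfail-only `~all`, and DMARC `p=none`) while hardened.example produces no findings. The severity labels are an assumption for illustration; in a real report each finding would be tied to the rule it implicates and to the raw TXT records kept in the evidence archive.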

2. Internal Vulnerability Scanning

The next phase moves inside the network, where attackers operate after initial access. This is credentialed vulnerability scanning performed from a position that is genuinely adjacent to the environment being assessed, that is, a scanner sitting on the firm’s own network segments rather than routed in remotely through a VPN tunnel. The distinction matters because much of internal discovery depends on link-layer and broadcast traffic (ARP, NetBIOS, mDNS and SSDP announcements) that does not cross a routed tunnel, and on firewall and ACL rules that treat a remote tunnel endpoint differently from a local host. Performed correctly, this phase surfaces unpatched software, misconfigurations, exposed management interfaces, and entire device classes (printers, switches, cameras, NAS devices) that remote scans routinely miss. The difference between a properly positioned internal scan and a remote one is frequently the difference between seeing the internal attack surface and missing it entirely.

3. Policy and Compliance Review

Technical findings are only half the picture. This phase reviews the firm’s written program against how it actually operates: the cybersecurity policies and procedures manual, the incident response plan, the employee technology use agreement, vendor risk procedures, network maps, and asset inventories. The objective is to find the gaps between what the documentation claims and what the environment shows — because those gaps are exactly what an examiner interprets as a governance failure rather than a paperwork error.

4. Risk Analysis

Raw findings are not yet useful. A vulnerability scanner will produce hundreds of results, most of which are noise. This phase filters out the low-value findings and identifies the risks that actually matter for this firm: exposed remote access, insecure email authentication, vulnerable web services, outdated software, and breach exposures tied to the firm’s people and infrastructure. Each meaningful risk is assessed for business impact — does it touch client data, is authentication in place, are critical operations affected — and prioritized accordingly.

5. The Written CRVT Report

The assessment culminates in a written report that synthesizes everything. A complete report includes an executive summary written for non-technical leadership, an attack surface overview, the vulnerability analysis, a plain-language explanation of business risk, and a prioritized remediation roadmap. It is mapped to the specific rules each finding implicates — Rule 206(4)-7, Regulation S-P, Rule 204-2, and Regulation S-ID — so the document does double duty as both a security deliverable and a compliance artifact.

What the Firm Walks Away With

The output of a CRVT is not just a report; it is a defensible evidence position. Specifically:

  • An executive summary leadership can actually read and act on
  • A technical appendix documenting findings and methodology
  • A remediation roadmap an MSP can execute against and a CCO can track
  • An evidence archive — scan outputs, reconnaissance findings, configuration evidence — referenced clearly within the report

That evidence archive matters as much as the conclusions. The governing principle is simple: if it cannot be demonstrated to an SEC examiner with evidence, it did not happen. A CRVT exists to make sure the firm can demonstrate it.

Independence Is the Point

One last thing worth stating plainly. A CRVT performed by the same party that operates the firm’s environment is compromised by design — it is asking a vendor to grade its own work. MTradecraft does not sell hardware, resell MSP services, or receive vendor commissions. The assessment is independent: it tells the MSP what to fix and tells the CCO what to document, without a financial interest in the answer. That independence is what makes the resulting evidence credible to a regulator.

How Often

For most firms, a comprehensive CRVT on an annual cadence, with event-driven reassessment after significant infrastructure or vendor changes, is the right rhythm. Firms that want continuous oversight between full assessments typically move to an ongoing arrangement that layers scheduled scanning, external monitoring, and documented review on top of the annual baseline.
The CRVT is MTradecraft’s flagship assessment. If your firm needs a written risk and threat assessment that maps to your SEC obligations and is backed by real evidence, that is the work we do.

Related Reading