cybersecurity 8 min read

What a 10-Day Compliance Readiness Assessment Actually Looks Like

Solanasis Team

What You’re Really Signing Up For

Most firms we talk to have been told a cybersecurity assessment takes months. Some have been quoted six figures. Others have had a vendor wave a “free assessment” in their face that turned out to be a 90-minute sales pitch for a platform they didn’t need.

So here’s what actually happens when you work with us. This walkthrough is based on composite findings from typical wealth management firms (details changed, patterns real). If you’re considering the assessment, this is the clearest picture we can give you of what those 10 business days look like.

Note. This is a composite example drawn from common patterns we see across wealth management firms. No single firm is described here; the gaps and findings represent what’s typical across the industry.

The Firm Before We Showed Up

Imagine a 12-person RIA, SEC-registered, managing roughly $400M in client assets. They had what most firms have:

  • A WISP that was last updated two years ago
  • Backups “configured” but never actually tested with a full restore
  • Microsoft 365 with MFA (multi-factor authentication) enabled for most accounts (but not all)
  • Three vendors with access to client data, none with documented security reviews
  • An incident response plan that existed in a binder somewhere

Here’s the thing: none of this is unusual. This is what “pretty good” looks like for firms this size. The problem isn’t that they were negligent; the problem is that “pretty good” doesn’t hold up when an examiner starts asking specific questions.

Day by Day

Day 1: Intro Call

30 minutes. We learn about the firm’s regulatory situation, tech stack, and what’s keeping the principal up at night. We explain exactly what the assessment covers and what “done” looks like. No jargon, no upselling.

Your time: 30 minutes.

Day 2: Kickoff and Scope Lock

We define the scope in writing: which systems, which vendors, which regulatory frameworks apply. For this firm, that meant SEC cybersecurity examination priorities, Regulation S-P requirements, and their state’s data protection rules. The firm signs off on scope so there are no surprises.

Your time: 45 minutes.

Days 3-4: Configuration Review

We use read-only access to review the firm’s Microsoft 365 configuration, email security settings, access controls, and endpoint protections. This is where the AI-native approach pays off; we can correlate configurations across systems and flag gaps that a manual review would miss.

What we found (composite). MFA was enabled for 10 of 12 accounts. The two exceptions were a shared admin account (a classic blind spot) and a former employee’s account that hadn’t been deprovisioned.

Email forwarding rules were sending copies of certain messages to a personal Gmail account. That’s a quiet failure that no one had noticed.
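The three findings above (accounts without MFA, a former employee never deprovisioned, mail quietly forwarded to a personal address) are exactly the kind of gaps that fall out of correlating an account export with mailbox settings. Here is an added example of that correlation; it is not Solanasis's own tooling. The account and inbox-rule records are constructed to resemble a simplified Microsoft 365 export, and the domain names, field names and 90-day idle threshold are assumptions.

```python
# Added example (not Solanasis code): correlate an account export with mailbox
# forwarding settings to flag the gaps a configuration review turns up most often.
# All records below are constructed to resemble a simplified Microsoft 365 export;
# domains, thresholds and field names are assumptions.
from datetime import date

TENANT_DOMAINS = {"examplefirm.com"}   # assumption: the firm's own mail domains
STALE_AFTER_DAYS = 90                  # assumption: idle this long = stale

# Constructed sample: four accounts standing in for the article's twelve.
ACCOUNTS = [
    {"upn": "alice@examplefirm.com", "enabled": True, "mfa_enabled": True, "roles": [],
     "shared": False, "hr_status": "active", "last_sign_in": "2024-05-20", "forward_all_to": None},
    # Shared admin account: privileged, used by several people, no MFA.
    {"upn": "admin@examplefirm.com", "enabled": True, "mfa_enabled": False, "roles": ["Global Administrator"],
     "shared": True, "hr_status": "n/a", "last_sign_in": "2024-05-21", "forward_all_to": None},
    # Former employee: HR says terminated, account never deprovisioned.
    {"upn": "bob@examplefirm.com", "enabled": True, "mfa_enabled": False, "roles": [],
     "shared": False, "hr_status": "terminated", "last_sign_in": "2023-11-02", "forward_all_to": None},
    {"upn": "carol@examplefirm.com", "enabled": True, "mfa_enabled": True, "roles": [],
     "shared": False, "hr_status": "active", "last_sign_in": "2024-05-19", "forward_all_to": None},
]

# Constructed inbox rules (the per-mailbox rules users create themselves).
INBOX_RULES = [
    {"mailbox": "alice@examplefirm.com", "name": "File newsletters", "enabled": True, "targets": []},
    {"mailbox": "carol@examplefirm.com", "name": "Copy statements", "enabled": True,
     "targets": ["carol.home@gmail.com"]},
    {"mailbox": "carol@examplefirm.com", "name": "Old rule", "enabled": False, "targets": ["x@example.org"]},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def external_addresses(addresses, domains=TENANT_DOMAINS):
    """Addresses that do not belong to one of the tenant's own domains."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in domains]


def mfa_coverage(accounts):
    """(accounts with MFA, enabled accounts): the headline number for the report."""
    enabled = [a for a in accounts if a["enabled"]]
    return sum(1 for a in enabled if a["mfa_enabled"]), len(enabled)


def mfa_findings(accounts):
    findings = []
    for a in accounts:
        if a["enabled"] and not a["mfa_enabled"]:
            # A privileged or shared account without MFA is the worst case: one
            # phished password gives tenant-wide access with no attribution.
            privileged = bool(a["roles"]) or a["shared"]
            findings.append({"severity": "critical" if privileged else "high", "account": a["upn"],
                             "issue": "MFA not enabled" + (" (privileged/shared account)" if privileged else "")})
    return findings


def stale_account_findings(accounts, today, max_days=STALE_AFTER_DAYS):
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["hr_status"] == "terminated":   # the HR record beats sign-in data
            findings.append({"severity": "critical", "account": a["upn"],
                             "issue": "terminated user still has an enabled account"})
            continue
        idle = (today - date.fromisoformat(a["last_sign_in"])).days
        if idle > max_days:
            findings.append({"severity": "medium", "account": a["upn"], "issue": f"no sign-in for {idle} days"})
    return findings


def forwarding_findings(accounts, rules, domains=TENANT_DOMAINS):
    findings = []
    for a in accounts:   # mailbox-level forwarding, set at the admin level
        if a["forward_all_to"] and external_addresses([a["forward_all_to"]], domains):
            findings.append({"severity": "high", "account": a["upn"],
                             "issue": f"mailbox forwards all mail to {a['forward_all_to']}"})
    for r in rules:      # user-created rules; a disabled one is still worth a note
        ext = external_addresses(r["targets"], domains)
        if ext:
            findings.append({"severity": "high" if r["enabled"] else "low", "account": r["mailbox"],
                             "issue": f"inbox rule '{r['name']}' sends mail to {', '.join(ext)}"})
    return findings


def assess(accounts, rules, today, domains=TENANT_DOMAINS):
    """Run every check and return findings ordered for a risk register."""
    findings = mfa_findings(accounts) + stale_account_findings(accounts, today) \
        + forwarding_findings(accounts, rules, domains)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["account"]))


def run_sample(today="2024-05-22"):
    """Assess the constructed tenant as of the given ISO date."""
    return assess(ACCOUNTS, INBOX_RULES, date.fromisoformat(today))


if __name__ == "__main__":
    covered, total = mfa_coverage(ACCOUNTS)
    print(f"MFA coverage: {covered} of {total} enabled accounts")
    for f in run_sample():
        print(f"[{f['severity']:8}] {f['account']}: {f['issue']}")
```

On the sample tenant this reports MFA coverage of 2 of 4, the shared admin account and the terminated user as critical, and the Gmail forwarding rule as high, which is the same severity ordering the article's risk register uses. The HR status is checked before sign-in age on purpose: a terminated user who still signs in looks "active" to a last-sign-in check, which is precisely the account you most want to catch.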

Days 5-6: Disaster Recovery Test

This is the part most firms skip, and it’s the part that matters most. We don’t just confirm that backups are configured. We run an actual restore.

What we found (composite). Backups were configured correctly in Veeam. The restore completed successfully for email and file storage.

But the firm’s CRM data (held by a third-party vendor) had no backup arrangement at all. If that vendor had a catastrophic failure, the firm would lose years of client relationship data. That’s risk debt that accumulates silently until the day it doesn’t.
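Two checks sit behind "we run an actual restore": confirming that every system holding client data is in scope of some backup job at all (the CRM gap above), and proving that what comes back from a restore matches what went in. The following added example shows both; it is not Solanasis's or Veeam's code, and the data-store inventory, job list and files are all constructed.

```python
# Added example (not Solanasis or Veeam code): the two checks behind "we run an
# actual restore". First, compare the inventory of systems holding client data
# with the backup jobs that exist, so a store nobody backs up (the vendor-hosted
# CRM) shows up as a gap. Second, restore into a scratch location and verify every
# file against a checksum manifest taken from the live copy. All data constructed.
import hashlib
import shutil
import tempfile
from pathlib import Path

DATA_STORES = [  # constructed inventory of where client data lives
    {"name": "Exchange Online mailboxes", "client_data": True, "custodian": "firm"},
    {"name": "SharePoint and OneDrive files", "client_data": True, "custodian": "firm"},
    {"name": "CRM (vendor-hosted)", "client_data": True, "custodian": "vendor"},
    {"name": "Marketing website", "client_data": False, "custodian": "vendor"},
]
BACKUP_JOBS = [  # constructed job list, as a backup platform would report it
    {"name": "M365 mail backup", "covers": ["Exchange Online mailboxes"], "last_restore_test": "2024-05-17"},
    {"name": "M365 files backup", "covers": ["SharePoint and OneDrive files"], "last_restore_test": None},
]


def coverage_gaps(stores, jobs):
    """Client-data stores that no backup job covers at all."""
    covered = {name for job in jobs for name in job["covers"]}
    return [s["name"] for s in stores if s["client_data"] and s["name"] not in covered]


def untested_jobs(jobs):
    """Jobs that are 'configured' but have never proven a restore works."""
    return [j["name"] for j in jobs if not j["last_restore_test"]]


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """{relative path: sha256} for every file under root; take this from the live data."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest; anything missing or altered fails the test."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    corrupt = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt,
            "extra": sorted(set(actual) - set(manifest)),
            "verified": len(manifest) - len(missing) - len(corrupt)}


def simulate_restore_test(damage=True):
    """End-to-end run on constructed files: snapshot, 'back up', restore to scratch, verify.
    With damage=True the restore loses one file and truncates another, as a real failure might."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, scratch = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restore-scratch")
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "acme.txt").write_text("ACME Holdings: account summary\n")
        (live / "clients" / "beta.txt").write_text("Beta Trust: account summary\n")
        (live / "wisp.txt").write_text("WISP v2\n")
        manifest = build_manifest(live)          # recorded at backup time
        shutil.copytree(live, backup)            # stands in for the backup job
        shutil.copytree(backup, scratch)         # stands in for the restore
        if damage:
            (scratch / "wisp.txt").unlink()
            (scratch / "clients" / "beta.txt").write_text("Beta Trust: acc")
        return verify_restore(scratch, manifest)


if __name__ == "__main__":
    print("No backup at all:", coverage_gaps(DATA_STORES, BACKUP_JOBS))
    print("Never restore-tested:", untested_jobs(BACKUP_JOBS))
    print("Restore verification:", simulate_restore_test())
```

The manifest is built from the live data before the backup runs, so the restore is judged against what the firm actually had, not against what the backup platform says it captured. The coverage check is deliberately independent of any backup tool: it only needs an honest inventory of where client data lives, including the systems a vendor runs.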

Days 7-8: Vendor Risk and Documentation Review

We review vendor agreements, access inventories, and security documentation for each third party that touches client data.

What we found (composite). Three vendors had active access to client systems. One had a documented security review from the previous year. The other two had no security documentation on file.

Under the updated Regulation S-P, the firm needs expanded oversight of these service providers, including contractual provisions for breach notification within 72 hours. None of the existing vendor agreements included this requirement.

Day 9: Analysis and Report Assembly

We pull findings together into the deliverables: gap analysis with regulatory mapping, risk register, readiness maturity scorecard, disaster recovery report, and the 90-day roadmap. Each finding includes the specific regulatory reference (not generic best practices) and a severity rating.

Your time: 0 minutes. We handle this day.

Day 10: Readout Session

We walk through everything with the principal and whoever else needs to be in the room (often the compliance consultant and IT contact). No surprises; the readout is a conversation, not a presentation.

Your time: 60-90 minutes.

The Firm After: What They Received

By the end of day 10, the firm had:

  1. Gap analysis with regulatory mapping. 14 findings, each tied to a specific SEC examination priority or Regulation S-P requirement. Not a list of everything theoretically wrong; a focused set of what actually matters for their next examination.
  2. Risk register. Prioritized by severity and regulatory impact. The shared admin account and missing vendor oversight were flagged as critical. The email forwarding rule was flagged as high.
  3. Readiness maturity scorecard. An honest picture of where they stood across five domains. Useful for tracking improvement over time.
  4. Disaster recovery report and restore runbook. Documentation that the email and file restore worked, and a clear gap documented for the CRM vendor situation.
  5. 90-day readiness roadmap. Each item had an owner, a deadline, and the regulatory context explaining why it mattered.

Total Time From the Firm’s Team

Approximately 3-4 hours over 10 business days:

  • Intro call: 30 minutes
  • Kickoff meeting: 45 minutes
  • Access provisioning: 30 minutes
  • Readout session: 60-90 minutes

We handle everything else.

What Happened Next

The firm chose to run the first 30 days of the roadmap themselves (deprovision stale accounts, enable MFA everywhere, update vendor agreements). They brought us back for a focused remediation sprint to handle the CRM backup gap and build out their incident response capability. Their compliance consultant used the gap analysis to update the firm’s Form ADV disclosures.

Which is exactly how it’s supposed to work. The assessment gives you a clear picture and a plan. What you do with it is up to you.

How Solanasis Approaches This Differently

We built this assessment specifically for wealth management firms because the gap between what regulators expect and what most firms have in place is where the real risk lives. Every finding maps to what your examiners will actually ask about, not a generic framework applied indiscriminately.

The AI-native workflow means we cover more ground in 10 days than most providers cover in weeks. You get the same depth of analysis at a price that makes sense for your firm’s size.

Key Takeaways

  • A cybersecurity assessment should take days, not months. If someone quotes you half a year, they’re solving a different problem.
  • The disaster recovery test is the most valuable part. Most firms have false comfort from backups that have never been tested.
  • Vendor oversight is the gap regulators care about most right now. Regulation S-P’s updated requirements make this urgent.
  • Your team’s time commitment is minimal. 3-4 hours over the 10 days. We handle the rest.
  • The roadmap should stand on its own. Whether you bring us back or handle it yourself, the documentation is yours.

Not sure where your firm stands? Start with our free 35-point compliance checklist or book a 30-minute intro call to talk through your situation. No pressure, no sales pitch.
