FAQ | Solanasis
Common questions about working with Solanasis
The Assessment
How long does the assessment take?
10 business days from kickoff to readout. Your team's time commitment is approximately 3-4 hours total (one intro call, one kickoff meeting, access provisioning, and a readout session). We handle the rest.
What does the assessment actually check?
We look at access controls, backup and recovery (including a real restore test), vendor access and risk, breach detection and response capabilities, credential management, and documentation. Every finding maps to your specific regulatory requirements.
What makes this different from a typical IT security review?
Most IT security reviews check the box without verifying what's behind it; that creates false comfort. We run a real disaster recovery restore test, not just a checkbox that says 'backups exist.' You get proof that your recovery actually works, a risk register mapped to your specific regulatory requirements, and a 90-day roadmap you can actually use.
What does it cost?
Depends on firm size and what you're dealing with. For foundations, typically $5,000-$7,500. Book an intro call and we'll give you a specific number. No runaround, no 'it depends on synergies.' We price fairly and we're transparent about it.
Working Together
Do you work with our existing compliance consultant?
Absolutely. That's how we're designed to work. Your compliance consultant handles regulatory strategy and examination prep. Your IT provider handles day-to-day operations. We fill the gap between them: the cybersecurity assessments, disaster recovery testing, and technical remediation that neither typically covers. We coordinate with everyone and replace no one.
Do you work with our existing IT provider or MSP?
Yes. We coordinate with your IT provider on access provisioning, configuration review, and any remediation handoffs. We need their cooperation during the assessment, but we handle the cybersecurity-specific work they don't typically cover.
What if we don't have IT staff?
That's exactly who this is for. So many firms treat the lack of IT staff as a reason to postpone; it's actually a reason to start. We coordinate directly with your team and any vendors you use.
Do we need board approval?
Most executive directors and managing partners can approve this without a full board vote. We provide a one-page scope summary you can share with your board if needed.
After the Assessment
What happens after the assessment?
You choose the path that makes sense. Take the deliverables and execute independently, bring us in for a 2-4 week remediation sprint (fixed scope, fixed fee), or engage us as an ongoing Fractional Cybersecurity Partner so your posture doesn't drift.
Can you help fix what you find?
Yes. Our security remediation sprint closes the top gaps in 2-4 weeks. We can also stay on as your Fractional Cybersecurity Partner for ongoing oversight, quarterly testing, and documentation maintenance.
Regulatory Questions
What is Regulation S-P and why does the June 2026 deadline matter?
The SEC's updated Regulation S-P requires a written incident response program, expanded oversight of service providers handling customer data (including a 72-hour breach notification requirement), and notification to affected clients within 30 days of discovering unauthorized access. The compliance date is June 3, 2026 for smaller entities.
Do you work with state-registered advisors?
Yes, and most small advisory firms are state-registered. We work with firms regulated by any state securities authority, including Colorado's Division of Securities under DORA. The cybersecurity expectations are similar regardless of your regulator.
What about ABA Rules 1.1 and 1.6?
ABA Model Rules require 'reasonable efforts' to protect client information (Rule 1.1 Competence, Rule 1.6 Confidentiality). Our assessment helps you define and document what 'reasonable' looks like for your firm, with evidence rather than assumptions.