Meridian Wealth Advisors (name changed) manages approximately $1.4 billion in client assets across 28 advisors and a 12-person operations team. When the SEC finalized its new cybersecurity risk management rules in 2023, the firm's compliance officer recognized they had a significant documentation gap — and a bigger infrastructure problem.
Advisors had long operated with a high degree of autonomy around their own devices and work habits. Many used personal MacBooks for client meetings. Some had locally installed copies of the firm's portfolio management software. The compliance officer could not truthfully document that client data was isolated from personal devices — because it wasn't.
An upcoming FINRA examination was scheduled for Q2. The compliance officer and CCO knew the examiner would ask about cybersecurity controls — including whether client records were retained in accordance with FINRA Rule 4511 and SEC Rule 17a-4, which require records to be preserved for 6+ years in a format that cannot be altered or overwritten. The honest answer — "we have VPN, we trust our advisors" — was no longer an acceptable response in a post-SEC-rule environment. Firms facing similar gaps had received substantial multi-million-dollar fines; the compliance officer knew the risk was not theoretical.
VulcanCloud deployed a managed DaaS environment for all 28 advisors and the operations team. The firm's portfolio management platform, CRM, and document management system were configured inside the virtual desktop environment. Advisors access everything through a managed virtual session — whether in the office, at a client's office, or at home.
MFA was enforced at the session level — no user, including partners and the CCO, can access the environment without completing multi-factor authentication. Access is logged with full audit trails: user, timestamp, application accessed, duration. Session recording is available for high-risk sessions.
VulcanCloud provided a written security architecture summary for the firm's compliance team — a document describing data isolation, access controls, monitoring, and incident response procedures in terms structured for regulatory examination. The compliance officer used it directly in FINRA exam preparation.
"The FINRA examiner asked about our cybersecurity controls and I had a written document in hand. That conversation was five minutes instead of the half-day fishing expedition I'd been dreading." — Chief Compliance Officer, Meridian Wealth Advisors
The FINRA examination produced no cybersecurity findings. The firm's SEC annual filing included documented cybersecurity risk management procedures for the first time. Advisors adapted to the virtual desktop environment within two weeks — and several noted that the consistency across devices actually improved their workflow. No client data has been identified on any personal device since the migration. New advisor onboarding, which had previously required two weeks of IT setup, now takes two days from offer acceptance to productive first session. The compliance officer estimates the VulcanCloud environment effectively eliminated what would have been at least a six-figure remediation project if the FINRA examination had surfaced findings — and provides ongoing protection against the rapidly expanding SEC cybersecurity enforcement posture.