Security Assessment

Four layers. One picture of your exposure.

A complete security assessment is not a single test. It is a layered view — gap analysis, penetration testing, cloud application hardening, and external attack surface — that shows the firm what it actually looks like from every angle. And when FCI finds problems, it helps resolve them and proves it.

4 layers of assessment — from gap analysis to external exposure
4 phases — initial, findings, remediation, final
30 min gap analysis — where you stand, what is missing

The Problem

Most firms cannot answer the question.

"What would your firm find if it ran a full security assessment today — and would you be confident showing the results to a regulator?" Most firms cannot answer that question. They have been told their environment is secure. They have received monthly reports from their IT provider. They have paid for antivirus and firewalls. None of that is evidence of security — it is evidence of spending.

The aha moment for most prospects comes from an actual incident, a potential incident, or a near-miss. Suddenly the gap appears between what IT has been claiming and what is actually true. If the IT firm cannot secure itself, how can it secure a regulated financial services firm — and produce evidence of compliance?

The Perimeter Assumption

Most firms have only tested the outside of the network. Regulators are now asking what happens when an attacker is already inside — moving laterally, escalating privileges, reaching sensitive data. Firms subject to NYDFS must now perform internal testing. For the rest, it is coming.

The Cloud Blind Spot

Microsoft 365 holds most of the firm's sensitive data and communications. The average organization scores 30–45% on Microsoft Secure Score — and most firms do not know their number. If IT cannot tell you the score or explain what is driving it down, that is the gap.

What the Insurer Sees

Cyber insurance carriers now use automated tools to evaluate a firm's external attack surface before underwriting or renewing a policy. Open ports, weak email authentication, exposed services — the insurer sees it all. Most firms have never looked at themselves from the outside.

Snapshot, Not Improvement

Firms that have gone through a security assessment usually received a report and nothing else. The vendor ran the scans, delivered the findings, and moved on. The firm is left alone with a list of problems — not a path to resolution, and nothing to show that progress was made.

If you had to produce a security assessment this week — one that covers the inside of your network, your cloud configuration, and what the outside world can see — could you? And would you be comfortable showing the result?

What a Security Assessment Is

A layered process, not a single test.

A complete security assessment begins with understanding what the firm has in place today and ends with a verified view of its exposure from the outside. Each layer addresses a different dimension of risk — and builds on the previous one. The gap analysis is diagnostic. It tells the firm where it stands, what is missing, and which layers of the full assessment it needs. In 30 minutes, the firm knows the shape of the problem.

FCI performs all four layers — internal and external. Most assessment vendors do a subset and stop there. FCI is built to run the full picture, and to do it with the regulatory and organizational audiences in mind. The gap analysis covers six areas of the firm's security posture, and for each area FCI evaluates both what controls are in place and whether the firm has the evidence to prove it.

"Evidence is what the firm would need to produce during a regulatory exam, a home office audit, a cyber insurance claim, or in the aftermath of a breach. FCI looks for it before any of those events require it."


The Four Layers

Each layer addresses a different dimension of risk.

Layer 01
Gap Analysis

The foundational layer. FCI evaluates the firm's security posture across six areas — firm, endpoint, user, network, cloud app, and data — and for each, checks two things: what controls are in place, and whether the firm has the evidence to prove it.

The gap analysis is diagnostic before prescriptive. In 30 minutes, the firm knows exactly where its gaps are, what is missing, and which of the next three layers it needs.

Layer 02
Network Penetration Testing & Vulnerability Scanning

Penetration testing asks "can someone break in?" Vulnerability scanning asks "what exposures exist right now?" FCI performs both — internal and external — simulating real-world attacks and producing a prioritized list of every missing patch, misconfigured service, and open port.

For firms subject to NYDFS, internal testing is explicitly required. For the rest, it is where regulation is heading — and where real attackers operate today.

Layer 03
Cloud Application Hardening

Microsoft 365 is where most firms store sensitive client data, communicate, and collaborate. It is a primary attack surface. FCI reviews the firm's Microsoft 365 configuration — email security, data sharing, conditional access, multi-factor authentication — against the settings that actually matter.

Microsoft measures this directly with the Microsoft Secure Score. The average organization scores 30–45%. Improving the score is a measurable outcome of the assessment, not an aspiration.

Layer 04
External Attack Surface Assessment

Everything visible from the outside — public-facing servers, open ports, DNS records, email authentication, SSL certificates, the corporate website. What an attacker or an automated scanner would see when looking at the firm.

This layer is critical because cyber insurance carriers use the same automated tools to evaluate a firm's external posture before underwriting or renewing a policy. A weak external profile affects insurability and premium directly.
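Weak email authentication is one of the first things an external scanner flags. The following is an added illustration, not FCI's tooling or the page's own code: it parses constructed SPF and DMARC TXT records for a hypothetical domain (example-firm.test) and reports the weaknesses an insurer's automated assessment would typically surface, so a firm can check its own records before the outside world does.

```python
# Constructed sample DNS TXT records for a hypothetical domain (no live lookups).
SAMPLE_RECORDS = {
    "example-firm.test": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.example-firm.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-firm.test"],
}

def parse_spf(txt_records):
    """Return the single SPF record, or None if it is absent or duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def parse_dmarc(txt_records):
    """Parse the DMARC record into a tag dict (keys lower-cased); None if absent."""
    for r in txt_records:
        if r.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def email_auth_findings(domain, records):
    """Return the findings an external scanner would flag for this domain."""
    findings = []
    spf = parse_spf(records.get(domain, []))
    if spf is None:
        findings.append("SPF: missing, or more than one v=spf1 record")
    else:
        terms = spf.lower().split()
        if "+all" in terms or "all" in terms:
            findings.append("SPF: '+all' lets any host send as the domain")
        elif "?all" in terms:
            findings.append("SPF: '?all' is neutral and gives no protection")
        elif "-all" not in terms and "~all" not in terms:
            findings.append("SPF: no 'all' mechanism, so the record is ineffective")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("DMARC: no record published")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so no aggregate reports are received")
    return findings
```

Running `email_auth_findings("example-firm.test", SAMPLE_RECORDS)` on the constructed records returns two findings: the permissive SPF `+all` and the monitor-only DMARC policy.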

Regulatory Landscape

What each regulator expects — and where testing is no longer optional.

Penetration testing and vulnerability scanning are moving from recommended to required. Internal testing — testing from inside the network, not just the perimeter — is the clearest inflection point. Here is where each regulator sits today.

NYDFS
23 NYCRR 500.5 — Internal Testing Required

The New York Department of Financial Services requires annual penetration testing from both inside and outside the information systems' boundaries. Effective April 29, 2024. For firms subject to NYDFS, internal testing is no longer optional.

SEC
Regulation S-P — Testing Expected

Amended Regulation S-P requires written policies and procedures for safeguarding customer records. Penetration testing is expected as part of demonstrating compliance. It is not prescribed by name — but examiners know what the absence of testing looks like.

FINRA
Cybersecurity Practices — Testing Recommended

FINRA's Report on Selected Cybersecurity Practices recommends penetration testing, particularly for customer-facing systems and sensitive data stores. Annual cybersecurity risk assessments are expected. The bar is rising every year.

NAIC
Insurance Data Security Model Law — Testing Implied

Adopted in 24+ states and expanding. The Model Law requires annual assessment of safeguards, key controls, systems, and procedures. The model is flexible on method, but penetration testing is the accepted standard for meeting it.

The Process & the Report

A structured engagement — designed to produce a report that stands up to scrutiny.

Every assessment engagement follows the same four-step process. The difference from a typical vulnerability scan: the firm gets a remediation window between the initial findings and the final report. What you hand to a regulator, home office, or cyber insurer reflects your firm's remediated posture — not a list of open issues.

01
Initial Assessment

FCI runs the tools — external and internal penetration testing, vulnerability scanning, endpoint checks, cloud configuration review — to validate the firm's current cyber posture across the assessment dimensions that were scoped. The firm provides access as needed; FCI performs the technical work. This is the baseline from which remediation will be measured.

02
Findings & Draft Report

FCI consolidates the results into a draft report with severity rankings and remediation recommendations. The firm sees exactly what was found — and what to do about it — before anything is finalized.

03
Remediation Window

The firm fixes and improves what the draft report surfaced. FCI can provide remediation help on request — scoped separately and not included in the assessment price. This is the stage that makes the final report clean.

04
Second Assessment & Final Report

FCI runs the same tools a second time against the remediated environment and delivers the final written report — formatted for direct submission to regulators, home offices, and cyber insurance carriers. The report reflects current posture, not the list of issues found during the first assessment.

FCI's Differentiator
The final report reflects the firm's remediated posture — not a list of open issues. It is the report the firm hands to a regulator, home office, or cyber insurance carrier with confidence.

The Contrast

Two versions of the assessment.

Typical Vendor Assessment

A single point-in-time scan. The vendor tests the perimeter, maybe the cloud, rarely the inside. Findings are delivered in a PDF and the relationship ends. The firm is left with a list of problems and no clear path to resolution. If the next examination or insurance renewal comes before the firm can act on the findings, the report is already out of date — and the document says only that problems existed, not that they were fixed.

With FCI

Four layers — inside the network, the cloud, and the outside view — delivered in three phases. FCI finds the problems, helps resolve them during a remediation window, and re-tests to produce a final report that reflects the improved posture. The firm holds a document that proves not just that problems were identified, but that they were closed. That is what an examiner, an insurer, or a home office wants to see.

Which version of the assessment would you rather hand to a regulator, a cyber insurer, or the home office: a snapshot of problems — or evidence that they were resolved?

How FCI Is Different

Most vendors deliver findings. FCI delivers resolution — and the evidence to prove it.

An assessment is only as valuable as the improvement it produces. FCI is built for the improvement, not just the report.
Mastery
30+ years serving financial services exclusively. FCI knows which settings matter, which defaults fail, and what regulators actually ask for — because FCI has been through hundreds of examinations with clients.
Automation
Scans, testing, and configuration checks run through consistent tooling — not ad-hoc processes. Findings are prioritized automatically. Remediation steps are templated. The assessment produces a repeatable, comparable result.
Consistency
All four layers, every time — applied the same way to the home office, every branch, and every agency. No piecemeal assessments that leave parts of the environment unexamined.
Persistent Compliance
The assessment is not a one-time event. FCI's managed cybersecurity services keep the controls enforced after the remediation window closes — so the next assessment starts from a stronger position, not from scratch.

Why Firms Run Security Assessments

Four reasons — and the one you're in shapes the scope.

There are four primary reasons a firm initiates a security assessment. Understanding the motivation shapes the scope, urgency, and audience for the results. FCI's assessment is structured to serve each case — from validating an internal claim to satisfying an acquirer.

01 — Self-Validation
Know where you actually stand.

The firm wants to confirm that its security posture is solid — or identify weaknesses and build the budget case to address them. In both outcomes, the firm is better off than not knowing. The result is confidence for leadership, the board, and clients.

02 — Regulatory Requirement
The examiner is going to ask.

The SEC, FINRA, NYDFS, and state insurance departments ask for copies of security assessments during examinations. Having a current, comprehensive assessment ready is a compliance expectation. Firms without one face harder questions and increased scrutiny.

03 — Home Office Requirement
Annual oversight — or enforcement triggered.

The home office, carrier, or broker-dealer above the sales office requires annual security assessments as part of its oversight. This can be a standing calendar item built into the affiliation agreement — or triggered by enforcement after an incident or audit finding.

04 — Mergers & Acquisitions
Seller credibility. Buyer diligence.

On the sell side, a strong assessment adds to credibility and negotiating position. On the buy side, the acquirer needs to understand and reduce liability. A poor assessment can directly reduce acquisition value — or introduce conditions and holdbacks into the deal.


Interconnection

The assessment touches every domain FCI manages.

A security assessment is not a separate product — it is a diagnostic over the same six domains that FCI enforces every day. The layers of the assessment map directly to the domains. When FCI finds gaps, the remediation happens within the managed cybersecurity services that address those domains in the first place.

Endpoint Security
Device inventory, encryption, patching, and EDR controls — verified during the gap analysis and tested during penetration testing.
User Security
MFA enforcement, access provisioning, and credential exposure — tested across the gap analysis, cloud hardening, and attack surface layers.
Network Security
Firewall configuration, internal segmentation, and penetration paths — the focus of Layer 2, internal and external penetration testing.
Data Security
Data classification, DLP enforcement, encryption, and exfiltration controls — verified across the gap analysis and cloud hardening layers.
Cloud App Security
Microsoft 365 configuration, Secure Score, conditional access, and shadow IT — the full focus of Layer 3, cloud application hardening.
Firm Security
Incident response readiness, 24×7 SOC integration, FCI Portal evidence, and the coordination that ties every assessment finding into a single picture.

Start with a 30-minute gap analysis.

FCI works with broker-dealers and branch offices, insurance carriers and agencies, and RIAs. The gap analysis tells the firm where it stands today — and which of the four assessment layers it actually needs. In 30 minutes you will have a clear picture, not a guess.