Case Study 02 · Financial / RIA IT · McKinney

Internal vs. outsourced IT for a McKinney investment advisory firm

8 min read·Updated June 2026·37 Forge · McKinney TX

A registered investment adviser (RIA) based in McKinney manages about $600M in assets for roughly 400 households, with offices in Frisco and Plano and around 18 staff. Technology was handled the way many small advisory firms handle it: an operations manager who doubled as the firm's "computer person," with a break-fix shop for the harder problems. The custodial portals, the CRM, the portfolio-management system, and email all worked, so no one pushed for more.

Two developments changed that. The SEC's amendments to Regulation S-P, finalized in 2024, now require RIAs to maintain a written incident-response program, oversee their vendors, and notify affected clients within 30 days of a breach of sensitive customer information, with smaller advisers expected to comply by June 2026. Around the same time, a phishing email impersonating a client nearly redirected a wire, and a routine mock exam surfaced gaps in email archiving and the books-and-records retention required under SEC rules.

For an advisory firm, these are not background IT tasks. A breach of client financial data is now a federal reporting event, exam deficiencies carry fines and reputational damage, and trust is the entire product. Leadership asked the question facing many growing McKinney firms: is one internal "tech person" still enough, or does the firm need an outsourced IT partner that understands financial-services compliance?

The short answer

For a very small advisory office, one capable internal person can keep the lights on. Once a McKinney RIA carries SEC Regulation S-P obligations and client financial data, an outsourced IT partner delivers security expertise, documented compliance, and around-the-clock coverage, usually at a lower total cost than a dedicated in-house hire.

Internal IT vs. outsourced IT, side by side

Internal IT1 Generalist
Strengths
Knows the team and how the firm runs day to day
On-site for quick, in-person help
Full control in-house, with no outside vendor involved
Where it strains
When that person is out sick or on vacation, there is no coverage
Security and SEC compliance get handled between other duties, with no dedicated owner
No after-hours monitoring, so intrusions can go unnoticed for weeks
One generalist can't specialize in security, networking, cloud, and Reg S-P at once
External / Outsourced ITManaged Provider
What changes
Round-the-clock monitoring that catches most issues before staff do
Separate specialists for security, networking, cloud, and compliance
Someone responds to after-hours security alerts the same night
Documented safeguards and email archiving that support SEC books-and-records rules
Coverage does not depend on any single person being available
Trade-offs
Support comes through a help desk rather than one person down the hall
An onboarding period to learn the firm's platforms and workflows

The verdict, dimension by dimension

Dimension
Internal IT
External IT
Total cost of ownership
Salary + benefits + tools
25–45% less
Security & SEC compliance
Side-duty
Reg S-P program + specialists
Scalability
Hire to grow
Add advisors or an office, no hire
After-hours coverage
Business hours
24 / 7 / 365
Day-one familiarity
Knows the firm
Short ramp
Net verdictExternal IT comes out ahead

Why the stakes are higher in financial-services IT

$5.9M
Average financial-sector data breach, 2024 (2nd only to healthcare)
30 days
SEC Reg S-P client breach-notification window
168 days
Average time to identify a finance-industry breach
78%
Of financial institutions reported a ransomware attack
The 37 Forge difference

How 37 Forge wins

An outside team only helps if it shows up like part of yours. 37 Forge gives a Collin County firm the depth of a specialist team while keeping the things people value about having someone in-house.

We actually pick up
A local Collin County team answers the phone and responds the same day, including after hours.
Built for financial firms
Experience with SEC Reg S-P safeguards, email archiving and books-and-records retention, and the custodial, CRM, and portfolio platforms advisers use.
Engineers who learn your firm
You work with the same people over time, so you keep the familiarity of in-house without the single-person risk.
Not sure where your firm stands? Get a free, no-obligation IT and SEC Reg S-P readiness assessment.
Request your assessment
Figures are drawn from published industry benchmarks and applied to a representative scenario. They illustrate the stakes and are not a guarantee of results.
[1] IBM Cost of a Data Breach 2024 (financial industry): ibm.com/think/insights/cost-of-a-data-breach-2024-financial-industry  ·  [2] SEC Regulation S-P amendments (2024): comply.com/resource/secs-regulation-s-p-amendments-what-organizations-need-to-know  ·  [3] Sophos State of Ransomware, financial services: sophos.com