Notes, analysis, commentary, and research for financial institutions.
Written for the CCO, COO, and managing partner who carry the cybersecurity compliance obligation — not the MSP. Every article is anchored to a specific SEC rule and reflects what actually happens in examinations and engagements.
The insider threat at a financial firm is not usually a spy. Six attack patterns from the adversary point of view — grounded in the CISA framework and mapped to the rules an examiner will hold you to.
Google Workspace is a capable compliance platform for an RIA — but only at the right edition, and only when the security controls that ship switched off are deliberately switched on. The single most expensive mistake advisers make here is assuming a Business-tier plan is enough. It is not: the controls the safeguards rule effectively […]
Most RIAs already own Microsoft 365. Far fewer have configured it to do the one thing the SEC now expects it to do: enforce, evidence, and retain the safeguards your written policies promise. The gap between “we have M365” and “we can demonstrate the safeguards rule to an examiner” is almost entirely a deployment problem […]
One compromised employee mailbox at a wealth management firm reached a backup holding 27,076 clients’ Social Security and bank details. A breach teardown — and what amended Reg S-P now expects on identity, backup segmentation, and the 30-day notice clock.
A subscription phishing kit (FBI Alert I-052126-PSA) hijacks Microsoft 365 OAuth tokens with no password and no MFA prompt. Why it is a Reg S-P and 206(4)-7 problem, and the Conditional Access change to make this week.
A five-sign self-assessment for RIA compliance officers — when a fractional Remote CISO closes the cybersecurity accountability gap the amended Reg S-P now assumes, at a fraction of a full-time hire.
On June 12, 2026, a US government directive forced two AI models offline for every customer with no notice and no restoration date. For any firm that had built a workflow on one of them, the lesson is not that a model disappeared. The lesson is that AI governance has to operate in real time.
The June 3 compliance date for the amended Regulation S-P has passed for smaller firms. The five documents an examiner will request first — and the 30-day clock most incident response plans still don’t mention.
The Division of Examinations published its FY2026 priorities. Translated from priority language into evidence requests: governance, DLP, access controls, ransomware recovery, Reg S-ID, Reg S-P, and AI.
What reviewing cybersecurity actually means when you aren’t a technician: the evidence to pull, the three sentences every finding reduces to, and the calendar that makes year two take half the time.
More than $2 billion in penalties later, the off-channel communications sweep reached investment advisers. The violation is not using WhatsApp — it is conducting business in a channel the firm does not capture.
The fraudulent wire request arrives in a genuine thread, from the genuine address, referencing genuine details. The only control that catches it is one that never trusts email at all.
Every safeguards obligation shares one silent prerequisite: knowing where customer information actually lives. A five-column worksheet beats a data-governance platform — if it gets maintained.
Most departing employees take nothing. The procedure exists because you cannot know in advance which departure is the exception — and the window between resignation and access removal is where it goes wrong.
Type and period, scope, subservice organizations, exceptions, CUECs: the thirty-minute method that turns a vendor’s SOC 2 from a filed PDF into an operating control.
Your AI policy may say the firm doesn’t use generative AI. Your vendor stack disagrees. Five questions to send every vendor that touches client data — and the tenant audit that takes one afternoon.
The premium was priced on your application’s answers; the claim will be adjusted against them. An annual reconciliation closes the gap between what the firm represented and what the environment does.
Institutional-sized assets, household-sized security programs, and no SEC examination program forcing the issue. The five documents that cover the losses family offices actually take.
SPF, DKIM, and DMARC explained — and why the real weakness is inconsistent enforcement across providers. A practical tightening checklist for RIAs, plus how to use DMARC reporting as an intelligence tool.
The written risk and threat assessment is the single most-requested document in an SEC cyber exam. What a Cyber Risk Vulnerability Threat Assessment (CRVT) covers, how it is performed, and what it produces.
How a single stolen iPhone plus its unlock PIN can cascade into a corporate network compromise under BYOD — and the layered mitigations for both employees and institutional policy.
When an SEC examiner asks about cybersecurity, the answer should be a folder, not a conversation. The documents firms are actually asked to produce — and what each one proves.
The client mix has shifted from proactive audit work to reactive breach response. Why phishing still wins, why MFA so often has holes around it, and why the endpoint is where programs fall apart.
The November 2025 SEC order against M Holdings shows how the SEC evaluates cybersecurity programs today: enforceable baselines, evidence-based supervision, and incident response that works outside a binder.
When AI systems can autonomously find and exploit vulnerabilities at scale, the patch-and-respond timeline defenders have always relied on collapses. What that means for small RIAs — and why documenting your reasoning now matters.
A plain-language briefing on the 2024 Regulation S-P amendments: the written incident response program, the 30-day notification clock, 72-hour vendor breach standard, expanded definitions, and five-year recordkeeping.
Five recurring Microsoft 365 and Azure deficiencies I find in nearly every RIA assessment — half-enabled MFA, DLP in name only, unreviewed logs, untuned Defender, and exposed Azure workloads — and the benchmark that fixes them.
The amended Regulation S-P requires a workable incident response program — and the SEC judges incident response by how a firm reacts, not what is in the binder. What a tabletop exercise is, why it matters, and what evidence of testing looks like.
Regulation S-ID requires a written Identity Theft Prevention Program — but the SEC now treats identity theft as a cyber-first risk. Why most Red Flags programs are static documents that no longer survive an exam, and how to fix them.
AI does not trigger a new regulatory regime — it operates within the one that already exists. The ten questions RIAs ask about supervising AI under current SEC rules, answered.
Microsoft 365 already contains the controls an RIA needs to meet its SEC cybersecurity obligations. The gap is configuration, evidence, and the space between the MSP and the CCO.
In intelligence work you never rely on what a subject tells you — you validate the story through independent collection. The same discipline applied to RIA vendor oversight, using OSINT.
Three converging forces — vendor concentration, AI data absorption, and the quantum decryption threat — are reshaping RIA risk. The case for reclaiming control over mission-critical data.
A compliance-aligned guide to external visibility: using Shodan to document what the outside world can already see — without crossing into penetration testing — and turning it into the written risk assessment examiners request.
Cybersecurity has moved from a delegated IT function to a personal executive liability issue. What the SolarWinds action signals, why the MSP is usually the weakest link, and five ways executives protect themselves.
A vulnerability scan run remotely through a tunnel is not the same as one run inside the network. Why the difference matters for SEC compliance, and the questions executives should ask their IT team.
The January 2026 Betterment incident broke no encryption and hacked no infrastructure. An attacker socially engineered a third-party communications platform — the modern pattern every RIA should understand.
A practitioner framework for RIA executives making defensible AI decisions: five compliance pillars and the technical control stack that enforces them under existing SEC rules.