ELTENI’S CYBER SCOOP
Latest News
In this newsletter, we focus on the financial industry's push for a more balanced regulatory reporting requirement under CISA's CIRCIA rule, landmark enforcement actions highlighting the intersection of cyber and operations in financial institutions, and more cyber breaches in the news.
REGULATORY CORNER
Financial Organizations Advocate for Revisions to CIRCIA Implementation
CIRCIA, which was signed into law in March 2022, requires covered entities to report any major cybersecurity incident within 72 hours and to report ransomware payments within 24 hours of making the payment. CISA's proposed rules to implement CIRCIA are set to take effect in October 2025, but the American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association believe the rules would have detrimental repercussions in their current form.
The coalition of financial organizations has urged the Cybersecurity and Infrastructure Security Agency (CISA) to reconsider the proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The groups express concerns that the current proposal may impose undue burdens on financial institutions and seek a more balanced approach to incident reporting requirements.
Notes
The dissenting opinions reflect concerns that the agency may be overreaching in its pursuit of transparency, potentially penalizing companies for not disclosing details that may not have been materially relevant to investors. This case underscores the evolving nature of cybersecurity compliance and the increasing pressure on organizations to provide clear, defensible disclosures. As regulatory expectations grow, companies must refine their incident response strategies to ensure they not only comply with SEC rules but also communicate cyber risks in a way that genuinely informs investors without unnecessary speculation or over-disclosure. If the SEC begins enforcing a stricter disclosure standard, companies may struggle with the balance between timely, relevant reporting and avoiding excessive regulatory scrutiny.
Financial Organizations Urge CISA to Revise Proposed CIRCIA Implementation | SecurityWeek
ENFORCEMENT NEWS
SEC Charges Two Sigma for Failing to Address Known Vulnerabilities in its Investment Models
In January 2025, the Securities and Exchange Commission announced settled charges against New York-based investment advisers Two Sigma Investments LP and Two Sigma Advisers LP (collectively, Two Sigma) for breaching their fiduciary duties by failing to reasonably address known vulnerabilities in their investment models.
According to the SEC’s order, in or before March 2019, Two Sigma employees identified and recognized vulnerabilities in certain Two Sigma investment models that could negatively impact clients’ investment returns, but Two Sigma waited until August 2023 to address the issues. Despite recognizing these vulnerabilities, Two Sigma failed to adopt and implement written policies and procedures to address them and failed to supervise one of its employees who made unauthorized changes to more than a dozen models, which resulted in Two Sigma making investment decisions that it otherwise would not have made on behalf of its clients.
Notes
The SEC’s $90 million penalty against Two Sigma marks a pivotal moment for financial firms, signaling tougher scrutiny of cybersecurity governance beyond breaches or ransomware. The case centers on the firm’s failure to address known internal vulnerabilities that harmed trading performance—highlighting that cybersecurity is now seen as a fiduciary duty, not just an IT issue. For hedge funds and asset managers, the message is clear: ensure transparency around algorithmic and data-driven process risks, act swiftly on internal cyber findings, and review disclosures to regulators and investors. This case reflects a broader SEC shift toward treating cyber negligence as investor harm, pushing firms to better align CISOs, legal, compliance, and risk teams.
CYBER NEWS
Financial Fraud Claims Surge Due to Third-Party Breaches | Dark Reading
A recent report indicates that while ransomware remains the costliest cyber threat, incidents of financial fraud have become more prevalent, often resulting from security failures at third-party firms. These breaches underscore the need for robust third-party risk management strategies within financial institutions.
Finastra Investigates Significant Data Breach | Krebs on Security
Financial software firm Finastra is investigating a data breach involving the alleged theft of over 400 gigabytes of data from its internal file transfer platform. The breach, which came to light in November 2024, raises concerns about the security of sensitive financial data managed by third-party vendors.
Treasury Bureau Reports Major Cybersecurity Incident | CyberScoop
The Office of the Comptroller of the Currency (OCC) notified Congress of a significant cybersecurity incident in February 2025, involving the theft of highly sensitive information related to federally regulated financial institutions. The breach highlights ongoing vulnerabilities in government agencies overseeing the financial sector.
SAP Zero-Day Vulnerability Under Active Exploitation | CyberScoop
A critical zero-day vulnerability in SAP NetWeaver (CVE-2025-31324) is under widespread exploitation. The flaw allows attackers to upload files to the system without authorization, posing significant risk to organizations running SAP software. It carries a CVSS base score of 10, the maximum severity rating. Security researchers have observed active exploitation in the wild, underscoring the need for immediate patching and mitigation measures.
DECODE THE TERMS
IAM (Identity and Access Management) – Policies and technologies to manage user access in cloud environments.
LOTL (Living off the Land) – Attacks that use legitimate system tools to perform malicious activities.
IOC (Indicators of Compromise) – Evidence or artifacts of an intrusion.