ELTENI’S CYBER SCOOP
Latest News
In this newsletter: the California Privacy Protection Agency releases new CCPA cybersecurity regulations, incident response professionals are charged over a string of ransomware attacks, and Salesforce customers, F5 and Anthropic's Claude feature in recent cyberattack news.
REGULATORY CORNER
New CCPA Cyber Regulations Released
The California Privacy Protection Agency (CPPA) released new regulations in September 2025 that mandate annual cybersecurity audits for high-risk businesses. These new rules also require risk assessments, provide new consumer rights regarding automated decision-making technology (ADMT), and detail what businesses must include in their cybersecurity programs, such as encryption and incident response planning. These regulations begin to take effect on January 1, 2026. Key requirements of the new rules:
Cybersecurity audits: Businesses that present a “significant risk” to consumer data must conduct an annual cybersecurity audit.
Risk assessments: Companies must conduct risk assessments for certain high-risk processing activities, including selling or sharing personal information, using ADMT for significant decisions, and processing sensitive personal information.
Automated decision-making technology (ADMT): Businesses must provide consumers with the ability to opt out of ADMT when it replaces or substantially replaces human judgment.
Audit scope: The regulations specify that audits must assess the components of the cybersecurity program, such as authentication, access controls, encryption, and incident response planning. Businesses must produce a detailed audit report and have an executive certify its completion.
Notes
With timing similar to the Reg S-P cyber updates, California's newly adopted CCPA regulations move privacy into evidence-based governance for investment advisers: they mandate annual cybersecurity audits for "significant risk" processing, with independent reporting lines for the auditor, documented risk assessments for high-risk activities, and transparency and opt-outs for automated decision-making technology (ADMT). Firms must expand privacy policies, honor browser-based opt-out signals, and be able to fulfill access requests for data going back to Jan 1, 2022. Audits must be performed annually and audit reports retained (typically five years); risk assessments must be updated at least every three years, or upon material change, and retained for five years; and certain businesses must begin submitting annual certifications and risk-assessment summaries to California regulators on a staggered schedule starting in 2028, moving to an annual cadence thereafter. For RIAs the to-dos are clear: stand up an audit program aligned to the rule's enumerated controls, build a repeatable risk-assessment playbook, maintain an ADMT register with human-in-the-loop review and appeal paths, and update Data Subject Access Request (DSAR) operations and vendor contracts ahead of 2026.
New CCPA Rules are here: Is Your Business Ready for What’s Next? | JDSupra
ENFORCEMENT NEWS
Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks
Federal prosecutors allege that three cybersecurity professionals, whose job was to help companies respond to ransomware attacks, instead carried out their own ransomware schemes against five U.S. businesses in 2023. Ryan Clifford Goldberg, Kevin Tyler Martin and an unnamed co-conspirator, all U.S. nationals, began using ALPHV, also known as BlackCat, ransomware to attack companies in May 2023, according to indictments and other court documents filed in the U.S. District Court for the Southern District of Florida. Victims of the attacks, which spanned a six-month period in 2023, included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor's office, an engineering company based in California and a drone manufacturer in Virginia.
Notes
Although these alleged intrusions may have been launched from outside the victims' networks, the accused had insider knowledge of how those companies operate, and that knowledge is exactly what makes a ransomware attack succeed. This case is a gut-check for RIAs: an insider threat is not just a disgruntled employee; it can be the incident responders you hire. Vendor oversight must therefore go beyond SOC 2 reports and glossy credentials. Require named-personnel vetting and background checks, conflict-of-interest attestations, least-privilege and just-in-time (JIT) access with session recording, and immutable activity logs that you can review yourself. Bake into MSAs the right to audit, rapid personnel substitution on suspicion, breach-of-trust termination clauses, and liability that survives subcontracting. Operationally, rotate every credential the vendor touched after each engagement, segregate incident-response environments from production, and monitor for exfiltration and API anomalies tied to vendor accounts. Treat third-party incident responders like privileged insiders: trust, but verify.
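As an illustration of the operational checks above (JIT access bounded to an engagement window, an allow-list of vendor source addresses, and monitoring for bulk data movement by vendor accounts), here is a small review script. It is an added example written for this newsletter, not code from the vendor, the court filings or any product; the log format, the field names, the engagement records and the 100 MiB bulk threshold are all assumptions, and every log line is constructed.

```python
"""Added example (editor illustration, not vendor or court material):
review activity by third-party incident-response accounts against the
engagement window and network the firm granted them. Every log line below
is constructed for this example; the log format and field names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone


# One record per vendor account the firm provisioned (assumed structure).
@dataclass(frozen=True)
class Engagement:
    account: str
    start: datetime
    end: datetime
    allowed_ips: frozenset


ENGAGEMENTS = {
    "ir-vendor-1": Engagement(
        "ir-vendor-1",
        datetime(2023, 5, 1, tzinfo=timezone.utc),
        datetime(2023, 5, 15, tzinfo=timezone.utc),
        frozenset({"203.0.113.10"}),
    ),
}

# Constructed sample log: "<ISO-8601 UTC> <account> <source IP> <action> <bytes>".
SAMPLE_LOG = """\
2023-05-02T09:15:00Z ir-vendor-1 203.0.113.10 login 0
2023-05-02T10:40:00Z ir-vendor-1 203.0.113.10 read_file 20480
2023-05-03T02:10:00Z ir-vendor-1 198.51.100.7 login 0
2023-05-03T02:12:00Z ir-vendor-1 198.51.100.7 export_share 734003200
2023-05-04T08:00:00Z ir-vendor-2 203.0.113.10 login 0
2023-06-20T11:00:00Z ir-vendor-1 203.0.113.10 login 0
"""

# Any single action moving at least this much data is flagged (threshold assumed).
BULK_BYTES = 100 * 1024 * 1024


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    ts, account, ip, action, size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, account, ip, action, int(size)


def review_vendor_activity(log_text: str, engagements=ENGAGEMENTS, bulk_bytes=BULK_BYTES):
    """Return (timestamp, account, reason) findings for lines that violate the
    least-privilege / JIT expectations of the vendor engagement."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, ip, action, size = parse_line(line)
        stamp = when.isoformat()
        eng = engagements.get(account)
        if eng is None:
            # An account nobody provisioned: a stale record or a rogue credential.
            findings.append((stamp, account, "no engagement on record"))
            continue
        if not eng.start <= when <= eng.end:
            # Any activity after the window means the credential was not revoked or rotated.
            findings.append((stamp, account, "activity outside engagement window"))
        if ip not in eng.allowed_ips:
            findings.append((stamp, account, f"source {ip} not on engagement allow-list"))
        if size >= bulk_bytes:
            findings.append((stamp, account, f"bulk data movement: {action} {size} bytes"))
    return findings


if __name__ == "__main__":
    for finding in review_vendor_activity(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log, the script flags the unknown source address, the 700 MB share export from that address, an account with no engagement on file, and a login five weeks after the engagement ended, which is the signal that credentials were never rotated. In practice the allow-list and engagement dates would come from the ticket that authorized the engagement, and the findings would feed the immutable log review the MSA gives you the right to perform.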
Prosecutors allege incident response pros committed a string of ransomware attacks | CyberScoop
CYBER NEWS
FBI Warns of Threat Actors Hitting Salesforce Customers | DarkReading
The FBI warned that two threat actors are targeting Salesforce customers in order to steal data from and extort them. The advisory, published in early September by the FBI's Internet Crime Complaint Center (IC3), concerns two threat actors: UNC6040 (also known as ShinyHunters) and UNC6395. UNC6040 specializes in voice phishing, or vishing, and was recently observed posing as IT support staff to talk its way into Salesforce environments. UNC6395, meanwhile, is best known for using OAuth tokens stolen from Salesloft's Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year.
F5 discloses breach tied to nation-state threat actor | CyberScoop
F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.
The Cybercrime Tsunami: How Firms Can Stay Afloat in an Age of Digital Predation | FinExtra
The current wave of cybercrime is unlike anything we have seen before. It is not merely about hacking websites or stealing credit card numbers—it is about organized, AI-enhanced, and deeply adaptive adversaries exploiting every weakness, from software vulnerabilities to human psychology. The “bad actors” of the past have evolved into professionalized syndicates, leveraging automation, artificial intelligence (AI), and machine learning (ML) to scale their attacks at unprecedented speed and sophistication.
AI firm claims Chinese spies used its tech to automate cyber attacks | BBC
The makers of artificial intelligence (AI) chatbot Claude claim to have caught hackers sponsored by the Chinese government using the tool to perform automated cyber-attacks against around 30 global organizations. Anthropic said hackers tricked the chatbot into carrying out automated tasks under the guise of carrying out cyber security research.
DECODE THE TERMS
Greylisting – A spam-filtering technique in which a mail server answers the first delivery attempt from an unknown sender with a temporary SMTP rejection and accepts the message only when the sending server retries after a delay. Legitimate mail servers retry; much spam-sending software does not.
Steganography – Concealing data inside innocuous-looking files such as images, audio or video. Attackers use it to hide malicious code, command-and-control instructions or stolen data where content filters and casual inspection will not find them.
Malvertising – Delivering malware or malicious redirects through legitimate online advertising networks, so that the malicious content appears on otherwise trusted websites.
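To make the Greylisting entry above concrete, here is the decision a greylisting mail server makes for each delivery attempt. This is an added example written for this newsletter, not code from any mail product; the five-minute minimum delay, the four-hour expiry and the choice to key IPv4 clients by their /24 network are typical settings but assumed here.

```python
"""Added example (editor illustration, not from the newsletter): the greylisting
decision an SMTP server makes for each (client network, sender, recipient)
triplet. Delay and expiry values are typical but assumed."""
from datetime import datetime, timedelta, timezone

SMTP_OK = 250                # accept the message
SMTP_TRY_AGAIN_LATER = 450   # temporary failure; a real MTA retries later


def network_key(client_ip: str) -> str:
    """Key IPv4 clients by their /24 so that a sender pool retrying from a
    neighbouring address still matches its earlier attempt (a common choice
    in greylisting implementations). Other strings are used unchanged."""
    parts = client_ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ".".join(parts[:3]) + ".0/24"
    return client_ip


class Greylist:
    def __init__(self, delay=timedelta(minutes=5), expiry=timedelta(hours=4)):
        self.delay = delay      # minimum wait before a retry is accepted
        self.expiry = expiry    # forget a triplet that never retries within this
        self.pending = {}       # triplet -> time of first attempt
        self.passed = set()     # triplets that completed a retry (a real server
                                # would also expire these after weeks of silence)

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: datetime) -> int:
        """Return the SMTP reply code to send at RCPT TO for this attempt."""
        triplet = (network_key(client_ip), mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return SMTP_OK
        first = self.pending.get(triplet)
        if first is None or now - first > self.expiry:
            # First sight (or a stale entry): record it and ask the sender to retry.
            self.pending[triplet] = now
            return SMTP_TRY_AGAIN_LATER
        if now - first < self.delay:
            # Retrying immediately also looks like spamware; keep rejecting.
            return SMTP_TRY_AGAIN_LATER
        self.passed.add(triplet)
        del self.pending[triplet]
        return SMTP_OK


if __name__ == "__main__":
    g = Greylist()
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    for minutes in (0, 1, 6):
        print(minutes, g.check("203.0.113.10", "alice@example.com", "bob@example.org",
                               t0 + timedelta(minutes=minutes)))
```

The cost of greylisting is that first-contact mail from a legitimate sender is delayed by one retry interval, and senders that rotate outbound addresses across different networks on each retry can be delayed repeatedly, which is why implementations whitelist known large providers and key on the network rather than the exact address.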