ELTENI’S CYBER SCOOP
Latest News
In this newsletter, we focus on delays in the implementation of the proposed cybersecurity reporting rules for investment advisers, the importance of strong, proactive cyber programs that align with Reg S-P, and awareness of secondary attack vectors involving vendors or counterparties.
REGULATORY CORNER
CISA pushes final cyber incident reporting rule to May 2026
The Cybersecurity and Infrastructure Security Agency (CISA) is delaying, until May of next year, finalization of a rule that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.
Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.
“CIRCIA will have a significant impact on the U.S. cyber landscape, so it’s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress’s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes,” said Leopold Wildenauer, director of cybersecurity policy for the group.
Notes
The delay of CIRCIA’s final rule to May 2026 is more than a procedural change; it is a signal. From a regulatory oversight perspective, the delay suggests that the government is wrestling with balancing tail risk and national security needs against the harm over-regulation would do to industry. For funds, this reflects a broader trend: regulators (federal, state, or international) are moving from voluntary best practices toward legally binding rules, with tightening expectations around visibility (what happened and when), timeliness (how quickly you report), and transparency (what you pay in ransomware, etc.), and greater emphasis on harmonization so that entities are not pulled in multiple directions. In the future, this kind of rule may also influence other rulemaking (e.g., SEC, Treasury), so that what CIRCIA requires may become the baseline for what other regulators expect. For financial funds and asset managers, this is a last chance to ensure that internal processes, legal posture, and risk frameworks are aligned with what is coming. Waiting until the rule is finalized to start preparing risks surprise costs, exposure, and reputational harm. Those who use the time wisely can convert regulatory compliance into a competitive advantage: better resilience, better disclosures, and stronger trust among investors.
CISA pushes final cyber incident reporting rule to May 2026 | CyberScoop
ENFORCEMENT NEWS
RapperBot Botnet Disrupted, American Administrator Indicted
The US Department of Justice (DOJ) announced charges against a US national for his alleged role in operating a distributed denial-of-service (DDoS) botnet. The man, Ethan Foltz, 22, of Eugene, Oregon, was the alleged administrator of the botnet known as RapperBot, Eleven Eleven Botnet, and CowBot, which abused ensnared IoT devices, mainly DVR devices and Wi-Fi routers, to launch massive DDoS attacks against victims in more than 80 countries.
According to the indictment, Foltz and his co-conspirators sold access to the botnet’s capabilities. Between April and August 2025, RapperBot was allegedly used to launch over 370,000 DDoS attacks against 18,000 unique victims. A US government network, US tech companies, and a social media platform were among the targeted organizations, documents presented in court show. Foltz has been charged with aiding and abetting computer intrusions and faces up to 10 years in prison if found guilty.
Notes
While not directly targeting investment advisers, the case highlights how vulnerable third-party networks and connected devices can fuel attacks that disrupt client-facing systems. Regulators increasingly expect RIAs to treat service disruptions, not just data breaches, as material cyber incidents subject to reporting obligations (e.g., Reg S-P amendments). Availability, resilience, and vendor oversight are now central to a strong compliance posture.
Key risks:
Operational: Client portals, trading systems, and communications could be disrupted if vendors or service providers are affected.
Regulatory: Service outages may trigger reporting or exam scrutiny under new SEC rules.
Reputational: Even temporary downtime can erode client trust and investor confidence.
Recommended actions:
Vendor Oversight: Confirm that third-party providers patch IoT/network devices promptly and notify us of security events.
Resilience Planning: Ensure incident response plans address DDoS and availability attacks, not just data theft.
Monitoring: Evaluate current detection tools for network anomalies; consider layered DDoS protection.
Disclosure Readiness: Review policies for reporting cyber incidents to regulators and clients.
RapperBot Botnet Disrupted, American Administrator Indicted | SecurityWeek
CYBER NEWS
The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft | KrebsOnSecurity
The recent mass theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interactions into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.
Sebi’s cybersecurity framework to ease burden, say experts | Economic Times
The Securities and Exchange Board of India’s (SEBI) recent clarifications on its Cybersecurity and Cyber Resilience Framework (CSCRF) have introduced graded compliance norms to ease the burden on smaller intermediaries; experts caution, however, that challenges remain, particularly for smaller and mid-sized firms. The core tension, according to experts, lies between strengthening resilience and avoiding a compliance-heavy, paperwork-driven regime. At the same time, the framework is seen as progress in aligning India with globally recognized practices, such as those set by the National Institute of Standards and Technology (NIST).
JSON Config File Leaks Azure Active Directory Credentials | DarkReading
A publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure Active Directory (AD), potentially allowing cyberattackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments. And while the specific company affected closed the loophole, the discovery showcases a whole class of critical cloud misconfiguration that enterprises need to watch out for.
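As an added example (not code from the DarkReading article or any affected company), a small pre-deployment check that parses an ASP.NET Core appsettings.json and flags literal secrets such as an AzureAd ClientSecret or a password embedded in a connection string; the sample file content and its values are constructed.

```python
import json
import re

# Constructed sample of an ASP.NET Core appsettings.json with an Azure AD
# client secret and a database password hard-coded in the file.
SAMPLE_APPSETTINGS = """
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "EXAMPLE~not.a.real.secret.value"
  },
  "ConnectionStrings": {
    "Default": "Server=db;Database=app;User Id=app;Password=EXAMPLEpw;"
  },
  "Logging": { "LogLevel": { "Default": "Information" } }
}
"""

# Key names whose values should never be stored in a file that may be
# committed to source control or served by the web server.
SENSITIVE_KEYS = re.compile(r"(secret|password|pwd|apikey|api_key|token)", re.I)
# Values that are empty or reference an external store (user secrets,
# environment variable, Key Vault) rather than containing the secret itself.
PLACEHOLDER = re.compile(r"^\s*(\$\{.*\}|\{.*\}|<.*>|)\s*$")


def find_embedded_secrets(text):
    """Return 'Section:Key' paths whose string values look like literal secrets."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, str):
            key = path[-1] if path else ""
            # A sensitive key holding a real, non-placeholder value
            if SENSITIVE_KEYS.search(key) and not PLACEHOLDER.match(node):
                findings.append(":".join(path))
            # A connection string with an inline password
            elif re.search(r"password\s*=\s*[^;]+", node, re.I):
                findings.append(":".join(path))

    walk(json.loads(text), [])
    return findings
```

Run it over every appsettings*.json before deploy; an empty or placeholder ClientSecret passes because the real value is expected to come from user secrets, an environment variable or Key Vault at runtime.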
Gucci, Balenciaga and Alexander McQueen private data ransomed by hackers | BBC
Cyber criminals have stolen the private details of potentially millions of Balenciaga, Gucci and Alexander McQueen customers in an attack. The stolen data includes names, email addresses, phone numbers, addresses and the total amount spent in the luxury stores around the world. Kering, the parent company of the luxury brands, has confirmed the breach and says it disclosed the incident to the relevant data protection authorities. It said no financial information, such as card details, was stolen.
DECODE THE TERMS
SOAR (Security Orchestration, Automation, and Response) – A platform that automates security operations.
Pass-the-Hash (PtH) – An attack that uses hashed passwords to authenticate without cracking them.
Threat Hunting – The proactive search for threats that have bypassed security defenses.