ELTENI’S CYBER SCOOP

Latest News

In this newsletter: the SEC's cybersecurity amendments to Regulation S-P, continued enforcement for inadequate cybersecurity procedures, and trends in cybersecurity underinvestment and ransomware.

REGULATORY CORNER

ICYMI: Rollout of the SEC amendments to Reg S-P has begun

On May 15, 2024, the SEC amended Regulation S-P to require covered institutions to maintain a written incident response program designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program must include procedures to:

  • assess incident scope and contain/control impacts,
  • oversee service providers through due diligence and monitoring, and
  • notify affected individuals when sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.

Notices must be issued as soon as practicable, but no later than 30 days after the institution becomes aware of the actual or likely unauthorized access/use, and must describe the incident, the data involved, and steps individuals can take to protect themselves.

Compliance deadlines for the new amendment are December 3, 2025, for large institutions ($1B+ in AUM) and June 3, 2026, for small institutions (under $1B in AUM).

Notes

These amendments establish a federal baseline, reducing variation across state privacy and breach-notification regimes. They can also be viewed as a pivot from the SEC’s previously proposed cybersecurity rulemaking, which was later withdrawn. While shifting oversight to a different regulatory framework may send a mixed signal, the SEC’s enforcement message is clear: examination priorities include governance and controls for data loss prevention, access controls, account and identity management, third-party risk oversight, and incident response and recovery (including ransomware). Exams are also expected to focus on training and controls to identify and mitigate AI-related risks, including the accuracy of registrants’ statements about AI use and capabilities. The Division will evaluate whether firms have adequate policies and procedures to oversee AI use and to operationalize threat-intelligence information.

ENFORCEMENT NEWS

M Holdings charged for deficient cybersecurity procedures

M Holdings Securities, Inc., a Portland, Oregon-based broker-dealer and investment adviser, agreed to settle charges that, from July 2019 through March 2024, it failed to maintain reasonably designed policies and procedures for cybersecurity, safeguarding customer information, and identity theft prevention.

During that period, several branch offices experienced email account takeovers that exposed records and personally identifiable information for approximately 8,500 individuals, including many customers. The order states that M Holdings had no written, firmwide information security policies governing its member firms until September 2020, when it adopted an information security policy requiring member firms to implement their own controls.

The order further finds that the policy was not reasonably designed because M Holdings knew that many member firms, including those impacted by the takeovers, still lacked required controls through March 2024, such as multi-factor authentication, annual security awareness training, and written incident response policies.

Notes

Cybersecurity governance, particularly well-designed and effectively implemented policies and procedures to protect sensitive firm and client information, remains a core regulatory focus. In this case, gaps in governance and oversight allowed unauthorized access and exposure of sensitive data to persist over an extended period. Attempting to remediate those deficiencies reactively, under the pressure of an active incident, proved insufficient: the firm lacked clear, enforceable guidance to manage the immediate event and did not establish durable controls to reduce the likelihood or impact of future incidents. There is no silver bullet, but proactively strengthening governance provides a structured framework for continuous improvement over time.

M Holdings to pay $325k fine to settle SEC charges for deficient cybersecurity procedures | FX News Group

CYBER NEWS

Study Reveals Businesses Continue to Underinvest in Cybersecurity | Cybersecurity Insiders

Research conducted by cybersecurity firm Guardz highlights this concerning trend. The study found that many SMBs are still underinvesting in strengthening their IT infrastructure against cyber threats. This includes insufficient spending on modern security tools, outdated systems, and a lack of proactive measures to identify and remediate emerging vulnerabilities. Even more alarming is the finding that over 50% of SMBs continue to assign critical cybersecurity responsibilities to underqualified personnel and 69% of surveyed organizations lack a well-defined incident response plan or cyber insurance coverage.

Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites | The Hacker News

Cybersecurity researchers have discovered two malicious Google Chrome extensions, sharing the same name and published by the same developer, that come with capabilities to intercept traffic and capture user credentials. The extensions work as advertised to reinforce the illusion of a functional product: they perform actual latency tests on proxy servers and display connection status, while keeping users in the dark about their main goal, which is to intercept network traffic and steal credentials.

Most Parked Domains Now Serving Malicious Content | KrebsOnSecurity

A new study finds the vast majority of “parked” domains — mostly expired or dormant domain names, or common misspellings of popular websites — are now configured to redirect visitors to sites that foist scams and malware. In 2014, researchers found that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page. But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites.

Ransomware Payments Surpassed $4.5 Billion: US Treasury | SecurityWeek

FinCEN’s new Financial Trend Analysis report shows that more than $2.1 billion was paid to ransomware groups between 2022 and 2024, with $1.1 billion paid in 2023 alone. Between January 2022 and December 2024, 4,194 ransomware incidents were reported to FinCEN, with the highest number of attacks reported in 2023, at 1,512. In 2024, 1,476 ransomware incidents were reported, and ransomware payments totaled approximately $734 million. This trend seems to imply that while payments may be decreasing, the number of ransomware incidents remains mostly unchanged.

DECODE THE TERMS

TTPs (Tactics, Techniques, and Procedures) – Behavioral patterns used to classify cyber threats.

IaC (Infrastructure as Code) Security – Security controls applied to infrastructure provisioning automation.

CWPP (Cloud Workload Protection Platform) – A security solution for cloud-based workloads.