ELTENI’S CYBER SCOOP

Latest News

In this newsletter, we focus on the retraction of the proposed cybersecurity rules for investment advisers, the continued requirement for disclosure and transparency of cyber incidents, and building trust through effective cybersecurity.

REGULATORY CORNER

SEC withdraws cyber rules for investment companies, advisers

The Securities and Exchange Commission is pulling back cybersecurity regulations for investment companies and investment advisers proposed under the Biden administration.

In a notice in early June 2025, the SEC said it was withdrawing pending rules requiring those companies and advisers to develop written policies to address cybersecurity risks and report significant cybersecurity incidents to the commission. It also would have required them to report on the last two fiscal years’ cyber incidents and risks in a publicly available registration form. 

In 2023, the commission re-opened the public comment period on the rule, saying that it “will allow interested persons additional time to analyze the issues and prepare comments in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure that the Commission should consider.”

Notes

The SEC’s quiet retreat from its proposed cybersecurity rule for investment advisers and funds is a step backward. While other industries have baseline standards—PCI-DSS for payments, HIPAA for healthcare, CMMC for federal contractors—finance remains exposed. Financial professionals handle sensitive investor data and assets; as such, cybersecurity should not be optional—it should be a core part of fiduciary duty. Without minimum controls like MFA, vendor risk assessments, or incident reporting, firms are left vulnerable to phishing, ransomware, and supply chain attacks.

The SEC is falling out of sync with regulators like The New York Department of Financial Services (NYDFS) and global efforts like the EU’s Digital Operational Resilience Act (DORA), which promote proactive risk-based approaches to cyber governance. This lack of standardization increases investor risk and drives up breach-related costs that ultimately fall on clients. The SEC’s decision sends the wrong message: that cybersecurity is a “nice to have.” It’s not. It’s essential.

SEC Withdraws cyber rules for investment companies, advisers | CyberScoop


ENFORCEMENT NEWS

Hotel asset manager settles with SEC over cyber breach misreporting

The SEC stated in its complaint that Ashford, a Dallas-based investment adviser, was the victim of a cyberattack in September 2024, instigated by an unnamed “foreign threat actor.” That attack exfiltrated 12 terabytes of data from Ashford’s servers and locked servers containing data for at least 22 of its hotel clients.

The SEC accused Ashford of negligence in its failure to detect the customer information leak, stating that it knew, or should have known, that the data had been compromised. The agency based that determination on a finding that Ashford could easily have verified that customer information was stolen had it reviewed the file trees for the compromised data.

Notes

The SEC’s enforcement action against asset manager Ashford for misrepresenting the scope of a ransomware breach affecting over 46,000 individuals was, on the surface, a necessary step. However, the mere $115,231 penalty feels incongruent with the severity of the infraction. Given the persistence of cybersecurity incidents and the heightened sensitivity to data protection, the Commission has made it clear that timeliness and transparency in breach notification are not optional. Ashford’s delayed and incomplete disclosure violated that mandate, potentially depriving clients, investors, and regulators of critical information needed to assess risk. While the enforcement action reaffirms the SEC’s commitment to cyber transparency, the nominal fine sends a conflicting message: that underreporting a cyber event might be met with a regulatory slap on the wrist rather than a meaningful deterrent. For alternative investment firms—often lean on compliance staff and heavy on sensitive client data—this is the wrong incentive structure.

Real deterrence requires real consequence. The SEC should pair regulatory clarity with enforcement teeth. Otherwise, firms may see breach disclosure as a cost-benefit calculation rather than a fiduciary obligation.

Hotel asset manager settles with SEC over cyber breach misreporting | Grip


CYBER NEWS

Coinbase warns of up to $400 million hit from cyberattack | Reuters.com

The company received an email from an unknown threat actor on May 11, claiming to have information about certain customer accounts as well as internal documents. Hackers had paid multiple contractors and employees working in support roles outside the U.S. to collect information. The company had fired those involved, it said. While some data — including names, addresses and emails — was stolen, the hackers did not get access to login credentials or passwords, Coinbase said. It would, however, reimburse customers who were tricked into sending funds to the attackers.

Building Trust Through Effective Cybersecurity | Forbes.com

When cybersecurity measures are correctly implemented, they mitigate risks like data breaches, ransomware and unauthorized access. This protection creates confidence among users, partners and stakeholders, trusting that their private and sensitive information is safe and systems will function securely. Cybersecurity is not just about protection; it’s about empowerment. It transforms risk from a source of fear and uncertainty into a foundation for trust and resilience.

Financial deepfake scams targeted in bipartisan Senate bill | CyberScoop

According to Federal Trade Commission data, fraudsters stole more than $12.5 billion from consumers last year, a 25% jump from 2023. AI tools are increasingly being used by scam artists to craft emails, text messages and phone calls that trick people into thinking their loved ones are in danger and that payment is the only way to guarantee their safety.

Citrix users hit by actively exploited zero-day vulnerability | CyberScoop

Citrix has disclosed an actively exploited zero-day vulnerability affecting multiple versions of NetScaler products, an alarming development from a vendor that’s been widely targeted in previous attack sprees. The zero-day (CVE-2025-6543) was disclosed by Citrix nine days after it issued a security bulletin for a pair of defects (CVE-2025-5777 and CVE-2025-5349) in the same products. All three vulnerabilities affect the company’s networking security appliance NetScaler ADC and its virtual private network NetScaler Gateway.

DECODE THE TERMS

C2 (Command and Control) – Infrastructure used by attackers to remotely control compromised systems.

DLL Injection – A technique for executing malicious code within another process by injecting a Dynamic Link Library (DLL).

Sinkhole – A security mechanism to redirect malicious traffic away from a targeted system.
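The sinkhole definition above describes the mechanism; the detection value comes from the other side of it. Once malicious domains resolve to a defender-controlled sinkhole address, every internal host that still queries those domains identifies itself as likely infected. The script below, added here as an illustration and not part of the newsletter or any vendor's product, walks constructed resolver log lines (a made-up "timestamp client qname answer" format), skips malformed entries, and reports the clients whose answers landed on an assumed sinkhole address of 192.0.2.53 (a placeholder from the documentation range, not a real sinkhole).

```python
import ipaddress
import re
from collections import defaultdict

# Assumed sinkhole address operated by the defender (constructed placeholder).
SINKHOLE_IPS = {"192.0.2.53"}

# Constructed sample resolver log lines: "<timestamp> <client> <qname> <answer>".
# The final line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.12 updates.example.com 203.0.113.10
2025-06-01T10:00:05Z 10.0.0.45 bad-domain.example 192.0.2.53
2025-06-01T10:00:09Z 10.0.0.45 bad-domain.example 192.0.2.53
2025-06-01T10:01:12Z 10.0.0.77 another-evil.example 192.0.2.53
2025-06-01T10:02:00Z 10.0.0.12 mail.example.com 203.0.113.25
malformed line that should be skipped
"""

# Exactly four whitespace-separated fields, nothing more.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it cannot be trusted."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, client, qname, answer = match.groups()
    try:
        # Both client and answer must be real IP addresses, otherwise discard.
        ipaddress.ip_address(client)
        ipaddress.ip_address(answer)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "qname": qname, "answer": answer}


def find_sinkholed_clients(log_text, sinkhole_ips=SINKHOLE_IPS):
    """Map each client that received a sinkhole answer to what it asked for.

    The result is keyed by client IP; each value records how many sinkholed
    answers it received, which domains it queried and when it was first seen.
    """
    hits = defaultdict(lambda: {"count": 0, "domains": set(), "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["answer"] not in sinkhole_ips:
            continue
        entry = hits[rec["client"]]
        entry["count"] += 1
        entry["domains"].add(rec["qname"])
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
    return dict(hits)


def format_report(hits):
    """Render the findings as one line per client, sorted for stable output."""
    lines = []
    for client in sorted(hits):
        entry = hits[client]
        domains = ", ".join(sorted(entry["domains"]))
        lines.append(
            f"{client}: {entry['count']} sinkholed answer(s), "
            f"first seen {entry['first_seen']}, domains: {domains}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_sinkholed_clients(SAMPLE_LOG)))
```

Only the client field matters for triage: the sinkhole already stopped the outbound connection, so the actionable output is the list of internal hosts to isolate and investigate, with the first-seen timestamp as the starting point for the timeline.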