Cybersecurity and Compliance

Cybersecurity risk is becoming harder for RIAs to separate from regulatory risk. Verizon’s analysis found that ransomware attacks rose 37% from 2024 to 2025, while vulnerability exploitation grew 34% year over year. Third-party involvement also appeared in 30% of incidents in 2025, up from 15% the year before. Those numbers raise concerns for investment advisory firms. Cybersecurity oversight now has…

Many organizations conduct cybersecurity assessments only after regulatory pressure or legal obligations arise. That’s because compliance requirements frequently trigger formal evaluations of cybersecurity practices and risk exposure. But waiting until a crisis arises before assessing cybersecurity risk is a mistake. In 2025, global enforcement of privacy and cybersecurity regulations reached $5.48 billion in penalties. That same year, three-quarters (76%) of…

Requests from legal or compliance teams often stem from a few key scenarios. A vendor may require proof of security controls before signing a contract, an auditor might need documentation for an upcoming review, or a cyber insurance carrier may demand evidence of risk management prior to policy renewal. Or even worse, something worse happens. A phishing attempt gets further…

Recently, Foster City declared a local state of emergency after a ransomware-related cyberattack forced the city to take its network offline, disrupting email and phones and limiting services while investigators and outside specialists worked on the incident. Bay Area communities like Oakland, Hayward, and St. Helena have faced similar attacks in recent years, reinforcing a hard reality for municipalities: cities…

The relentless pace of cyberattacks shows no signs of letting up. The fastest eCrime breakout time—the speed at which an attacker moves from initial access to lateral movement—dropped to just 27 seconds in CrowdStrike’s 2026 Global Threat Report. Also in the report, attacks by AI-enabled adversaries increased by 89% year over year, and 82% of detections involved no malware, making…

Law firms manage some of the most sensitive information in the business world. Client confidences. Intellectual property. Merger strategies. Litigation plans. Financial records. That mix of privileged data and high-stakes timelines makes law firms prime targets for cybercriminals. In fact, cyberattacks hit one in five US law firms (20%) surveyed by Proton in 2025. The stakes have never been higher.…

The California Privacy Rights Act (CPRA) is California’s data privacy law that expands consumer rights and imposes stricter obligations on businesses regarding the collection, use, and protection of personal information. As we showed with our example of an automaker’s hefty fine in our CCPA explainer, California’s privacy regulations have teeth. In this explainer on “what is CPRA,” we continue to…

Modern law firms face responsibilities that extend well beyond traditional legal ethics. Today, effective governance and cybersecurity maturity are equally essential—because protecting client data is no longer optional, it is an ethical obligation. To meet this standard, firms must implement strong technology controls aligned with established regulatory frameworks. Here’s how these pieces fit together—and how law firms can successfully navigate…

Financial services compliance governs how banks, investment firms, credit unions, insurance companies, and fintech platforms operate within regulatory boundaries. Compliance requirements exist to protect consumers, prevent financial crime, maintain market integrity, and reduce systemic risk across the financial system. This guide covers the fundamentals of financial compliance, major regulatory frameworks, core operational components, technology solutions, outsourced services, and recent trends…

Organizations face thousands of new security weaknesses each year. The challenge isn’t just finding these gaps, but also determining which pose the greatest risk and addressing them before attackers can exploit them. Attackers now exploit new vulnerabilities within hours of disclosure, making structured threat and vulnerability management essential for risk reduction. Threat and vulnerability management (TVM) provides a structured approach…

Imagine this: It’s a typical Wednesday morning when your systems suddenly go dark. Hackers have stolen your customer database, phones are ringing nonstop with panicked clients, and regulators are raising eyebrows. For many businesses, this nightmare is a reality. However, the good news is that most of these disasters are preventable through regular cybersecurity audits and regular checkups that identify…

Choosing the right cybersecurity framework can feel overwhelming. You’re juggling customer demands, regulatory requirements, and budget constraints while trying to build a security program that works. Three frameworks consistently rise to the top of most organizations’ consideration lists: ISO 27001, SOC 2, and NIST Cybersecurity Framework. Each framework serves different purposes and audiences. Pick the wrong one, and you may…

A Midwestern city declares a state of emergency after its systems are hacked. Tens of millions of health records are exposed in a healthcare company breach. A retail chain resorts to pen-and-paper recordkeeping at thousands of stores following a cyber-attack. Seemingly every day brings new headlines about cyber threats and their devastating consequences. Fortunately, the world’s most recognized security management…

On May 16, 2024, the SEC expanded the requirements of Regulation S-P to require covered financial institutions to take additional steps to detect, respond, and recover from unauthorized access, or use, of client information. Larger entities, such as Registered Investment Advisers (RIAs) with $1.5 billion or more in assets under management, will have until December 3, 2025, to comply. The…

In March 2025, Honda Motor Company got a $632,500 wake-up call. That’s when the California Privacy Protection Agency fined the automotive giant for violating the California Consumer Privacy Act (CCPA). The agency found that the company required customers to provide too much of their personal information, made it too hard for them to exercise their right to privacy, and shared…

The healthcare industry is in a tight squeeze when it comes to data security. It’s caught between rapid technological change, escalating cyber threats, and the fundamental need to protect patient data while maintaining quality care.

A company’s security is only as strong as its weakest third-party link. Fortunately, cybersecurity due diligence can help companies mitigate risks not only within their own organizations but across their supply chains.

Oracle’s 2025 data breach exposed millions of records and revealed gaps in the company’s incident response and regulatory compliance. This article explores how delayed disclosure under new SEC and CPRA rules can amplify the damage of a cyberattack—and offers best practices for organizations looking to strengthen their breach response strategy.

To combat an increasing number of breaches in healthcare organizations, a 393-page proposed update to the HIPAA Security Rule, titled “The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information,” has been introduced