A recent in-person event (simulcast as a webinar) brought together cybersecurity experts to discuss emerging threats and upcoming regulatory changes affecting organizations. Litigation partner Charu Chandrasekhar from Debevoise & Plimpton and Xantrion’s CTO Christian Kelly shared insights on proposed SEC cybersecurity rules, cloud security challenges, the security risks that artificial intelligence tools bring, and the most effective ways to respond to incidents.
With cyber incidents this year costing organizations between $50,000 and $1.5 million plus remediation costs, the speakers emphasized how proper preparation can help minimize a breach’s financial and operational impacts.
Regulatory Framework and Reporting Requirements
The proposed SEC rules include several provisions affecting how organizations — including registered investment advisors, broker-dealers, exchanges, and other market participants — approach cybersecurity. Chandrasekhar shared that businesses must report significant cybersecurity incidents within 48 hours, implement enhanced policies and procedures, and meet new disclosure obligations. Firms must also perform annual cybersecurity reviews and expand recordkeeping.
Additionally, the SEC’s recently finalized Reg S-P changes establish new federal minimum data breach standards. Businesses with natural person investors must notify affected parties within 30 days of an incident causing significant harm and ensure their service providers inform them within 72 hours of relevant breaches. While these requirements are now final, firms have between 18 and 24 months to achieve compliance, depending on their size.
Changing Threats and Technical Responses
Xantrion’s CTO explained that while large companies with significant on-site infrastructure still face traditional perimeter attacks, the threat has changed for many small- and mid-sized businesses with cloud-based operations. The shift to cloud operations means traditional firewall monitoring has given way to identity and usage pattern monitoring. Attackers have commoditized their ability to bypass even strong multi-factor authentication through sophisticated phishing and man-in-the-middle attacks.
Kelly emphasized the importance of proper cloud configuration and monitoring. To protect against identity-based attacks, organizations should actively monitor usage patterns and implement controls on cross-system API connections. Kelly demonstrated this through a tabletop exercise featuring a ransomware attack scenario, in which limited log retention (30 days) prevented security teams from effectively investigating a breach that began weeks earlier. The exercise highlighted the technical need for ongoing monitoring and logging, along with the regulatory challenges of meeting reporting requirements with incomplete information.
Artificial Intelligence and Cloud Security Risks
Kelly addressed the growing risks of generative AI tools in the workplace. One major security concern is that default cloud platform settings let users connect AI tools directly to company email and file systems. This kind of activity can expose sensitive data to external services, demonstrating how standard cloud configurations often prioritize convenience over security.
To address these risks, businesses need updated acceptable use policies and stronger controls around AI tools and data sharing. Kelly also emphasized the importance of vendor management and contractual compliance when evaluating AI service providers, noting that sharing certain data types — particularly investor information — may violate existing agreements.
Incident Response and Insurance Coordination
Insurance providers often take the lead on decisions during incident response, so companies need to engage with their cyber insurance providers before a breach occurs to understand coverage triggers, approved vendors, and notification requirements. Organizations should hold detailed discussions with their insurance providers, covering which forensics firms are approved and at what threshold the provider expects to be notified. For smaller firms especially, insurance providers will dictate many aspects of the incident response process, from choosing forensics partners to managing communications.
The speakers also recommended including insurers in tabletop exercises, as this helps all parties understand their roles and responsibilities before a crisis occurs. By practicing scenarios together, organizations can ensure their technical response capabilities, compliance obligations, and insurance coverage requirements are all aligned.
Integrating Both Perspectives
Kelly and Chandrasekhar emphasized that businesses shouldn’t consider cybersecurity a purely technical challenge or a compliance exercise — instead, they should adopt security programs that integrate both perspectives. As demonstrated in the tabletop exercise, this kind of integrated approach helps identify gaps in technical response and compliance procedures before a real incident occurs. Companies that take this comprehensive approach will be better positioned to prevent breaches while meeting ever-shifting regulatory requirements.