Executive Orders

Decoding the Administration’s First Cyber Executive Order


A new cybersecurity executive order (EO) issued by President Trump in early June 2025 rescinds an entire section on digital identity and softens several detailed requirements set forth in former President Joe Biden’s last-minute Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity (Biden EO 14144) from January. Yet, the EO retains many of Biden’s directives for agencies and businesses that work with them.

“The Trump administration is not veering so much from established policy objectives, except with a couple of exceptions,” said Holland & Knight partner Bart Huffman. In many areas, “it is same policy, same objective, but fewer actual requirements,” he told the Cybersecurity Law Report.

The EO, with the two-part title, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” sets 2025 deadlines for actions in several cyber policy areas, including those addressing patching, the management of AI vulnerabilities, secure software development and post-quantum cryptography.

The EO’s one major rollback is gutting an entire section in the Biden EO 14144 that sought to strengthen protection of individuals’ digital identities. The accompanying White House fact sheet (Fact Sheet) warned of potential abuse of those provisions by illegal immigrants, though the warning has been criticized as misleading.

This article highlights the EO’s key changes, the areas where it could influence private sector cybersecurity through government procurement practices and the administration’s cyber policy priorities that businesses should heed, with insights from cyber practitioners at Goodwin, Holland & Knight, the Linux Foundation and Venable.

See “Implications of the Trump AI Executive Order” (Mar. 26, 2025).

EO Covers a Large Set of Issues

The six-page EO addresses a wide range of cyber policies and standards, ranging from leading-edge challenges (like AI vulnerabilities and quantum-powered encryption) through third-party cyber risk mitigation (like secure software development and supply-chain transparency) to policymaking aspects (like business-government collaboration and the federal line of command for cyber issues).

The Fact Sheet criticizes some of the prior administration’s actions as “micromanaging technical cybersecurity decisions better handled at the department and agency level, where budget tradeoffs and innovative solutions can be more effectively evaluated and implemented.” The EO removes obligations on providers to use phishing-resistant authentication and post-quantum cryptography (PQC), and to provide evidence to validate that software is securely developed.

The power of some eliminations is tempered by remaining requirements from earlier EOs, federal guidance or law, noted below. The dominant effect in several policy areas is that the administration will issue “guidance, and then department and agency CIOs will make the risk management decisions to implement as they see appropriate,” Venable cyber services director Caitlin Clarke told the Cybersecurity Law Report.

See “Reference Guide to 2025 Executive Orders for Compliance Professionals” (Apr. 9, 2025).

Digital Identification Section Entirely Cut

Actions to secure digital identity fell victim to a West Wing political agenda, cyber professionals have commented. The EO revokes the Biden EO 14144’s entire Section 5, “Solutions to Combat Cybercrime and Fraud,” which sought to reduce billions of dollars of identity theft by expanding use of digital identification. The EO ends the obligation for federal benefit programs to accept digital IDs, which the Biden EO 14144 asserted would limit “use of stolen and synthetic identities by criminal syndicates to systematically defraud public benefits programs.”

The Fact Sheet claims that the Biden EO 14144’s anti-fraud measure “risked widespread abuse by enabling illegal immigrants to improperly access public benefits.” A Better Identity Coalition (Coalition) statement expressed disappointment over this section’s repeal, clarifying that “nothing in January’s EO included a mandate for the U.S. government to issue digital IDs to anybody – immigrants or otherwise.”

Section 5 of the Biden EO 14144 “had strong bipartisan support and was praised by cybersecurity and fraud experts,” the Coalition said. The U.S. lags many other countries in adoption of mobile driver’s licenses or government IDs. This repeal also halts development of an “early warning system” to alert Americans if their identity data is used to apply for a government benefit (identity-based fraud of this kind accounted for over $100 billion in unemployment fraud during the COVID-19 pandemic).

The administration has declined to explain the cuts to at least two news organizations, and did not provide replacement provisions addressing digital identity fraud. Given the benefits of digital IDs for national security and for individuals, Huffman noted, “it’d be interesting to know if there are specific risks that they’re concerned about.”

The EO removes the deadline by which the National Institute of Standards and Technology (NIST) must provide voluntary guidance to states to secure use of digital IDs and protect privacy, but “we don’t see any reason that any of that work should be suspended, [as it] was specifically authorized by Congress in the 2022 Chips and Science Act,” Coalition coordinator Jeremy Grant, a Venable managing director of cybersecurity, told the Cybersecurity Law Report.

See our two-part series on legal and ethical issues in the use of biometrics: “Modality Selection, Implementation and State Laws” (Feb. 21, 2024), and “FIDO, Identity-Proofing and Other Options” (Feb. 28, 2024).

Four EO Priority Areas Focus on Procurement

In four federal cyber policy areas, the EO highlights procurement practices to boost wider security precautions, establishing deadlines for each between August and the end of 2025.

See “How the 2025 Cybersecurity Executive Order Affects Business” (Feb. 5, 2025).

1) Attestation of Secure Software Development

Since 2024, federal agencies have had to collect attestation forms from their software suppliers verifying that they comply with the Secure Software Development Framework (SSDF). Reinforcing this obligation, the EO directs NIST to establish by August 1, 2025, an industry consortium at the National Cybersecurity Center of Excellence to update the SSDF before 2026. That measure shows “the Administration’s understanding that supply chain security and secure software development remain areas needing more guidance,” Clarke said.

What the EO jettisons as “micromanaging” is the Biden EO 14144 measure requiring software companies to submit compliance artifacts to the Cybersecurity and Infrastructure Security Agency (CISA) along with their attestation. Under the Biden EO 14144, CISA was required to sample the submissions and verify whether the evidence reflected the software provider’s attestation.

“That would have made CISA a quasi-regulator because it would make a finding” about the attestation’s accuracy, Clarke observed. The Fact Sheet said the artifact submissions to CISA were “burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”

However, the accountability step of CISA submissions addressed the fact that only some government contractors are conscientious enough “to seriously analyze their processes and improve them as necessary,” noted Linux Foundation director of open-source supply chain security David A. Wheeler. “Contractors will all say they take something like this seriously because they must, but that isn’t always borne out in reality,” he told the Cybersecurity Law Report.

Federal pressure on software companies to adhere to the SSDF remains important for the broader swath of private companies, said Huffman, because business supplier contracts often lack terms on software development. “Companies say ‘thou shalt not engage subcontractors without my approval, shalt not ship data to jurisdictions without my approval,’” but only rarely demand verification that “this software was built in a responsible and secure manner,” he reported.

The imperative for SSDF compliance recordkeeping is unlikely to fade despite the EO’s rollback, Goodwin partner Kaitlin Betancourt told the Cybersecurity Law Report. “Other factors are at play, like the False Claims Act, like third-party [due diligence] pressure,” she said.

2) Post-Quantum Cryptography Adoption

The EO includes directives to prepare software providers for the risk that quantum computing, sooner or later, will be able to break the current generation of encryption keys. By December 1, 2025, CISA must update a list of products that support PQC. The list will help companies because “it can be daunting to switch out all their public key cryptography,” Clarke observed.

Also retained was a deadline to issue requirements for agencies to use Transport Layer Security protocol version 1.3 or a successor version, Betancourt noted. “That is critical to making sure that organizations will have the ability to adopt post-quantum cryptography,” she said.

The EO, however, ends the need for all agency technology solicitations to request PQC capabilities. Being less prescriptive about “post-quantum cryptography makes sense because of the fast-evolving nature of the technology,” Betancourt opined.

“The EO also removes efforts to encourage foreign partners to adopt NIST-standardized PQC algorithms,” Wheeler pointed out. The “issue will be if other countries consider U.S.-recommended algorithms as subverted” and spurn them, he said.

A Biden national security memorandum also remains in effect to push vendors and agencies to upgrade to PQC, Clarke noted.

See “Six Steps to Address the SEC’s Trump Era Cyber Enforcement Priorities” (Apr. 9, 2025).

3) IoT Cyber Trust Mark

One widely applicable regulation that the EO surprisingly keeps is “the requirement to amend the Federal Acquisition Regulation so that, by January 4, 2027, federal vendors of consumer [IoT] products must display the U.S. Cyber Trust Mark,” Wheeler observed.

See “A Guided Tour of Enterprise IoT Device Hazards” (Nov. 4, 2020).

4) AI Integration Into Vulnerability Management

The EO gives federal agencies until November 1, 2025, to incorporate management of their AI operations into their overall vulnerability management programs, “including through incident tracking, response, and reporting, and by sharing indicators of compromise for AI systems.”

“It is a very critical issue because it affects the supply chain,” Betancourt highlighted. The administration’s attention to AI vulnerabilities harmonizes with other regulators’ actions, like guidance from the New York Department of Financial Services, she added.

The EO’s retention of a wide mandate around AI vulnerabilities and compromises is appropriate, as is the flexibility the EO gives companies on how to tackle the challenge, Huffman offered. Generally, “AI and vulnerability management is front and center in terms of reasonable security practices these days,” he said. Yet, how to continuously monitor for AI vulnerabilities “requires a lot of thought,” he noted. The proliferation of non-human users in companies’ clouds and of AI identities across the internet is a key security risk that draws attention but lacks easy remedies.

The EO preserves existing directives for the sharing of datasets for cyber defense research into AI, and interagency coordination on AI software vulnerabilities. Yet, it eliminates four other AI-related programs, including an energy sector initiative to use AI to drive cyber defense, and research into the security of AI coding and AI system design.

Cumulatively, the changes straddle prioritizing AI risk management and “letting the departments and agencies determine their own way ahead” in how to protect their AI use, Clarke said.

See “Restricting Super Users and Zombie IDs to Increase Cloud Security” (Jul. 31, 2024).

Other Administration Cyber Priorities

In multiple areas, the EO modifies existing obligations but dials back or alters specific expectations or programs.

See “Checklist for Building an Identity-Centric Cybersecurity Framework” (Nov. 3, 2021).

Patching

The NIST Director faces one early EO deadline of September 2, 2025, for updating Special Publication 800-53. The directive for “guidance on how to securely and reliably deploy patches and updates to software was a specific response to the CrowdStrike outage of a year ago,” Clarke explained, and companies have been seeking more guidance on what is reasonable for this operationally demanding task.

“The EO’s continuation of that effort shows that patching’s still a priority for this administration,” to help shrink supply chain risks, Clarke observed.

Multi-Factor Authentication

The EO eliminates investments in “innovative identity technologies” pilots to expand use of commercial phishing-resistant standards such as FIDO Web Authentication.

However, the Federal Zero Trust Strategy remains in effect, so agency staff, contractors and partners must all move to using phishing-resistant multi-factor authentication.

See “Amendment to NYDFS Cyber Regulation Brings New Mandates: Governance Provisions” (Dec. 13, 2023).

Securing Federal Communications

Beyond encouraging PQC implementation, the EO preserves several measures to better protect the government’s online environment by promoting federal agencies’ and vendors’ use of internet routing security technologies across different layers of architecture and hardware.

See “Cloud Attacks and Six Other Cybersecurity Dangers for 2023 and 2024” (Apr. 26, 2023).

Developing Regulations Downloadable As Code

The EO gives NIST, CISA and the Office of Management and Budget a year to launch a pilot program creating a machine-readable version of cyber regulations and guidance, called “rules as code,” that organizations can load into their own systems.

This is helpful, Huffman offered. Compliance processes for employees are essential, but with AI and other technology developing, embedding compliance into companies’ software and systems “is at least equally important,” he said.

National Cyber Director and Policy Leadership

The business community “should pay attention to the section about aligning policy to practice,” which directs the Office of National Cyber Director (ONCD) to consult on EO actions, Clarke advised. “The EO positions ONCD to take a leadership role in cyber policy,” which shifts “the center of gravity on cyber policy within the Executive Office of the President,” she added.

In the Biden-Harris administration, the National Security Council and Deputy National Security Adviser often led cyber policymaking, blurring ONCD’s role. The EO offers “more clarity,” making it known to those who work in this space that they can go to ONCD with questions or to engage on cyber policy, Clarke pointed out.

Foreign and Election Policy Messages

The EO includes three foreign policy messages and one note concerning criticism of elections.

First, the EO expressly names the People’s Republic of China as the “most active and persistent threat to United States Government, private sector, and critical infrastructure networks,” and warns of “Russia, Iran, North Korea, and others who undermine United States cybersecurity.”

Second, the EO rescinds NIST’s requirement to evaluate international standards bodies’ guidelines when issuing guidance on minimum cybersecurity practices for contractors and subcontractors.

Third, it amends the sanctions policy for malicious cyber-related activities set forth in Executive Order 13694, issued in 2015. The Secretary of the Treasury previously could block any person qualifying as a threat actor, but the EO restricts sanctions to “any foreign person.” The Fact Sheet describes the change as “preventing misuse against domestic political opponents.” However, it does not rule out treating permanent legal residents or naturalized citizens as “foreign.”

Additionally, in a nod to election-denial supporters, the Fact Sheet also clarifies that “sanctions do not apply to election-related activities.”

The EO does not address other measures in the Biden EO 14144 regarding ransomware, cloud security, outer space-related cybersecurity and government-wide threat visibility, among other topics.

The EO indicates that the Trump administration is likely to take more action to adjust cybersecurity policy. It provides that its directives are meant to defend digital infrastructure, secure “the services and capabilities most vital to the digital domain,” and build the national capability to address key threats – all of which are evolving tasks.

See “How Designating TCOs As Terrorist Organizations Creates Risks for Financial Institutions and Beyond” (Jun. 4, 2025).

Cyber Crime

Leading Attack Vectors and Other Key Findings From Verizon 2025 Data Breach Investigations Report


Malicious attackers are increasingly turning their attention to system vulnerabilities, devices at the perimeter of an organization’s network and third-party service providers, according to Verizon’s most recent data breach study. Additionally, ransomware and human error remain significant concerns. The Verizon 2025 Data Breach Investigations Report (Report or DBIR) is based on the analysis of more than 22,000 security incidents and more than 12,000 confirmed breaches. This article distills the key takeaways from the DBIR and a related Verizon webinar that examined the findings and offered guidance on mitigating the identified risks.

See “Stolen Credentials, Phishing and Vulnerability Exploits Are Key Attack Vectors, According to Verizon Data Breach Report” (Jul. 12, 2023).

Demographics and Key Concepts

This is the eighteenth annual DBIR, noted Chris Novak, a Verizon vice president. It includes data from “incidents” and/or “breaches” in 139 countries, up from about 93 last year. Verizon analyzed 22,052 incidents and 12,195 breaches that occurred between November 1, 2023 and October 31, 2024. Certain year-over-year changes discussed in the DBIR may be attributable in part to changes in Verizon’s data sources, explained Verizon senior managing director Kris Philipsen.

As used in the DBIR, an “incident” is “a security event that compromises the integrity, confidentiality or availability of an information asset.” A “breach” is “an incident that results in the confirmed disclosure – not just potential exposure – of data to an unauthorized party.” As in past studies, Verizon used the Vocabulary for Event Recording and Incident Sharing framework for consistent collection of security incident details.

See “Verizon Report Details Evolution of Threats and Provides Cybersecurity Program Advice” (Apr. 5, 2023).

Big Picture

Roughly four-fifths of breaches involved external actors. Most of the rest involved internal actors. External breaches were effected via:

  • system intrusions (65%);
  • social engineering (22%);
  • basic web application attacks (BWAAs) (14%); and
  • other (9%).

The overwhelming majority of breaches (89%) were driven by financial motives. Seventeen percent were fueled by espionage. Some involved both motives.

The incidents occurred in:

  • Europe, the Middle East and Africa (9,062);
  • North America (6,361);
  • Asia and the Pacific (2,687); and
  • Latin America and the Caribbean (657).

Incidents commonly impacted data confidentiality (68%), availability (61%) and/or integrity (51%).

See “Strengthening Cyber Defenses in an Ever-Evolving Threat Landscape” (Jun. 4, 2025).

System Intrusions

As used in the Report, “system intrusions” are “complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware.” There was a dramatic year-over-year increase in system intrusions, noted Novak. Perimeter and edge devices are providing new entry points for attackers.

Ransomware accounted for 75% of breaches involving system intrusions. Espionage was also a common motivator for such attacks.

See “Ransomware and Incident Response Considerations for Global Companies” (Nov. 29, 2023).

Social Engineering

There were relatively small drops from the prior year in social engineering. Although phishing is still a threat, organizations have been getting better at educating their staff on avoiding it. People are generally now more cautious about following links than they were a decade ago.

The most common social engineering incidents involved:

  • phishing (57%);
  • pretexting (30%); and
  • prompt bombing (14%).

Even after regular security training, a median 1.5% of employees continued to “click” in phishing tests. On the other hand, a median 21% of employees who had recent security training reported simulated phishing emails, versus a median 5% of those who had not had recent training. “User awareness does matter,” stressed Philipsen.

See “Go Phish: Employee Training Key to Fighting Social Engineering Attacks” (Aug. 9, 2023).

Basic Web Application Attacks

BWAAs “frequently play out very quickly with few steps required for the attacker to gain access and abscond with their data prize,” explains the DBIR. They are “all about bad actors accessing our key data with the least amount of effort expended.”

BWAAs usually involved one or more of:

  • use of stolen credentials (88%);
  • brute force (56%);
  • other (51%); and
  • backdoors or command and control (42%).

Notably, espionage was a motive in 62% of the breaches resulting from BWAAs. In contrast, attacks driven by that motive “hovered around 10% to 20%” in recent years, according to the Report.

Key Findings and Risk Mitigation Steps

Ransomware Attacks Up, Payments Down

On a positive note, even though there was a roughly 30% year-over-year increase in ransomware attacks, just 36% of the victims paid ransom, down from 46% last year, Philipsen contributed. The median ransom in the current DBIR was $115,000, versus $150,000 last year. With fewer companies paying ransom, attackers may seek to develop new, more effective tactics. This could be one reason for the increase in exploitation of vulnerabilities, he opined.

Additionally, 44% of breaches involved ransomware, up from 32% last year. Similarly, ransomware was involved in 31% of incidents, surpassed only by denial of service (35%). Although each organization must assess its own situation, cyber response experts generally counsel companies not to pay ransom, noted Novak. Moreover, many organizations are focusing on cyber resilience, putting them in a better position to recover from an attack without paying.

See “Navigating Ransomware’s Challenges” (May 1, 2024); and “Ransomware Incident Response Checklist” (Apr. 26, 2023).

Human Error Remains a Significant Risk

About 60% of breaches involved a human element, consistent with last year, reported Novak. Common components of those breaches included credential abuse (32%), social engineering (23%), errors (14%) and interacting with malware (7%).

To mitigate the risk of human error, organizations should take a layered approach, including security awareness training and implementation of a zero-trust access control environment, which limits the ability of an attacker who does gain access to a network to move within it, explained Verizon director Tristen O’Brien. They should also use multi-factor authentication (MFA), he added. “You’d be surprised how many businesses aren’t there yet.”

“The layered approach is absolutely the right approach,” Novak agreed. There is no “magic bullet” that will solve all cyber challenges – and the human element will always play a role. Consequently, even companies that have comprehensive and robust cybersecurity must also invest in response and recovery.

“Having MFA enabled continues to be the gold standard to help protect against authentication abuse, but having it enabled should not make your detection and monitoring processes complacent,” cautioned Verizon in the Report.
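The Report’s point that MFA should not make monitoring complacent, together with the “prompt bombing” pattern counted under social engineering above, can be turned into a concrete detection. The following is an added example, not Verizon’s code: it parses a constructed key=value authentication log (the format, user names and IP addresses are assumptions for this example), finds accounts that receive a burst of MFA push prompts inside a short window, and marks the bursts that end in an approval, which is the sequence that turns push fatigue into an account compromise.

```python
"""Detect MFA push 'prompt bombing' bursts in authentication logs.

Added example (not Verizon's code). The log format and every sample line
below are constructed for this example; adapt parse_line() to your IdP's
export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: alice is bombed with four denied pushes and then
# approves one; bob receives only widely spaced prompts.
SAMPLE_LOG = """\
2025-05-01T09:00:01Z user=alice event=mfa_push result=denied src=203.0.113.5
2025-05-01T09:00:40Z user=alice event=mfa_push result=denied src=203.0.113.5
2025-05-01T09:01:15Z user=alice event=mfa_push result=denied src=203.0.113.5
2025-05-01T09:01:50Z user=alice event=mfa_push result=denied src=203.0.113.5
2025-05-01T09:02:30Z user=alice event=mfa_push result=approved src=203.0.113.5
2025-05-01T09:03:00Z user=alice event=login result=success src=203.0.113.5
2025-05-01T09:05:00Z user=bob event=mfa_push result=approved src=198.51.100.7
2025-05-01T13:00:00Z user=bob event=mfa_push result=denied src=198.51.100.7
2025-05-01T13:30:00Z user=bob event=mfa_push result=approved src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_push_bursts(log_text, window=timedelta(minutes=10), min_prompts=4):
    """Return one alert per user whose MFA pushes exceed min_prompts within window.

    An alert is flagged approved_after_burst when the window ends with an
    approval preceded by at least min_prompts - 1 denials: the fatigue pattern.
    """
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("event") == "mfa_push":
            pushes[rec["user"]].append((rec["ts"], rec["result"]))

    alerts = {}
    for user, events in pushes.items():
        events.sort()
        start = 0
        for end, (ts, result) in enumerate(events):
            # Slide the window start forward until the span fits inside `window`.
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count < min_prompts:
                continue
            denials = sum(1 for _, r in events[start:end + 1] if r == "denied")
            alert = {
                "user": user,
                "prompts": count,
                "denials": denials,
                "approved_after_burst": result == "approved" and denials >= min_prompts - 1,
                "window_start": events[start][0],
                "window_end": ts,
            }
            # Keep the most severe alert per user: approval after a burst beats
            # a plain burst, and a larger burst beats a smaller one.
            prev = alerts.get(user)
            if prev is None or (alert["approved_after_burst"], count) > (
                prev["approved_after_burst"], prev["prompts"]
            ):
                alerts[user] = alert
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_push_bursts(SAMPLE_LOG):
        print(f"{a['user']}: {a['prompts']} pushes, {a['denials']} denied, "
              f"approved after burst: {a['approved_after_burst']}")
```

Tune `window` and `min_prompts` to the push cadence your IdP actually produces; the point is that the approval at the end of a denied burst, not the approval on its own, is the event worth paging on.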

Security awareness training is essential. “We know that our employees are the first line of defense. We know that we all make some errors,” said O’Brien. Thus, organizations should use simulated attacks and phishing tests. Breach simulations for the C‑suite and board are also important, added Novak.

See our three-part series “Rethinking Click-Through Training”: The Pluses and Minuses (Mar. 26, 2025), Maximize Effectiveness With Customization (Apr. 16, 2025), and Integration Into a Comprehensive Training Program (May 7, 2025).

Increase in Exploitation of Vulnerabilities

The top three initial access vectors for breaches that do not involve human error or misuse of organizational resources were abuse of credentials (22%), exploitation of vulnerabilities (20%) and phishing (16%). Exploitation of vulnerabilities has replaced phishing as the second most common vector for data breaches, noted Philipsen. Moreover, internet-facing “edge” devices, such as VPNs, have been key targets of attackers exploiting zero-day vulnerabilities.

See “Staying Ahead of Rising Identity-Based and Cloud Intrusions” (Mar. 19, 2025).

Attackers Targeting Edge Devices

Both ransomware and espionage groups have been targeting edge devices, according to Philipsen.

Notably, in 22% of the breaches where exploitation of vulnerabilities was the initial access vector, the vulnerabilities were found on VPN and edge devices. That is an eight-fold year-over-year increase, noted Philipsen. Key drivers of that increase were zero-day vulnerabilities and configuration errors.

“Know your assets,” urged Philipsen. The top controls in major cybersecurity frameworks are usually hardware and software inventories. An organization must know what it is protecting. It must conduct continuous scanning and asset discovery.

Vulnerabilities arise daily, cautioned Philipsen. Moreover, because vulnerabilities are not all created equal, an organization must understand the relevant risks and deploy resources to address the greater risks. It can leverage application programming interfaces to improve the speed of collecting information and AI to speed analysis, freeing humans to work on mitigating the identified risks. Edge devices must be monitored continuously, as they are the “front door” of the organization.

Verizon examined a group of 17 edge vulnerabilities added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog across seven vendors. “There is a clear indication of organizations fully remediating those edge vulnerabilities more often (54%) over this past year when compared with all vulnerabilities listed on the CISA KEV list (38%) or even all vulnerabilities identified in their scans (a measly 9%),” according to the DBIR. It took the sample companies a median 32 days to fully remediate the vulnerabilities. There is still “a median of five days for a CISA KEV vulnerability to be mass exploited,” notes the Report.
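The gap the Report draws between a 32-day median remediation time and a five-day median to mass exploitation is what a patching queue should be ordered around. The following is an added example, not Verizon’s or CISA’s code: it reads a constructed scan export and a constructed KEV-style subset (the CVE ids, asset names and dates are placeholders invented for this example, not real catalog entries), reports remediation rates the way the DBIR does (all findings versus KEV-listed versus KEV on edge devices), and ranks the open findings so that KEV-listed bugs on edge devices come first, flagging any that have been listed longer than the Report’s five-day figure.

```python
"""Prioritise open vulnerability findings by CISA KEV listing and edge exposure.

Added example, not Verizon's or CISA's code. The scan export, the KEV subset,
and all CVE ids, asset names and dates below are constructed placeholders.
"""
import csv
from datetime import date
from io import StringIO

# Constructed scan export: one row per (asset, CVE); fixed_on is empty while open.
SCAN_CSV = """\
asset,role,cve,first_seen,fixed_on
vpn-gw-01,edge,CVE-2099-0001,2025-03-01,2025-03-20
vpn-gw-02,edge,CVE-2099-0001,2025-03-01,
fw-edge-01,edge,CVE-2099-0002,2025-03-10,
app-srv-07,internal,CVE-2099-0003,2025-02-15,
app-srv-08,internal,CVE-2099-0004,2025-02-20,2025-03-01
db-srv-02,internal,CVE-2099-0005,2025-01-05,
"""

# Constructed KEV-style subset: CVE id and the date it was (hypothetically) listed.
KEV_CSV = """\
cve,date_added
CVE-2099-0001,2025-03-05
CVE-2099-0003,2025-02-25
"""

# Median days from KEV listing to mass exploitation, as reported in the DBIR.
MASS_EXPLOIT_MEDIAN_DAYS = 5
# Reference date for the worked run below (constructed).
DEFAULT_TODAY = date(2025, 4, 1)


def parse_date(s):
    return date.fromisoformat(s) if s else None


def load_findings(scan_text):
    rows = []
    for r in csv.DictReader(StringIO(scan_text)):
        r["first_seen"] = parse_date(r["first_seen"])
        r["fixed_on"] = parse_date(r["fixed_on"])
        rows.append(r)
    return rows


def load_kev(kev_text):
    return {r["cve"]: parse_date(r["date_added"]) for r in csv.DictReader(StringIO(kev_text))}


def remediation_rates(findings, kev):
    """Fraction fully remediated: all findings vs KEV-listed vs KEV-listed on edge."""
    def rate(rows):
        return round(sum(1 for r in rows if r["fixed_on"]) / len(rows), 2) if rows else 0.0
    kev_rows = [r for r in findings if r["cve"] in kev]
    edge_kev = [r for r in kev_rows if r["role"] == "edge"]
    return {"all": rate(findings), "kev": rate(kev_rows), "edge_kev": rate(edge_kev)}


def prioritize(findings, kev, today=DEFAULT_TODAY):
    """Rank open findings: KEV on edge, then KEV, then edge, then the rest; oldest first."""
    ranked = []
    for r in findings:
        if r["fixed_on"]:
            continue  # already remediated, nothing to queue
        on_kev = r["cve"] in kev
        days_open = (today - r["first_seen"]).days
        days_since_kev = (today - kev[r["cve"]]).days if on_kev else None
        ranked.append({
            "asset": r["asset"],
            "cve": r["cve"],
            "edge": r["role"] == "edge",
            "kev": on_kev,
            "days_open": days_open,
            # True when the bug has been listed longer than the median time to mass exploitation.
            "past_mass_exploit_window": on_kev and days_since_kev > MASS_EXPLOIT_MEDIAN_DAYS,
        })
    ranked.sort(key=lambda f: (not (f["kev"] and f["edge"]), not f["kev"],
                               not f["edge"], -f["days_open"]))
    return ranked


if __name__ == "__main__":
    findings, kev = load_findings(SCAN_CSV), load_kev(KEV_CSV)
    print("remediation rates:", remediation_rates(findings, kev))
    for f in prioritize(findings, kev):
        print(f"{f['asset']:12} {f['cve']}  edge={f['edge']!s:5} kev={f['kev']!s:5} "
              f"open={f['days_open']:3}d  past_window={f['past_mass_exploit_window']}")
```

In practice the KEV subset would come from the published catalog rather than a hard-coded string, and the scan export from your scanner, but the ordering logic is the part that matters: an internal KEV-listed bug outranks an unlisted bug on an edge device, and anything listed for longer than the Report’s five-day figure is already in the window where mass exploitation is typical.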

See “Getting Board Buy-In for Edge Cybersecurity Initiatives Post COVID19” (Jul. 8, 2020).

Spike in Breaches Involving Third Parties

Notably, the proportion of breaches involving a third party or vendor jumped to 30% from 15% last year, said Novak. Approximately four-fifths of those breaches included system intrusions.

Here, too, a layered approach is essential, said Philipsen. When organizations held all their own data, the prototypical defense model was a castle with a moat. Now, because organizations often share data with multiple third parties – some of which may have access to the organizations’ systems – they need “multiple castles with multiple moats.” Consequently, organizations must understand where their data is located and who has access to it. Doing an asset inventory seems “so basic,” but it is a foundational element of risk quantification, implementation of controls, monitoring and breach simulations, added Novak.

Zero trust is an important element of an organization’s defense, stressed Philipsen. There should be security enforcement points not only for initial access to a system, but also across the entire session within the system. Organizations should ring fence their data.

Additionally, organizations must implement appropriate governance and risk management of third parties, as well as the fourth parties with which third parties interact, continued Philipsen. That involves:

  • building a strong relationship between information security teams and third parties’ risk management functions;
  • ensuring contractual requirements are met;
  • managing the lifecycle of the data to which third parties have access;
  • understanding onboarding and offboarding of relevant personnel at third parties;
  • staying on top of regulatory changes; and
  • third-party risk monitoring.

Many organizations have hundreds or thousands of vendors, noted Philipsen. Those organizations may benefit from automated third-party risk management processes. Regardless of approach, organizations should determine which third parties present the highest risk and focus their attention accordingly. For example, if an organization determines a vendor poses a high risk, the organization may decide to exercise available audit rights. Finally, organizations should conduct tabletop exercises simulating breaches involving one or more third parties.

The Report should be a wake-up call for small and medium-size businesses (SMBs), which often rely on vendors and other third parties, cautioned O’Brien. Organizations should not be too quick to trust third parties. “You can’t trust anything. Always verify,” he emphasized.

See “2025 LRN Effectiveness Survey Finds Lags in Third-Party Diligence” (Apr. 2, 2025); and “Considerations for Managing Third-Party Cyber Risks” (Oct. 4, 2023).

Industries

The DBIR provides granular industry-specific data on incidents and breaches across 20 industries. There were more than 1,000 incidents in seven of the industries covered, accounting for about 70% of the total incidents and 64% of total breaches in the study. Key industries included:

  • education – 1,075 incidents/851 breaches;
  • finance – 3,336 incidents/927 breaches;
  • healthcare – 1,710 incidents/1,542 breaches;
  • manufacturing – 3,837 incidents/1,607 breaches;
  • public administration – 1,422 incidents/946 breaches.

System intrusions and social engineering were among the top attack patterns across the board. BWAAs and miscellaneous errors were also common.

Businesses of All Sizes Are at Risk

Many SMBs think that attackers will not target them because they are too small. But “they do. They’re not discriminating,” O’Brien cautioned. Ransomware groups target entities of all sizes. In fact, ransomware appears to be more common among SMBs than larger organizations. Moreover, some SMBs support large entities, which makes them attractive targets.

O’Brien compared the top attack patterns for organizations with fewer than 1,000 employees with those with more than 1,000. System intrusion was among the top patterns for both. System intrusions, social engineering and BWAAs were involved in 96% of breaches of small organizations, according to the DBIR. In contrast, system intrusions, BWAAs and miscellaneous errors accounted for 79% of breaches at large organizations. Financial motivations were involved in virtually all breaches of both small (99%) and large (95%) organizations. However, espionage and ideology motivated 4% of attacks on large organizations.

Notably, ransomware is involved in about 90% of attacks on small organizations, versus just 40% of attacks on large ones. The same was true with respect to malware, according to the DBIR. On the other hand, human error accounted for about one-fifth of breaches in large organizations but only 1% of breaches at small ones, according to O’Brien.

BYOD

Many organizations moved to “bring your own device” (BYOD) regimes to save expenses, noted Novak. Many, however, did not consider their ability to monitor such devices and the added risk they create. Financial services firms have been moving away from BYOD, due in part to regulatory compliance concerns. Other industries are starting to follow suit.

Verizon found that many stolen credentials appear to have come from unmanaged or BYOD devices, according to Philipsen. Organizations should consider whether BYOD is the right strategy and, if so, what compensating controls they can implement. There is a limited range of things an organization can do with respect to personal devices. For example, it is much easier to implement protections against malicious QR codes on corporate devices.

Organizations that permit employees to use mobile devices for access must not give them access to everything, said O’Brien. First, they must protect devices at the hardware level. Second, they must consider the devices’ access to the organization’s network and how data is protected while moving across the network. Various technological solutions enable companies to control what apps employees can use and how they use them.

See “Crafting Effective Mobile Device Policies to Satisfy Regulatory Expectations” (Apr. 3, 2024).

For Now, Employees Present Greatest AI Risk

In light of the dramatic spread of generative AI, people believed “it must also be hacking us, too,” observed Novak. To date, that is not necessarily true to any significant extent. Although it appears AI has been used to create more convincing phishing emails, most issues involving AI have involved misuse by employees. Cyber experts are still exploring the possibility that attackers may use AI during an attack to analyze the victim’s system and guide their movement within the system.

Verizon found that 14% of employees routinely accessed generative AI systems on their corporate devices, and that most of them used a non-corporate email as the identifier on the account (72%) or a corporate email without an integrated authentication system (17%). This suggests “accessing those systems may not be a part of the sanctioned applications allowed in their corporate environment,” the DBIR opines.

Employees who use AI should use “enterprise” versions, which generally will not use uploaded information to train the system, advised O’Brien. Companies should have a clear AI use policy, conduct training, and deploy data loss prevention or CASB [cloud access security broker] tools to flag when users share sensitive information with AI.

“AI systems live and die off data,” noted Philipsen. Consequently, organizations need acceptable use policies. They must address the integrity and accuracy of data and the risk of hallucination. They should implement ways for people to anonymously report potentially malicious or risky uses of AI. Organizations that build their own AI systems should ensure they conduct penetration testing and red teaming exercises.
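The DBIR findings above (employees reaching generative AI services with personal e-mail accounts or with corporate e-mail that is not tied to the company’s authentication system) and the advice to use DLP or CASB tooling to flag sensitive uploads translate directly into a log-review exercise. The script below is an added illustration, not code from Verizon, the DBIR or any vendor product: it parses constructed CASB/proxy-style log lines, sorts each generative-AI request by how the user identified themselves (personal account, corporate e-mail without SSO, corporate e-mail with SSO), and flags uploads that a DLP classifier tagged or that left from a personal account. The log format, the field names, the corporate domain `example-corp.com`, the AI hostnames and the 10,000-byte upload threshold are all assumptions chosen for the example; it also records the managed/BYOD device field so the same pass speaks to the BYOD discussion earlier in the article.

```python
"""Classify generative-AI usage from constructed CASB/proxy log lines.

Hypothetical example: the log format, field names, domains and threshold
are assumed for illustration, not taken from the DBIR or any product.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

CORPORATE_DOMAIN = "example-corp.com"                              # assumed corporate e-mail domain
GENAI_HOSTS = {"chat.example-ai.com", "assistant.example-llm.net"}  # constructed AI service hosts
UPLOAD_THRESHOLD = 10_000                                          # bytes_out above this is treated as an upload

# Constructed sample log lines (no real users or traffic).
SAMPLE_LOG = """\
2025-05-01T09:14:02Z user=alice device=managed host=chat.example-ai.com account=alice@example-corp.com sso=yes method=POST bytes_out=820 dlp=none
2025-05-01T09:20:11Z user=bob device=byod host=chat.example-ai.com account=bob99@webmail.example sso=no method=POST bytes_out=48200 dlp=none
2025-05-01T10:02:45Z user=carol device=managed host=assistant.example-llm.net account=carol@example-corp.com sso=no method=POST bytes_out=15300 dlp=ssn
2025-05-01T10:05:09Z user=dave device=managed host=intranet.example-corp.com account=dave@example-corp.com sso=yes method=GET bytes_out=120 dlp=none
2025-05-01T11:31:27Z user=erin device=byod host=chat.example-ai.com account=erin@example-corp.com sso=no method=GET bytes_out=300 dlp=none
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AccessEvent:
    timestamp: str
    user: str
    device: str      # "managed" or "byod" in the constructed format
    host: str
    account: str     # identifier the user presented to the AI service
    sso: bool        # True when the session was federated through corporate SSO
    bytes_out: int
    dlp: str         # DLP classifier verdict, "none" when nothing matched


def parse_line(line: str) -> AccessEvent | None:
    """Parse one 'timestamp key=value ...' line; return None for malformed input."""
    line = line.strip()
    if not line:
        return None
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    try:
        return AccessEvent(
            timestamp=timestamp,
            user=fields["user"],
            device=fields["device"],
            host=fields["host"].lower(),
            account=fields["account"].lower(),
            sso=fields.get("sso", "no") == "yes",
            bytes_out=int(fields.get("bytes_out", "0")),
            dlp=fields.get("dlp", "none"),
        )
    except (KeyError, ValueError):
        return None  # skip a bad line instead of aborting the whole review


def classify_identity(event: AccessEvent) -> str:
    """Bucket the account the way the DBIR does: personal, corporate without SSO, corporate with SSO."""
    domain = event.account.rsplit("@", 1)[-1]
    if domain != CORPORATE_DOMAIN:
        return "personal"
    return "corporate_sso" if event.sso else "corporate_no_sso"


def genai_events(log_text: str) -> list[AccessEvent]:
    """Keep only well-formed events that reached a known generative-AI host."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None and e.host in GENAI_HOSTS]


def summarize(events: list[AccessEvent]) -> dict[str, int]:
    """Count AI requests per identity bucket (the shadow-AI picture for the policy owner)."""
    return dict(Counter(classify_identity(e) for e in events))


def flag(events: list[AccessEvent]) -> list[tuple[str, str]]:
    """Return (user, reason) findings an acceptable-use reviewer would want to see."""
    findings: list[tuple[str, str]] = []
    for e in events:
        identity = classify_identity(e)
        if e.dlp != "none":
            findings.append((e.user, f"DLP match ({e.dlp}) sent to {e.host}"))
        if identity == "personal" and e.bytes_out > UPLOAD_THRESHOLD:
            findings.append((e.user, f"large upload to {e.host} from a personal account on a {e.device} device"))
        if identity == "corporate_no_sso" and e.bytes_out > UPLOAD_THRESHOLD:
            findings.append((e.user, f"large upload to {e.host} via corporate e-mail outside SSO (unsanctioned tenant?)"))
    return findings


if __name__ == "__main__":
    evts = genai_events(SAMPLE_LOG)
    print("identity buckets:", summarize(evts))
    for user, reason in flag(evts):
        print(f"FLAG {user}: {reason}")
```

Run as-is, the script reports one SSO-backed corporate session, one personal-account session and two corporate sessions outside SSO, and raises three findings: the large upload from the personal account on the BYOD device, the DLP hit on the upload to the second AI host, and that same upload because it went out through a corporate e-mail that was never federated. A real deployment would pull the same fields from the CASB or proxy export and replace the constant lists with the organization’s sanctioned tenants.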

See “Benchmarking AI Governance Practices and Challenges” (May 7, 2025); and “Assessing and Managing AI’s Transformation of Cybersecurity in 2025” (Mar. 19, 2025).

General Counsel

GCs’ Increasingly Critical Role in Managing Risk and Ensuring Compliance


As compliance requirements evolve rapidly, the GC role becomes more critical for avoiding regulatory entanglements and operational risks. Increasingly, in-house legal personnel are grappling with risk assessments, internal investigations, liaisons with regulators, strategic advice to executive staff and other areas not traditionally within the GC’s domain. In-house lawyers can also play a prominent role in litigation on behalf of the industry, as in banking organizations’ recent lawsuit against the Federal Reserve over stress testing models. Those new and expanded responsibilities factor into the increased importance of in-house legal staff in their firms’ efforts going forward.

Those points were expressed at the Compliance & Legal 2025 Annual Seminar hosted by the Securities Industry and Financial Markets Association in a panel moderated by Steven R. Peikin, partner at Sullivan & Cromwell, which featured Cynthia B. Adams, head of U.S. legal and GC, TD Bank; Roberto Braceras, GC at Fidelity Investments; Eric F. Grossman, executive vice president and chief legal officer at Morgan Stanley; and Stefan Simon, CEO of the Americas and chief legal officer at Deutsche Bank. This article presents key takeaways from the discussion.

See “Top Tips for Effective GC Succession Planning and Training” (Nov. 8, 2023).

Expanding Internal Role of GCs

The role of in-house legal staff has been in flux for many years, but its evolution has vastly accelerated since the 2008 global financial crisis (GFC), Grossman asserted. The GFC was a “galvanizing moment” in which it became evident to many in the industry how devastating failures of legal and regulatory compliance could be, he said. With that awareness has come a corresponding growth in the responsibilities of in-house legal counsel as to many varied areas including anti-money laundering, operational risks and other critical compliance issues, he added.

“The remit of the GC role has expanded,” Grossman summarized. “All those things have completely transformed the role.”

Managing Risk

The siloing of the GC within a discrete area of an organization is a thing of the past, as there is now a broad overlap among the roles of CCOs, chief risk officers and lawyers within organizations, Adams stated. “There is an interlock that is now expected, whereas historically our function was more siloed and we were consulted under a different model,” she said. “You cannot do the job now with a single focus,” she continued. “We’re risk managers who happen to bring legal and regulatory expertise. We own the risk and we own the accountability on behalf of the entire enterprise.”

From dealing with a narrowly defined range of legal matters, GCs have broadened their remit to include intensive daily engagement with global macroeconomic events that can impact asset valuations, Simon concurred. The GC increasingly plays a role in forward-looking strategic work, supporting the CEO and other senior management with expert counsel about the legal and reputational risks that geopolitical scenarios and crises pose, he said. Further, asset managers with exposures to far-flung currencies and asset classes require highly specialized risk assessments by GCs, he emphasized.

Recent examples of geopolitical events include Russia’s invasion of Ukraine and the ongoing possibility of Chinese military action against Taiwan, Simon acknowledged. “When the Russian sanctions packages were announced, firms needed to adapt their exposure. Similarly, do firms need to think about potential threats or impacts from sanctions packages against China? What does that mean for the business proposition – e.g., where to grow, what exposure to take?” he posited. “I think that strategic advisory angle to the business sits much more, over the last three to four years, with the legal department,” he summarized.

GCs often possess the highly specialized knowledge needed to make sense out of those issues, particularly compared to the markedly different backgrounds and areas of specialization of personnel and other senior executives, Adams argued. “Our industry has an interest in making sure that our markets are conducted on an orderly basis, and that there is transparency as needed,” she said. “There are collateral consequences and issues that may not be apparent to non-legal specialists when grappling with these imperatives.”

It is also important to note that sudden changes to asset valuations resulting from geopolitical events and turmoil – and the legal implications of those changes – have increasingly drawn regulators’ attention. As a result, it is important for GCs to ensure their firms have proper internal policies and procedures any time it may be necessary to gauge the impact of external events on asset valuations.

See our three-part series on the first 100 days as GC/CCO: “Preparing for the Role and Setting the Tone” (Apr. 14, 2021), “Developing Knowledge and Forging Key Relationships” (Apr. 21, 2021), and “Managing Daily Work, Performing Risk Assessments and Looking Ahead” (Apr. 28, 2021).

Building Internal Networks

GCs’ responsibilities have grown dramatically, Adams said. As a result, there is increasingly close collaboration between in-house legal staff and other divisions within an asset manager, requiring personnel to cultivate successful interpersonal relationships, she said.

“It’s important to have good and productive working relationships with your fellow control partners, so they will know to call you as a trusted advisor – not because you’re a lawyer, but because you’re accessible, available and a friend in the office,” Adams asserted. “Cultivating those relationships means that when somebody is contemplating doing something that introduces an unacceptable level of risk, they will know to call you first.”

See “Tips From Lockheed and Groupon on Developing GC-CISO Partnerships to Improve Security and Incident Response” (Jun. 19, 2019).

Growing External Role of GCs

The external role of GCs is also evolving rapidly to include, among other things, fortifying relations with investors, navigating ever-shifting regulations, deciding when to rely on external counsel and pursuing litigation. The panelists agreed that few individuals within an organization can be said to have such broad responsibilities.

Maintaining Investor Confidence

It is difficult to overstate GCs’ role in promoting robust compliance, avoiding and mitigating reputational problems and keeping a financial institution afloat, Grossman argued. In-house lawyers are a last line of defense against compliance failures and bad practices that erode relations with investors who feel the firm has not carried out its fiduciary duties. Investors have no shortage of choices when it comes to selecting fund managers to invest with, he noted. Hence, delivering excellence is critical for a firm’s “reputation with clients and their confidence in the firm’s ability to manage their money.”

For example, Grossman noted that Credit Suisse experienced sharp drops in its share price and revenues in 2022 amid the fallout from investments that went awry. Then, in November 2022, it agreed to sell off the bulk of its portfolio of securitized assets to Apollo Global Management. UBS Group subsequently acquired Credit Suisse in March 2023 and completed the sale of $8 billion worth of securitized assets. The unravelling of Credit Suisse was an example of a phenomenon in which “a culture that compromised client confidence” steadily alienates investors until things reach a point where “the money starts going away, and before you know it, you’re gone,” he asserted.

Citing another example, Peikin drew a distinction between fund managers that play a “long game” with investors and those that play a “short game.” Recalling his time at the SEC, he said that he frequently interacted with highly regulated financial institutions in the expectation that they would be eager to retain customers and hence would play a “long game” by empowering GCs to carry out vital compliance functions. “They should behave, in every investigation, as if they are coming back to see me again soon,” he recommended.

Interactions With Regulators

Expanding on the importance of GCs in dealing with regulatory entities about compliance issues, Braceras emphasized how necessary it is to know when to be amenable to regulators’ requests and when to be firm. After all, in-house lawyers are not there just to placate the SEC and other enforcement agencies. The proper stance toward – and message for – regulators can be summarized as follows: “You can trust us, and if you identify some area of exposure, we will acknowledge it and will work with you. But if we think you are overreaching, we are going to dig in, and we are not afraid to go to court if necessary,” he asserted.

Asset managers should be aware of the danger of coming across to regulators as soft targets that will not stand up for themselves when there are material factors in their favor in an investigation or enforcement matter, Braceras clarified. Here, the role of the GC is increasingly critical. “They can make a phone call and insist upon some degree of settlement,” he noted. “If the press release would say that we’ve done something wrong, then we’re absolutely going to have that conversation. But if we believe that we’ve done nothing wrong, we’re going to defend ourselves.”

It is important, however, not to confuse intensive activity during an investigation with progress toward achieving some level of resolution and implementing effective policies and procedures to avoid compliance and regulatory issues, Adams said. “Don’t confuse activity with progress, because you will find yourself in an investigation or an enforcement landscape where you witness all that activity, and then when you peel away the clouds and the smoke, the policy wasn’t adhered to, drafted or finished,” she cautioned. “That’s a really important lesson regardless of where you sit in the organization.”

See “State Privacy Regulators Share Enforcement Agenda and How to Ensure a Smoother Investigation” (May 14, 2025).

Relations With Outside Counsel

Another area in which the GC has grown more essential is in seeking out external counsel and maintaining the proper balance between in-house and outside legal teams, Grossman emphasized. All GCs must deal with “high-boil matters” at points in their careers, hence they must understand the need to achieve “the balance of advocacy between outside lawyers and in-house experts,” he stated. It is important for GCs to resist the temptation to pass sensitive and critically important legal matters to outside counsel, no matter how skilled they may be, he continued.

The tug of war that can take place between outside and internal legal counsel is something to watch out for, Simon stressed. “I want outside counsel to be mindful not to take the matter out of the hands of in-house lawyers,” he said. It is particularly problematic when the latter end up basically trying to manage the outside law firm without having proper oversight of the actual legal matter, he continued. “Outside counsel, obviously, try to take the matter in their own hands and own it. However, GCs can’t forget that it needs to be owned by the in-house legal department,” he added.

See “How In-House Expertise Can Help Outside Counsel” (Nov. 10, 2021).

Deciding Between Firms

It is hard to generalize about when and where to use external counsel, Adams reasoned. Sometimes, in-house lawyers must draw upon personal experience and connections to make the best assessments about which counsel should handle a given matter. “We use auctions, and we also do direct placement, so it depends,” she said. “We’re being exposed to a talent and depth that may be outside the scope of the folks that we’re using, and I’m open to that.”

Given those realities, internal counsel need to decide on a case-by-case basis when it is appropriate to retain new counsel or to rely on tried-and-true external legal relationships, Simon acknowledged. “A law firm that has been handling a case for years can know every angle and avenue, so let’s not switch horses,” he said. “But there are also cases where the counter-argument is true – you want a fresh pair of eyes, or a case takes a twist in a different direction.”

Cost Considerations

A further consideration is that outside counsel fees can often go far beyond what seems reasonable for the matter in question, Braceras said. If a fund manager has multiple engagements with different outside counsel at the same time, the legal bills can become somewhat overwhelming, he acknowledged. That underscores the importance of having a solid bench of in-house legal staff fully capable of handling as many matters as may be appropriate for their resources and expertise.

That reality in no way obviates the need for external counsel, Braceras clarified. “I like to hear from three or four law firms on our biggest matters,” he said, adding that he appreciates hearing different ideas and perspectives on a complex legal matter. Nonetheless, runaway billing can be a source of frustration. “My team gets frustrated because we have so many – I can’t tell you how many – law firms billing us. It is absurd. We’ve got to reduce that,” he emphasized. “Then, on the other hand, I say, ‘Look, we don’t want the same firm to get every big case,’” he conceded. “I like to have a small group that we can really rely on.”

Pursuing Litigation

Another burgeoning responsibility for GCs is illustrated by the lawsuit the Bank Policy Institute filed against the Federal Reserve in December 2024 on behalf of a consortium of banking organizations, which challenged the use of the comprehensive capital analysis and review stress test to gauge available capital and manage risk, Grossman said. Many in-house lawyers grew significantly more emboldened about pursuing such litigation toward the end of President Joe Biden’s term, which is when the litigation in question began, he explained.

“At the end of the Biden administration, I think that banks took the view that they no longer had to just ‘take it,’” Grossman said. “That doesn’t mean file senseless litigation,” he clarified. “The industry no longer felt that we were ‘on the curb,’ but that the industry is critically important to the success of the U.S.”

See “Understanding the Fiduciary Exception to Attorney-Client Privilege” (Oct. 4, 2023).

People Moves

Former TikTok Privacy Counsel Joins Squire Patton Boggs in Sydney


Squire Patton Boggs has welcomed data protection and regulatory lawyer Tanvi Mehta Krensel as a partner in its data privacy, cybersecurity and digital assets practice group in Sydney. She arrives from TikTok, where she was product privacy lead for Asia-Pacific and emerging markets.

Mehta Krensel’s practice focuses on data protection and commercialization, cybersecurity, tech-led innovation and procurement, and other regulatory matters. She works extensively with multinational clients across the media, communications, technology and retail sectors, guiding them through the complexities of their cross-border regulatory compliance requirements. Her recent work has centered around issues including the handling of the personal data of employees and children, digital marketing strategy and consents, the use of facial recognition technology, AI use risk management, and the growing intersection between privacy and consumer law.

In her role at TikTok, Mehta Krensel advised on privacy, e-marketing, child safety and AI laws in countries like Australia, Korea, Japan, Singapore and Vietnam. She has also previously advised U.K. and Australian clients on the GDPR’s application to their business, and has substantial experience in matters related to IT contracting and technology, media and telecom, as well as data security incident response.

For insights from Squire Patton Boggs, see “Advertising Opt‑Outs Drive New Privacy Strategies in 2025” (Dec. 18, 2024); and “Navigating Government Investigations of Privacy Practices” (Sep. 4, 2024).

People Moves

Flaster Greenberg Expands Privacy and Cybersecurity Group to Include AI and Welcomes New Leader


Flaster Greenberg has welcomed Peter Wakiyama as a shareholder in the firm’s intellectual property department and leader of the artificial intelligence, privacy, and cybersecurity practice group, which was recently expanded to include AI. He arrives from Troutman Pepper Locke and will be based in West Conshohocken, PA.

For more than three decades, Wakiyama has been advising domestic and international clients in all areas of intellectual property, technology transactions, privacy, cybersecurity and emerging technologies, including AI. He counsels on a wide range of AI-related matters, including the development, adoption and use of AI tools; emerging AI-generated intellectual property and licensing issues; and transactions that involve AI intellectual property and data assets used to train AI models. Wakiyama also develops strategies around issues related to new-to-market and emerging technologies, advises on the effective use of data, and helps clients mitigate the potential risks associated with the commercialization of data assets. In addition, he regularly assists clients with their assessment of, and compliance with, federal and state privacy and security laws (including the GDPR, Children’s Online Privacy Protection Rule, Telephone Consumer Protection Act, Federal Tort Claims Act, the Gramm-Leach-Bliley Act and HIPAA), as well as privacy policies, terms of use, information security policies, data governance agreements, data privacy and security investigations, due diligence, and M&A support.

Prior to joining Flaster Greenberg, Wakiyama was a partner at Troutman Pepper Locke.