So, while cyber awareness is a problem, the Securities and Exchange Commission is withdrawing proposed cybersecurity regulations for investment companies and advisers that were introduced during the Biden administration. This decision aligns with a broader trend of deregulation under the current SEC leadership, which includes the withdrawal of rules related to artificial intelligence and outsourcing. The now-canceled regulations would have required investment firms to establish written policies addressing cybersecurity risks and to report significant incidents to the SEC. This move comes after notable data breaches at major firms like Fidelity Investments and Prudential, highlighting the pressing need for robust cybersecurity measures. Industry groups argued that the proposed rules could potentially expose sensitive information to adversaries, detracting from actual cybersecurity efforts.
The National Institute of Standards and Technology has released new guidance on developing zero-trust architectures, offering practical examples to enhance organizational defenses. The guidance, known as Special Publication 1800-35, outlines 19 example implementations designed using commercial technologies, emphasizing that each zero-trust architecture should be tailored to individual organizational needs. This initiative follows the 2020 release of Special Publication 800-207, which provided a conceptual overview of zero trust. According to Alper Kerman, a computer scientist at NIST, these new examples serve as a foundational starting point for organizations looking to construct their own zero-trust systems. The report also highlights the importance of continuously evaluating user and device access, particularly in an era of cloud computing and remote work, to minimize risks associated with compromised credentials.
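To make the "continuously evaluate user and device access" idea concrete, here is a small policy decision function written for this summary. It is an added illustration, not code from NIST SP 1800-35 or any of its 19 example builds. The policy thresholds (MFA required everywhere, a 30-minute re-authentication window for sensitive resources, full device compliance for sensitive resources) are assumptions chosen for the example; the point is that each request is judged on identity strength, device posture and resource sensitivity, and never on network location, so a stolen password on its own gets nothing.

```python
"""Minimal zero-trust policy decision point (constructed example).

Every request is evaluated on its own merits: who the subject is, how strongly
they authenticated, what the device's posture is, and how sensitive the resource
is. Network location is deliberately NOT an input, so being "inside" grants
nothing. Session age is checked so trust decays and must be re-established.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    mfa: bool             # authenticated with a second factor?
    session_age_min: int  # minutes since the last interactive authentication


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in the organisation's device management
    disk_encrypted: bool
    patched: bool         # OS and agent within patch policy


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str      # "low" or "high"


# Assumption (not from the page): maximum session age before re-authentication,
# per resource sensitivity. Sensitive resources get a short window.
MAX_SESSION_MIN = {"low": 480, "high": 30}


def device_compliant(d: Device) -> bool:
    """Full posture check: managed, encrypted and patched."""
    return d.managed and d.disk_encrypted and d.patched


def evaluate(subject: Subject, device: Device, resource: Resource) -> tuple[bool, list[str]]:
    """Decide one access request.

    Returns (allow, reasons). Reasons list every failed check so the denial can
    be logged and explained; an empty list means the request is allowed.
    """
    reasons: list[str] = []
    if not subject.mfa:
        reasons.append("mfa_required")
    if subject.session_age_min > MAX_SESSION_MIN[resource.sensitivity]:
        reasons.append("reauth_required")
    if not device.managed:
        reasons.append("unmanaged_device")
    if resource.sensitivity == "high" and not device_compliant(device):
        reasons.append("device_not_compliant")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenarios for illustration.
    payroll = Resource("payroll", "high")
    wiki = Resource("wiki", "low")
    good_laptop = Device("lt-0042", managed=True, disk_encrypted=True, patched=True)
    unknown_box = Device("unknown", managed=False, disk_encrypted=False, patched=False)

    # A compromised password used from an unknown machine: denied on several grounds.
    print(evaluate(Subject("alice", mfa=False, session_age_min=5), unknown_box, payroll))
    # The real user, fresh MFA, compliant device: allowed.
    print(evaluate(Subject("alice", mfa=True, session_age_min=5), good_laptop, payroll))
    # Same user two hours later: low-sensitivity still fine, payroll needs re-auth.
    print(evaluate(Subject("alice", mfa=True, session_age_min=120), good_laptop, wiki))
    print(evaluate(Subject("alice", mfa=True, session_age_min=120), good_laptop, payroll))
```

The design choice worth noting is that `evaluate` returns the list of failed checks rather than a bare boolean: a zero-trust deployment lives or dies on being able to explain and tune its denials, and that list is what feeds the access log and the policy review.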
The Cybersecurity and Infrastructure Security Agency has issued a warning that ransomware actors have been exploiting a vulnerability in the SimpleHelp remote access software during a series of attacks targeting utility billing software customers. This specific vulnerability, identified as CVE-2024-57727, has been actively leveraged by ransomware gangs since January 2025, according to federal cybersecurity officials. Ransomware operations, including those linked to the DragonForce ransomware, have targeted large retail chains in both the United Kingdom and the United States.
Why do we care?
We care because this convergence of regulatory retreat, technical vulnerability, and public-private divergence on cybersecurity reveals an unstable environment where responsibility is being offloaded to the market—while the threat landscape is escalating. Instead of requiring incident reporting and proactive security policies, the SEC appears to be betting on industry self-regulation—a gamble that rarely ends well in security. Especially in sectors where reputational risk is high but long-term liability is diffuse, we’ve seen historically that minimum compliance doesn’t equate to effective defense.
Cybersecurity is entering a fragmentation phase: public agencies signal risk escalation, technical guidance is improving, but political will to enforce accountability is evaporating. That leaves IT service providers and SMBs in a risky middle ground—more exposed but less supported.
Smart IT providers will step in where the SEC stepped back: offering managed compliance, risk mitigation, and incident response capabilities as part of broader resilience offerings. Providers who can distill NIST’s practical zero trust into customer-ready implementations will win.
Regulatory gaps create advisory space—and those MSPs willing to own that space can position themselves not just as technical partners, but as business-critical allies in an era of shifting risk.