The threat landscape · 2026

The ground has shifted under regulated firms. Most leaders haven't been told how far.

A plain-language briefing for managing partners, principals, and leadership teams. What has actually changed in the last twenty-four months, what your peers are getting wrong, and what it costs to wait another year.

Written for boards, not CTOs · Read-time: 8 minutes
$500B committed
Project Stargate — U.S. AI infrastructure buildout
Jan 2025 · White House announcement

€109B
France's parallel sovereign AI commitment — same month
Feb 2025 · AI Action Summit, Paris

80%+
Of phishing now AI-assisted; personalization is near-free
Multiple industry reports, 2025

18 months
Average MSP tenure. Nine-year relationships are outliers.
Industry benchmark, 2024

— What actually changed

Six structural shifts that make the last playbook obsolete.

Shift 01 · Regulatory velocity

Your frameworks are no longer slow-moving.

SEC Reg S-P was rewritten with breach notification in hours, not weeks. New York's DFS 500 added MFA mandates and governance requirements. CMMC 2.0 moved from voluntary to contract-gating. HIPAA is being updated for the first time in a decade. The pace of change has compressed from years to months.

What it means: A compliance framework that was "current" 18 months ago probably isn't. Evidence you collected last year may no longer be sufficient.

Shift 02 · Attack economics

The economics of attack have collapsed.

What used to take a sophisticated actor a week — a convincing spear-phish, a fake voice call, a deepfake from a partner — now takes a teenager and an LLM. The pool of people who can attack your firm has grown by orders of magnitude, and the cost per attempt is close to zero.

What it means: User training alone is not a defense anymore. The bar is now structural: identity, device posture, access design, and out-of-band verification.

Shift 03 · The supply-chain surface

The risk is no longer only yours.

Your fund administrator, your case-management vendor, your billing platform, your e-signature tool — each of them is a door. SEC Reg S-P now names vendor oversight explicitly; CMMC flows down to subcontractors; HIPAA holds you responsible for your BAs. You inherit the weakest vendor in your chain.

What it means: Vendor-risk programs are not optional. "Paper" diligence is not sufficient. The regulator will ask what you tested, not what you filed.

Shift 04 · AI in the stack

AI is already in your firm. The question is on whose terms.

Most regulated firms now have partners using ChatGPT, Copilot, Claude, and Gemini — often without governance, logging, or data-handling review. The upside is real: research, drafting, diligence, and client communication have leapt forward. The downside is also real: privileged data walking out the door.

What it means: The choice isn't "adopt AI or don't." It's "govern it or let it govern itself." The second option is where breaches and malpractice claims live.

Shift 05 · Partner liability

The exposure names partners individually.

In RIAs, the CCO is now personally named in Reg S-P and Marketing Rule actions. Law firms carry cyber exposure through their malpractice carrier. Accounting partners face AICPA inspection and state-board review. The days of "IT was the MSP's job" as a shield are over.

What it means: Leadership can no longer treat technology as delegated. The partner whose name is on the filing is the partner whose name is on the finding.

Shift 06 · Client expectation

Your clients are asking questions they didn't last year.

Institutional allocators send cyber diligence questionnaires. Corporate clients require SOC 2 reports. Counterparties ask where their data sits and who sees it. The firms that can answer quickly are winning mandates. The firms that can't are losing them — quietly, without a complaint.

What it means: Security posture is now a commercial asset, not a back-office expense. It shows up in RFP responses, not IT budgets.

— The clock you can't see

What a bad year actually looks like, sequenced.

Day 0

The event.

A compromised vendor credential, a convincing deepfake, a missed patch, a laptop in an Uber. It doesn't matter which — they all start the same way. Quietly. On a Thursday afternoon. Nobody notices.

Day 4

Discovery.

Someone spots an anomaly. Maybe a client. Maybe the bank. Internal team pulls logs and realizes the window is older than they thought. Leadership is told. The weekend disappears.

Day 7

The 72-hour clock.

Under new Reg S-P, SEC notification is triggered. DFS has its own clock. HIPAA has its own clock. The CCO and outside counsel are in a room. Nobody has slept. The insurance carrier is informed.

Day 14

The client calls.

Material clients have to be told. Some of them will leave. Some of them will ask for a written remediation plan by end of week. The firm is now running two businesses in parallel: the actual business, and the incident.

Day 60

The deficiency letter.

The examiner arrives. The finding is not actually the breach — it's what the breach revealed. Policies that weren't followed. Controls that weren't tested. Evidence that wasn't kept. The finding goes on the firm's record for years.

Day 365

The renewal.

Cyber insurance renews with a premium increase of 2–4×, new exclusions, and a sub-limit on ransomware. The IT provider is terminated. The replacement has a 90-day onboarding. Leadership is in its second year of the incident.

— The math of getting it wrong

What a breach actually costs a mid-market regulated firm.

Regulatory fines & settlements: $1.8M
Forensics & remediation: $1.5M
Legal & disclosure costs: $1.3M
Client loss & AUM runoff: $1.1M
Insurance premium escalation (5 yr): $780K
Leadership & partner time: $680K
Reputational repair: $420K

Illustrative figures for a 50–150 person regulated firm · Based on IBM Cost of a Data Breach 2024, Ponemon, and incident-response case data · Does not include partner individual liability or personal penalties

— The cost of delay

The most expensive decision is the one you keep not making.

Every quarter a regulated firm runs without a current technology strategy, an independent audit, and a named partner on the outcome is a quarter of accumulated risk that doesn't go away — it compounds. Unpatched systems age. Former-employee access lingers. Shadow IT grows. The roadmap slips further from reality. The regulator's window widens.

The firms that get hit the hardest are almost never the ones who "didn't know." They're the ones who knew, intended to act, and kept pushing the project to next quarter. Next quarter is how most bad years start.

The breach didn't cost us the money. The six quarters of "we'll get to it" cost us the money. The breach just sent the invoice. — Managing partner, RIA, after a 2023 incident

The alternative is unglamorous: an operational OS, run on purpose. A 30-day discovery. A 90-day stabilization. A written strategic plan. A quarterly independent audit. The kind of steady, boring work that makes the loud year never happen. With an OS in place, technology spending stops being insurance against bad outcomes and starts being the only form of spending that reliably pays for itself — usually several times over.

The firms that start it this year will look, in 2028, exactly the way the firms that started it in 2020 look today: quietly ahead, quietly defensible, and quietly unworried about the next regulator letter.

— A 30-minute conversation, not a sales pitch

The first quarter of clarity starts with one call.

Tell us what you have and what you're worried about. If we're the right fit, we'll scope a discovery. If we're not, we'll say so — and usually point you to someone who is.

One business-day response · Chris personally