De-risking vs. Risk Management | SMBs Leverage the vCISO Advantage | Should Banks Trust Third-Party Vendors?
Insights from industry experts and cybersecurity risk professionals — because every business deserves to be safe and secure.

🛟 De-Risking or Managing Risk: What’s the Difference?
De-risking and risk management are foundational concepts in IT security, but they are often misunderstood or used interchangeably. Clarifying the distinction — and the synergy — between these approaches is essential for guiding clients toward a resilient, business-aligned security posture.
📖 Read the Article from NTM Advisory: De-risking vs. Risk Management: A Strategic Comparison

💵 Vendor Risk: Are Banks and Credit Unions Being Exposed?
As third-party breaches surge and regulatory scrutiny mounts, vendor risk management is no longer a “check-the-box” exercise — it’s a strategic imperative. Regional banks and credit unions that invest in robust, real-time vendor oversight will be best positioned to protect their customers, reputations, and bottom lines in the current financial ecosystem.
📖 Read the Article from NTM Advisory: Vendor Risk Management: The Weakest Link in Regional Bank Security?
Compliance Updates
⏹️ New York Amended Cybersecurity Regulations
Starting May 1, 2025, New York Department of Financial Services (NYDFS)-regulated entities must comply with new cybersecurity requirements. These include enhanced access management (such as limiting and reviewing privileged accounts), mandatory automated vulnerability scans, and risk-based controls to protect against malicious code. These changes are part of the phased amendments to the NYDFS Cybersecurity Regulation, with additional requirements coming in November 2025.
⏹️ Cybersecurity Information Sharing Extension Act Introduced
On April 16, 2025, bipartisan legislation was introduced in the U.S. Senate to extend the Cybersecurity Information Sharing Act of 2015, which is set to expire in September. This act encourages businesses to share cyber threat information with the federal government by providing legal protections and has been credited with improving real-world cybersecurity collaboration, especially in response to major incidents like the SolarWinds attack.
⏹️ CISA Adds Actively Exploited Vulnerabilities to Mandatory Remediation List
On April 17, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including two critical Apple product flaws and a Microsoft Windows NTLM hash disclosure vulnerability. These vulnerabilities are being actively exploited and are considered significant attack vectors for both public and private sector organizations.
💡Cost-Effective Risk Management in a Tight Talent Market
For SMBs, a vCISO offers a practical path to enterprise-grade risk management — without breaking the budget. As cyber threats and regulatory demands continue to grow, partnering with a vCISO can help your organization stay secure, resilient, and competitive in a challenging digital landscape.
📖 Read the Article from NTM Advisory: SMBs and the vCISO Advantage: Cost-Effective Risk Management
🤔 Questions or Concerns?
We’re happy to listen! Just reply to this email and we’ll be in touch!