Click here to access subscription content at The RTJ Bridge - The Premium Version of The RiskTech Journal

The RiskTech Journal

The RiskTech Journal is your premier source for insights on cutting-edge risk management technologies. We deliver expert analysis, industry trends, and practical solutions to help professionals stay ahead in an ever-changing risk landscape. Join us to explore the innovations shaping the future of risk management.

Where Autonomous IRM Begins—And Where It Must Go Next
Autonomous IRM, Cybersecurity, ServiceNow, Tuskira John A. Wheeler

The Quiet Rise of Autonomous IRM—From the Middle Out

Autonomous IRM is no longer theoretical. AI-powered platforms are starting to deliver tangible value: agentic systems that simulate attacker behavior, validate control effectiveness, and recommend mitigation actions—often autonomously.

The June 5 announcement from Tuskira, integrating directly with ServiceNow’s Vulnerability Response and SecOps modules, is a prime example. By embedding simulation-backed scoring and posture-aware mitigation into operational workflows, Tuskira is delivering intelligence in real time.

But there’s something missing: the announcement doesn’t mention Integrated Risk Management (IRM) at all.

That silence is a signal. Tuskira operates in what Wheelhouse Advisors defines as Layer 3: Intelligence & Validation—the middle of the risk architecture. And while this layer is where automation is gaining traction, it’s also where many organizations are managing in isolation, without input from either end of the enterprise risk stack.

Inside the Hack: Why Social Engineering Exposes the Limits of Cyber Defense and Demands Integrated Risk Management
Social Engineering, Cybersecurity, IRM Ori Wellington

The recent cyberattack on Marks & Spencer (M&S), perpetrated by the notorious hacking group Scattered Spider, vividly underscores the evolving sophistication of cyber threats—and the alarming vulnerability of even well-protected enterprises. Despite significant investments in cybersecurity defenses, M&S faces an estimated loss of up to £300 million in operating profits and a plunge of £600 million in market capitalization following the breach.

As detailed recently by the Financial Times, Scattered Spider’s methods illuminate a stark reality: technical cybersecurity solutions alone are not enough. The group’s expertise lies in a blend of digital deception and human manipulation, a practice known as social engineering. Unlike traditional cybercriminals reliant solely on technical exploits, Scattered Spider meticulously researches employee identities, simulates convincing interactions, and leverages human psychology to circumvent cyber defenses.

Beyond the Firewall - Why Integrated Risk Management Is the Missing Layer in Cyber Defense

The recent revelation that Marks & Spencer—one of Britain’s most iconic retailers—suffered a cyberattack that could cost it up to £300 million in annual operating profit is a reminder that no amount of cybersecurity spending can fully inoculate a company from human error. The attack, reportedly traced to a third-party vendor and facilitated by social engineering, underscores a hard truth: cybersecurity is necessary, but not sufficient.

Despite boosting its cyber investment by 75% and quadrupling its team over the past two years, M&S was not spared. Nor were other well-known retailers like Harrods and the Co-op grocery group. These incidents reflect a deeper problem in the digital defense playbook—one that requires a broader, integrated approach to risk.

From Code to Conduct: UK Cyber Mandate and Tech Disruption Signal a Governance Reckoning

Two significant announcements this week—one from the UK government and the other from Deloitte—highlight a rapidly converging future in which cybersecurity, advanced technology, and corporate governance are no longer siloed concerns but integrated imperatives for the boardroom. While distinct in origin and focus, both developments send a clear signal: the pressure on executive leaders to govern technology risks with discipline, foresight, and accountability is mounting.

When Encryption Isn't Enough—A Sidewalk Interview and a Global Wake-Up Call

I was in Washington, D.C., when the story broke. Reports surfaced that U.S. officials had used Signal—a consumer-grade encrypted messaging app—to coordinate sensitive military operations in Yemen. I was finishing a dinner meeting after a full day of engagements when my phone rang. It was the BBC reaching out for immediate commentary on a fast-developing national security story.

What Happens When Risk Protocols Fail - Lessons from the Signal App Incident
BBC, Secure Communications, Cybersecurity Ori Wellington

When BBC News investigated a recent national security communications breach, they reached out to Wheelhouse Advisors for expert analysis. The incident highlighted a growing risk not just for governments—but for every organization managing sensitive information in a digital world.

HIPAA 2.0 — How Risk Management Evolves Under HIPAA’s Cybersecurity Overhaul
Healthcare, HIPAA, Compliance, Cybersecurity Samantha "Sam" Jones

In the face of escalating cyber threats, the U.S. healthcare sector is on the brink of its most dramatic regulatory transformation in more than a decade. The Department of Health and Human Services’ recent Notice of Proposed Rulemaking (NPRM) for the HIPAA Security Rule doesn’t just update a long-standing framework—it signals a revolutionary shift in how organizations must guard patient data. The stakes are higher than ever, with compliance costs set to soar and the consequences of non-compliance more severe than ever imagined.

Security Complexity Is Strangling Your Bottom Line—IRM Platforms Can Save It

By now, it’s obvious: complexity has become the Achilles’ heel of cybersecurity and enterprise risk management (ERM). In a recent study from the IBM Institute for Business Value—Capturing the Cybersecurity Dividend: How Security Platforms Generate Business Value—researchers found that companies juggle an average of 83 different security solutions, sourced from 29 distinct vendors. Beyond the technology overload lies a crucial lesson for risk leaders: more point solutions do not necessarily translate into better protection.

NIS2 and the Global Risk Landscape: Harnessing Integrated Risk Management to Stay Ahead
Cybersecurity, IRM Ori Wellington

The EU’s NIS2 Directive represents a significant evolution in cybersecurity governance, and its ripple effects are set to transform compliance landscapes for companies worldwide. Despite uneven transposition across EU member states, NIS2's broader implications underscore the urgency for proactive risk management strategies. Companies can leverage Integrated Risk Management (IRM) solutions to turn these regulatory challenges into competitive advantages.

How S&P 100 Leaders Drive Cybersecurity Excellence Through Integrated Risk Management
Cybersecurity, IRM Ori Wellington

Recent insights from the Gibson Dunn report, Cybersecurity Overview: A Survey of Form 10-K Cybersecurity Disclosures by the S&P 100 Companies, highlight key trends and practices among public companies. Integrated Risk Management (IRM) is increasingly recognized as the critical approach enabling organizations to meet these requirements while driving strategic value. In this analysis, we'll explore the evolving regulatory landscape, key trends in cybersecurity disclosures, and how IRM empowers organizations to align their cybersecurity strategies with enterprise-wide governance frameworks.

Cyber-Attacks and Corporate Ruin: The Ripple Effects Leading to Bankruptcy
Cybersecurity, Digital Risk John A. Wheeler

In today's hyperconnected world, cyberattacks have become existential threats capable of reducing even the most established businesses to insolvency. Recent high-profile cases, such as the collapse of National Public Data and the bankruptcy of Stoli Group's U.S. subsidiaries, highlight how cyber breaches and ransomware attacks devastate systems and create cascading impacts that extend far beyond the initial compromise. These incidents serve as cautionary tales about the interconnected nature of operational, financial, and reputational risks in the digital age.

The Rising Tide of Cyber Threats: How Integrated Risk Management Can Combat AI-Driven Attacks
Artificial Intelligence, Cybersecurity Ori Wellington

The cyber threat landscape is changing rapidly, with artificial intelligence (AI) serving as both a powerful tool for defense and a formidable weapon for attackers. In a recent interview with The Wall Street Journal, Amazon's Chief Information Security Officer, CJ Moses, revealed a staggering increase in daily cyber threats faced by the company. Over the past six to seven months, Amazon has witnessed an escalation from 100 million to an average of 750 million cyber-attack attempts per day. This exponential rise underscores the urgent need for organizations to implement Integrated Risk Management (IRM) strategies to protect their assets in an increasingly complex digital environment.

Cyberattack on Grocery Giant Exposes Global Risk Management Gaps

As organizations like Ahold Delhaize increasingly rely on technology for inventory management, e-commerce, and logistics, cyber disruptions can extend beyond IT systems to affect global supply chains and customer trust. This event serves as a wake-up call for businesses globally to adopt an Integrated Risk Management (IRM) approach to ensure performance, resilience, assurance, and compliance in an interconnected digital landscape.

The Exponential Growth of Cybersecurity Risks and Their Impact on Business Operations
Cybersecurity, Healthcare Samantha "Sam" Jones

The recent UnitedHealth hack, as detailed in a Wall Street Journal article today, serves as a stark reminder of the growing scale and severity of cybersecurity threats. UnitedHealth’s ongoing struggle with this breach reveals the broader business risks that companies face when a cyber incident occurs, particularly as the monetary and operational impacts spiral far beyond initial forecasts.

Moving Beyond a Security-Based Mindset: The Need for Integrated Disclosure and Internal Controls
Cybersecurity, Integrated Risk Management John A. Wheeler

In today’s interconnected and complex business environment, it is crucial for organizations to shift away from a security-based mindset that focuses narrowly on immediate threats. Instead, they must adopt an integrated risk management (IRM) approach that balances both tactical and strategic risk perspectives. Lessons learned from the SolarWinds cyberattack serve as a stark reminder of this necessity.

SEC Clarifies Cybersecurity Incident Disclosure Rules: Key Takeaways for Companies
Cybersecurity, Digital Risk Samantha "Sam" Jones

The Securities and Exchange Commission (SEC) continues to refine its stance on the disclosure of material cybersecurity incidents, addressing corporate concerns and compliance complexities. On June 20, 2024, Erik Gerding, the Director of the SEC’s Division of Corporation Finance, provided further clarification regarding the selective disclosure of cybersecurity incidents. This move comes in response to persistent questions surrounding the SEC’s final cybersecurity disclosure rules, specifically under Item 1.05 of Form 8-K.

Understanding the New SEC Cybersecurity Incident Disclosure Rule: Trends and Implications

In the wake of increasing cybersecurity threats, the Securities and Exchange Commission (SEC) has implemented the Cybersecurity Incident Disclosure Rule, which took effect on December 18, 2023. This rule requires publicly traded companies to disclose material cybersecurity incidents within four business days of recognizing their materiality. Here, we dissect the early trends observed since the rule's implementation and the broader implications for corporate disclosure practices.

CIRCIA’s New Rules on Critical Infrastructure: Incorporating IRM to Manage a $2.6 Billion Economic Impact
Cybersecurity, Integrated Risk Management John A. Wheeler

As the Cybersecurity and Infrastructure Security Agency (CISA) ushers in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), an estimated 316,244 organizations within vital sectors stand at the cusp of significant regulatory shifts. Amidst this landscape, the strategic incorporation of Integrated Risk Management (IRM) becomes crucial not just for compliance but for bolstering cyber defenses in the face of a projected $2.6 billion economic impact over the next decade.

The Looming Shadow of the EU Cyber Resilience Act: How Integrated Risk Management Can Be Your Shield

The European Union's Cyber Resilience Act (CRA) looms large on the horizon, casting a shadow of both challenge and opportunity for companies selling software and connected devices in the EU. While the act's enforcement date is still months away, its comprehensive cybersecurity regulations demand proactive preparation from manufacturers, importers, and distributors alike.

NIST CSF 2.0: Charting Your Course with IRM Technology and IRM Navigator™
Cybersecurity, Integrated Risk Management Wheelhouse Advisors

This week’s release of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 presents a significant opportunity for organizations to strengthen their cybersecurity posture. This updated framework underscores the critical role of risk management in building cyber resilience, offering valuable guidance in a rapidly evolving threat landscape. However, navigating the implementation of NIST CSF 2.0 can be challenging, often hampered by siloed data, fragmented processes, and limited visibility into overall risk exposure.
