
Internal Audit Newswire - March 01, 2026

Subscribe now to join the Risk Register community:


Figure Technology data breach hits nearly one million accounts

Source: Finextra

In mid-February, Figure Technology (a blockchain-based lending platform) disclosed a data breach affecting 967,200 customer accounts. The company initially downplayed it as affecting "a limited number of files," but Have I Been Pwned published the full extent of the exposure.

The attack vector: Social engineering. Attackers from the ShinyHunters group ran a voice phishing campaign targeting single sign-on accounts at Okta, Microsoft, and Google across more than 100 organizations. They impersonated IT support, tricked employees into entering credentials on phishing sites, and captured the multi-factor authentication codes entered there. No technical vulnerability was exploited and no zero-day was involved; a well-crafted phone call did the work. Note what that implies about the MFA in place: a one-time passcode or push approval is not bound to the site that requested it, so a phishing page that relays it in real time gets the attacker a valid session.

Internal Audit Implications

Figure is a blockchain-native platform and presumably had strong cryptographic controls. None of that was attacked. This failure happened at the human and identity layer, not in the technology the company is known for.

And when you look at the material weaknesses that drive adverse SOX 404 opinions, access control issues show up repeatedly.

Weak password policies for shared service or vendor accounts, inadequate user access monitoring, and untimely access removal when employees or contractors are terminated.

When controls over privileged and administrative user access to financial systems are inadequate, it creates exposure for unauthorized access, data breaches, and fraudulent activities.

This isn't just a cybersecurity issue. It's an ICFR issue.

Your audit plan should test vendor access controls with the same rigor you apply to internal user access. You need to validate that access provisioning and de-provisioning processes actually work for third-party service providers, by reconciling HR and contract end dates against accounts that are still active, not by reading the policy. And you should be testing whether your team could detect a social engineering attack that bypassed technical controls. Because if your testing stops at "we have MFA enabled," you're missing the control that failed at Figure: which factors are enrolled matters. SMS codes, authenticator codes, and push approvals can all be relayed by a phishing page; FIDO2/WebAuthn factors (security keys, passkeys) are bound to the site origin and cannot. For privileged and vendor accounts, test for the phishing-resistant kind.
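An added example, not from the newsletter or from Figure: three of the access-control tests described above, run as a script against constructed HR and identity-provider (IdP) exports. The record layout, the sample accounts, the factor labels and the one-day grace period are assumptions for illustration, not any vendor's export schema.

```python
"""Access-control ITGC checks over constructed HR and IdP exports (added example)."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Factors bound to the requesting site's origin; a phishing page or real-time
# proxy cannot replay these. SMS, TOTP and push approval are not in this set
# because the vishing flow described above captures and relays them.
PHISHING_RESISTANT_FACTORS = {"webauthn", "fido2", "passkey", "smartcard"}


@dataclass(frozen=True)
class Account:
    user: str
    subject_id: str              # HR employee id or vendor contract id (assumed field)
    status: str                  # "ACTIVE" or "DEPROVISIONED"
    privileged: bool
    vendor: bool
    factors: Tuple[str, ...]     # enrolled MFA factor types
    last_login: Optional[datetime]


# Constructed sample data: HR terminations and vendor contract end dates.
ACCESS_END_DATES: Dict[str, date] = {
    "E1001": date(2026, 1, 15),   # employee terminated
    "V2001": date(2026, 2, 1),    # vendor contract ended
}

# Constructed sample IdP export.
ACCOUNTS: List[Account] = [
    Account("alice@example.com", "E1001", "ACTIVE", True, False,
            ("sms", "totp"), datetime(2026, 1, 20, 9, 30)),
    Account("bob@example.com", "E1002", "ACTIVE", True, False,
            ("totp", "webauthn"), datetime(2026, 2, 27, 8, 5)),
    Account("msp-support@vendor.example", "V2001", "ACTIVE", True, True,
            ("push",), datetime(2026, 1, 30, 17, 0)),
    Account("carol@example.com", "E1003", "ACTIVE", False, False,
            ("sms",), datetime(2026, 2, 26, 12, 0)),
    Account("dave@example.com", "E1004", "DEPROVISIONED", True, False,
            ("webauthn",), datetime(2025, 12, 1, 7, 0)),
]


def untimely_removals(accounts, end_dates, as_of, grace_days=1):
    """Accounts still ACTIVE more than grace_days after their HR/contract end date."""
    findings = []
    for a in accounts:
        end = end_dates.get(a.subject_id)
        if end is None or a.status != "ACTIVE":
            continue
        lag = (as_of - end).days
        if lag > grace_days:
            findings.append((a.user, end.isoformat(), lag))
    return findings


def post_termination_logins(accounts, end_dates):
    """Logins dated after the access end date: evidence the de-provisioning gap was used."""
    return [
        (a.user, a.last_login.isoformat())
        for a in accounts
        if a.last_login is not None
        and a.subject_id in end_dates
        and a.last_login.date() > end_dates[a.subject_id]
    ]


def phishable_only_privileged(accounts):
    """Active privileged or vendor accounts with no phishing-resistant factor enrolled."""
    return sorted(
        a.user
        for a in accounts
        if a.status == "ACTIVE"
        and (a.privileged or a.vendor)
        and not PHISHING_RESISTANT_FACTORS.intersection(a.factors)
    )


if __name__ == "__main__":
    as_of = date(2026, 3, 1)
    for title, rows in (
        ("Active after access end date", untimely_removals(ACCOUNTS, ACCESS_END_DATES, as_of)),
        ("Logins after access end date", post_termination_logins(ACCOUNTS, ACCESS_END_DATES)),
        ("Privileged/vendor accounts with only phishable MFA", phishable_only_privileged(ACCOUNTS)),
    ):
        print(f"{title}: {len(rows)} finding(s)")
        for row in rows:
            print("  ", row)
```

Run against real exports, the first two checks test whether the de-provisioning control operated (and whether its failure was exploited); the third tests the factor inventory rather than the "MFA enabled" flag. A vendor account is deliberately in the sample data so the reconciliation covers third-party access, not just employees.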


Hegseth designates Anthropic a supply‑chain risk after talks with CEO

Source: AP News

On February 27, the Department of Defense designated Anthropic (maker of the Claude AI models) as a supply chain risk. This designation is typically reserved for companies from adversary nations, such as Huawei. But Anthropic is an American company.

The Pentagon will sever its contract with Anthropic (valued at up to $200 million) and require companies it works with to certify they don't use Claude in their workflows. Claude is the only AI model currently used in the military's classified systems. It was used in the operation to capture Nicolás Maduro. Defense officials admitted it would be "a huge pain in the ass" to disentangle.

The government designated an American company a supply chain risk for the first time in history, apparently in retaliation for Anthropic not agreeing to certain contract terms.

Internal Audit Implications

From an audit perspective, this surfaces a new category of risk: procurement and contract compliance risk tied to AI and emerging technology vendors.

Even if Anthropic ultimately prevails in court, the damage may already be done. As one expert noted, "It will take years to resolve in court. And in the meantime, every general counsel at every Fortune 500 company with any Pentagon exposure is going to ask one question: is using Claude worth the risk?"

Third-party risk management has become a central theme in the SEC's 2026 Examination Priorities. Vendor oversight appears across many regulatory focus areas, highlighting a broader shift in how regulators view third-party risk as critical infrastructure that supports core operations.

Your vendor risk assessment process needs to account for regulatory or government procurement restrictions that could impact operational continuity. You should be monitoring contract compliance requirements for technology vendors (especially AI platforms) that could trigger supply chain designations or regulatory scrutiny. And you need a contingency plan if a critical vendor is suddenly deemed a compliance risk by a regulatory body. Because the Anthropic case shows that vendor risk isn't just about data security or service delivery. It's about regulatory positioning and operational resilience.


Driven Brands says prior financial statements should not be relied upon; restatement planned

Source: U.S. Securities and Exchange Commission (EDGAR)

On February 25, Driven Brands announced it would delay the release of its fiscal year 2025 financial results. The company disclosed it would restate financial statements for fiscal years 2023 and 2024, plus the first three quarters of 2025.

The reason: Material accounting errors including lease accounting errors, unreconciled cash account differences, misclassified expenses, and inappropriately recognized revenue. The company also revealed material weaknesses in internal controls over financial reporting.

The stock dropped over 30%.

Internal Audit Implications

This is a textbook SOX 404 remediation case. A recent study by Ideagen Audit Analytics North America reveals that IT concerns have emerged as the top issue cited in adverse auditor opinions for the first time.

The trend in repeat adverse assessments is concerning. Over 60% of adverse reports come from repeat filers, and nearly 70% in the last two years. This indicates that remediation efforts may be insufficient, ineffective, or time intensive. Translation: Companies are identifying material weaknesses, but they're not fixing them fast enough or thoroughly enough to prevent recurrence.

You should be tracking remediation timelines for identified control deficiencies with the same rigor you apply to initial testing. You need a process to validate that remediation efforts actually address the root cause, not just the symptom. And you should be testing IT controls with the same depth you apply to financial process controls. Because the data shows that IT issues are now the leading driver of material weaknesses. And if your testing doesn't reflect that shift, you're auditing yesterday's risks.
