July 16, 2025
What happened?
Goodwin, a law firm with asset manager clients, recently notified authorities in several states that a recent data breach exposed the sensitive data of more than 360 individuals.
The hack was “a result of a recent incident involving one of our third-party providers, Commvault,” Goodwin stated. Commvault, a cybersecurity company, experienced a cyber threat in March that targeted applications hosted in its Microsoft Azure cloud environment.
Goodwin issued a letter stating that it had initiated an investigation to determine the cause and scope of the incident. The majority of those affected by the breach have been notified, and Goodwin is in the process of contacting the remaining individuals.
What does this mean for me?
This incident reinforces the importance of conducting routine and comprehensive due diligence on all vendors that have access to sensitive client information.
Additionally, all RIAs will soon have to comply with Amended Regulation S-P, which requires covered entities to implement a comprehensive vendor management program, an incident response program, a customer notification requirement, and more, to help ensure that firms are prepared to swiftly respond to and mitigate breaches like the one Goodwin just experienced.
If you have any questions about Amended Regulation S-P, or if you need assistance building or maintaining a comprehensive vendor management program, contact us to speak with one of our regulatory experts.