800-214-0957 info@blackbottleit.com
Cybersecurity for Managing Partners

Cybersecurity for Managing Partners: Your Fiduciary Duty to Protect Client Data

As a managing partner, you’re responsible for more than just billable hours and client development. You bear the fiduciary duty to protect your firm from threats that could end careers, drain bank accounts, and destroy decades of reputation-building. Cybersecurity isn’t just an IT issue—it’s a risk management imperative that belongs on every managing partner’s desk.

The Threat Landscape Facing Law Firms Today

Law firms have become prime targets for cybercriminals, and the statistics are sobering. According to the ABA’s Legal Technology Survey, 29% of law firms experienced a security breach in the past year. Unlike other industries where hackers seek credit card numbers or personal data, attackers targeting law firms are after something far more valuable: privileged client information, M&A deal terms, litigation strategy, intellectual property, and wire transfer credentials.

Your firm holds the keys to the kingdom for your clients’ most sensitive matters. A single compromised email account can expose:

  • Confidential settlement negotiations worth millions
  • Upcoming merger announcements that could be used for insider trading
  • Trade secrets and patent applications
  • Attorney-client privileged communications
  • Trust account wire transfer access

The consequences extend beyond the immediate breach. Law firms face malpractice claims, bar discipline, loss of client trust, mandatory breach notifications, regulatory fines, and the devastating reputational damage that comes when clients learn their confidential information was compromised under your watch.

Your Ethical and Legal Obligations

Many managing partners don’t realize that cybersecurity is no longer optional: it is an ethical obligation under the rules of professional conduct that your state bar enforces.

Model Rule 1.6(c) requires attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” State bars and courts have consistently interpreted this to include implementing reasonable cybersecurity measures.

But what does “reasonable” actually mean? That’s where managing partners often struggle. The ambiguity has led to inconsistent approaches across firms, with some doing the bare minimum and others over-investing in unnecessary tools.

State bars have begun providing more specific guidance:

  • New York now requires at least one CLE credit in cybersecurity, privacy and data protection in every reporting cycle
  • North Carolina has issued formal ethics opinions on cloud computing security and data breach response
  • California and Florida bars have published detailed guidance on encryption, secure communication, and vendor management

The trend is clear: bars expect more from firms regarding data protection, and “we didn’t know” is no longer an acceptable defense.

Beyond Bar Requirements: Client Demands

Even where the ethical standard is vague, your clients are increasingly specific about their security expectations. Corporate clients now routinely send detailed vendor security questionnaires to their outside counsel.

These cybersecurity assessments ask about:

  • Encryption standards for data at rest and in transit
  • Multi-factor authentication implementation
  • Incident response procedures and breach notification protocols
  • Employee security awareness training programs
  • Third-party vendor risk management
  • Business continuity and disaster recovery plans
  • Whether you hold an ISO 27001 certification or can provide a current SOC 2 report

Firms that can’t demonstrate adequate security controls are losing opportunities.

Law firms can be removed from RFP shortlists solely because they couldn’t certify their security posture. In competitive markets, security has become a differentiator—not just a compliance checkbox.

Investing in Cybersecurity

Your clients trust you with their most sensitive matters. Your partners have built their careers on the firm’s reputation. Your staff depend on the firm’s stability for their livelihoods. Protecting all of that from cyber threats isn’t optional—it’s your fundamental duty as a managing partner.

The question isn’t whether you can afford to invest in cybersecurity. The question is whether you can afford not to.


Black Bottle IT helps law firms meet their ethical duty to protect client data without the cost of a full-time security team. We implement the cybersecurity standards your bar requires and your corporate clients demand—so you can focus on practicing law, not IT compliance.

Payroll Companies are a Lucrative Business for Hackers

Payroll Companies Remain Prime Targets for Cybercriminals

As we enter 2026, the cybersecurity landscape for accounting firms, payroll providers, and tax preparers has never been more complex—or more critical. With regulatory requirements tightening and threat actors growing more sophisticated, compliance is no longer just about checking boxes. It’s about building a cyber-resilient operation that protects your clients’ most sensitive data while keeping your business operational.

The FTC Safeguards Rule, state data privacy laws, and industry-specific compliance mandates continue to evolve, placing greater responsibility on financial services professionals to demonstrate robust security measures. Yet many firms still treat their Written Information Security Plan (WISP) as a document that sits on a shelf rather than a living, breathing framework for daily operations.

Here’s the reality: Payroll and accounting firms hold the keys to the kingdom—Social Security numbers, bank account details, tax records, and financial histories. For cybercriminals, you’re not just a target; you’re a goldmine. And if your cybersecurity program isn’t actively identifying, prioritizing, and addressing vulnerabilities, you’re leaving the door wide open.


Questions Only You Can Answer About Your WISP Plan

Your WISP Can’t Just Sit on a Shelf!

  • Have you performed an annual risk assessment?
  • Do you have an Incident Response Plan, and have you tested it?
  • Has your organization implemented advanced security controls such as MFA, EDR and encryption?
  • Do you have a cybersecurity awareness training program?
  • Who is the Qualified Individual responsible for your security program? The FTC Safeguards Rule requires you to designate one, and your WISP must name that person.
  • Do you know which systems contain sensitive client data and how it’s protected?
  • What’s your process to communicate the plan across the organization?

There’s no time for complacency. Failure to comply could subject your organization to legal liability, regulatory penalties, client lawsuits, and reputational damage that takes years to repair.


Let’s Dive a Bit Deeper with AV & EDR: A Better Core Control

Traditional Anti-Virus (AV)

  • Relies on signatures of previously seen malware, so a recompiled or brand-new variant passes unnoticed
  • Minimal to no telemetry collection beyond the alert itself
  • Minimal to no added features or benefits beyond scan-and-quarantine

Endpoint Detection & Response (EDR)

  • Detects known AND previously unseen threats by monitoring behavior (process lineage, command lines, file, registry and network activity) rather than file identity alone
  • Detailed, continuous endpoint telemetry that an analyst can query after the fact
  • Added benefits include application monitoring, threat-hunting capabilities, and advanced reporting
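To make the difference concrete, here is an added example (not code from the original post or from any product it names) that runs a hash-only check and three behavioral rules over a handful of constructed process-creation events. The hostnames, hashes, command lines, rule names and the event format are assumptions made for illustration; real EDR telemetry is far richer, but the contrast is the same: the signature check fires only on the one binary it has seen before, while the behavioral rules catch the phishing-macro chain whose executables are all legitimate Windows binaries.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, the kind of telemetry an EDR agent streams."""
    host: str
    parent: str    # parent process image name
    image: str     # new process image name
    cmdline: str   # full command line of the new process
    sha256: str    # hash of the executable on disk (placeholder values below)


# Signature list: what a traditional AV compares file hashes against.
# A recompiled or brand-new build is simply not on the list. (Constructed hash.)
KNOWN_BAD_HASHES = {"3b2f" * 16}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def rule_office_spawns_script_host(ev):
    """Office document launching a script interpreter: the classic macro-phishing chain."""
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return "office-app-spawned-script-host"
    return None


def rule_encoded_powershell(ev):
    """powershell.exe handed a base64 payload. PowerShell accepts any unambiguous
    prefix of -EncodedCommand (-e, -ec, -enc, ...), so match prefixes, not one string."""
    if ev.image.lower() not in {"powershell.exe", "pwsh.exe"}:
        return None
    for token in ev.cmdline.split():
        flag = token.lower()
        if flag.startswith("-") and len(flag) > 1 and (
                flag == "-ec" or "encodedcommand".startswith(flag[1:])):
            return "encoded-powershell-command"
    return None


def rule_shadow_copy_deletion(ev):
    """Deleting volume shadow copies is a ransomware precursor, whatever binary does it."""
    return "shadow-copy-deletion" if SHADOW_DELETE.search(ev.cmdline) else None


BEHAVIOR_RULES = [rule_office_spawns_script_host, rule_encoded_powershell, rule_shadow_copy_deletion]


def av_verdict(ev):
    """Signature-only AV: a hit iff the executable hash is already known bad."""
    return ev.sha256 in KNOWN_BAD_HASHES


def edr_findings(ev):
    """Behavioral EDR: every rule the event's activity trips, regardless of hash."""
    return [name for rule in BEHAVIOR_RULES if (name := rule(ev))]


def triage(events):
    """Run both controls over the same telemetry.
    Returns {host: {"av": number of signature hits, "edr": [behavioral findings]}}."""
    report = {}
    for ev in events:
        entry = report.setdefault(ev.host, {"av": 0, "edr": []})
        if av_verdict(ev):
            entry["av"] += 1
        entry["edr"].extend(edr_findings(ev))
    return report


# Constructed sample telemetry (hypothetical hostnames, hashes and payload).
SAMPLE_EVENTS = [
    # A macro in an "invoice" document launches a hidden, base64-encoded PowerShell
    # stager; powershell.exe is a legitimate signed binary, so the hash check is silent.
    ProcessEvent("PAY-WS01", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA", "a1" * 32),
    # The stager deletes shadow copies before encrypting files.
    ProcessEvent("PAY-WS01", "powershell.exe", "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", "c3" * 32),
    # An old ransomware build whose hash is on the signature list: AV catches this one.
    ProcessEvent("PAY-WS02", "explorer.exe", "invoice_2024.exe", "invoice_2024.exe", "3b2f" * 16),
    # Ordinary Windows activity: neither control should fire.
    ProcessEvent("PAY-WS03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", "d4" * 32),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

Note that the behavioral rules never look at the hash: PAY-WS01 is flagged three times even though every binary involved ships with Windows, and the only thing AV catches is the stale build on PAY-WS02 that an attacker would have recompiled long ago.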

Wouldn’t it be nice to know at which bend in the road your business might encounter a breach?


Your Preparedness Should Include:

  • An updated WISP and tested Incident Response Plan
  • Employees who are current on cybersecurity awareness training
  • Multi-Factor Authentication (MFA) on every account, application and remote-access path (the FTC Safeguards Rule requires it for anyone accessing customer information)
  • 24×7 monitoring of all systems and endpoints
  • A comprehensive Cyber Insurance policy

As an industry, we’re improving, and training initiatives make a difference. But bad actors aren’t just after your data; they’re after your money. Payroll companies remain lucrative targets because of their direct access to bank accounts, ACH and wire transfers, and the credentials that control them.


Compliance and Cyber Resilience Go Hand-in-Hand

Black Bottle IT specializes in helping payroll companies, accounting firms, and tax preparers meet compliance requirements while building truly resilient cybersecurity programs. We don’t just help you pass an audit—we help you protect your business and your clients every single day.

Ready to strengthen your defenses in 2026? Contact Black Bottle IT today. We have a bench of cyber analysts ready to fight alongside you.



SOC2 Certification: A Critical Investment

In today’s digital financial landscape, data security and privacy are non-negotiable requirements for FinTech companies of all sizes. While obtaining a SOC 2 (System and Organization Controls 2) report typically requires a significant investment, the return can be substantial through expanded market access and increased customer trust. Strictly speaking, SOC 2 is an attestation report issued by a licensed CPA firm rather than a certification, though vendors and buyers routinely use the two terms interchangeably.

Data breach costs underscore the importance of robust security measures. IBM’s 2024 Cost of a Data Breach Report puts the average breach at $9.8 million in healthcare, the most expensive sector, followed by financial services at $6.08 million.

Why Small to Mid-Size FinTech Companies Need SOC2

Market Access Requirements

Without SOC2 certification, small and mid-size FinTech companies are increasingly shut out of lucrative partnerships. Regional banks, credit unions, investment firms, payment processors, and enterprise clients now treat SOC2 as table stakes—not having it means you won’t even make it to the shortlist for vendor consideration.

Competitive Necessity

In the growing FinTech market, SOC2 certification helps level the playing field with larger competitors. It demonstrates that despite your smaller size, you maintain enterprise-grade security standards—a crucial differentiator when competing for business against both larger and similar-sized companies.

SOC 2 is not a one-time exercise. A report covers a defined period and must be renewed, so FinTech companies must continually monitor their controls and processes to stay ready for the next one. That includes regular internal audits, vulnerability assessments and incident response testing.

Practical Impact on Your Business

Customer Trust

For small to mid-size FinTech companies, a SOC 2 report accelerates the sales cycle: prospects can rely on pre-validated controls instead of a bespoke review, which cuts security questionnaire response time. The report provides third-party validation of your security practices and demonstrates a clear commitment to data protection that clients can trust.

Operational Benefits

Beyond customer trust, the process brings tangible operational improvements: streamlined security processes, clearer documentation and better risk management. Teams develop a sharper awareness of security practices, which reduces incident response times when issues do arise.

Cost Management Strategies

Small to mid-size companies can optimize their investment by starting with a readiness assessment and using cloud-based compliance management tools. Implementing changes gradually, using existing team members for documentation, and choosing focused rather than comprehensive consulting services help control costs without sacrificing quality.

Implementation Timeline for Small to Mid-Size Companies

A realistic timeline with the Black Bottle IT team of cybersecurity and compliance experts spans 8-10 months from start to a SOC 2 Type II report: initial assessment (1 month), policy development (1-2 months), implementation (2-3 months), an observation period during which the auditor tests that controls actually operated (3 months is a common minimum for a first Type II), and the final audit (1 month). A Type I report, which covers control design at a single point in time, can be obtained sooner but carries less weight with customers.

Practical Next Steps

  1. Start with a Gap Analysis
  • Assess current security measures
  • Identify required improvements
  • Estimate specific costs for your organization
  2. Plan Your Resources
  • Identify internal team leads
  • Research consulting options
  • Evaluate technology needs
  3. Create a Timeline
  • Set realistic milestones
  • Plan around busy seasons
  • Allow for adjustment periods

Conclusion

For small to mid-size FinTech companies, SOC2 certification isn’t just about compliance—it’s about opening doors to new business opportunities and establishing credibility in a competitive market.

The key is to view SOC2 certification as a strategic investment rather than a burden. With proper planning and resource allocation, small to mid-size FinTech companies can achieve certification without overwhelming their resources while positioning themselves for significant growth opportunities.

Remember: The cost of not having SOC2 certification often exceeds the investment required to obtain it, especially in the FinTech sector where security credentials are increasingly becoming a baseline requirement for doing business.

Let’s connect today. Email us at info@BlackBottleIT.com. 

Digital Spring Cleaning: A Must for PCI Compliance

If you process even a single credit card transaction, this message is for you. From the corner coffee shop to the bustling e-commerce store, PCI compliance isn’t optional – it’s essential. And with spring around the corner, there’s no better time to clean up your digital security.

Who Needs PCI Compliance?

The short answer? Everyone who accepts credit cards. This includes:

  • Small retail shops processing in-person transactions
  • Restaurants with payment terminals
  • Online stores of any size
  • Service providers accepting card payments
  • Mobile businesses using card readers
  • Subscription-based businesses with recurring payments

The Myth of Being “Too Small to Target”

Many small business owners think their size protects them. Unfortunately, cybercriminals often target smaller businesses precisely because they tend to have weaker security measures. In 2023, 43% of cyberattacks targeted small businesses, and the average cost of a data breach for a small business exceeded $200,000. (Verizon)

Spring Cleaning Your Security for PCI Compliance

Start with Password Hygiene

Your payment processing systems are only as secure as their passwords. Deploy a password manager for all employees and require strong passwords: PCI DSS v4.0 sets a minimum of 12 characters (8 where a system cannot support 12) containing both letters and numbers (Requirement 8.3.6). Change every vendor-default password and disable unneeded default accounts on payment terminals, POS systems and network devices before they go into service (Requirement 2.2.2), and require multi-factor authentication for all access into the cardholder data environment (Requirement 8.4.2); a password alone no longer satisfies the standard for that access.

Clean Up User Access

PCI DSS requires strict access control. Review and revoke access for former employees, particularly those who handled payment data, and make that review a standing task: PCI DSS v4.0 Requirement 7.2.4 calls for all user accounts and their access privileges, including third-party and vendor accounts, to be reviewed at least once every six months, and Requirement 8.2.6 for accounts inactive for 90 days to be disabled or removed. Implement role-based access control (RBAC) so employees can reach only what their specific job needs, with access decided by role rather than granted ad hoc.
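As an added example, not from the original post, here is the kind of access review PCI DSS asks for, written against constructed exports: an HR roster, an account-and-entitlement export from a POS system and a payment gateway, and a role matrix listing the only entitlements each role needs. Every user, role and system name is an assumption made for illustration; the 90-day inactivity limit is PCI DSS v4.0 Requirement 8.2.6. The review flags leavers who still have accounts, accounts nobody on the roster owns, entitlements beyond a person’s role, and accounts that have gone stale.

```python
import csv
import io
from datetime import date

# Constructed HR roster export (hypothetical users and roles).
ROSTER_CSV = """user,status,role,termination_date
jsmith,active,cashier,
mlee,terminated,cashier,2024-11-30
rpatel,active,store_manager,
tnguyen,active,accounting,
"""

# Constructed account/entitlement export from the POS and payment gateway.
ACCOUNTS_CSV = """user,system,entitlement,last_login
jsmith,pos,process_sale,2025-01-10
mlee,pos,process_sale,2024-12-15
mlee,payment_gateway,refund,2024-10-01
rpatel,pos,process_sale,2025-01-09
rpatel,pos,void_and_refund,2025-01-09
tnguyen,payment_gateway,export_transactions,2025-01-08
tnguyen,pos,void_and_refund,2024-06-01
svc_backup,payment_gateway,admin,2023-02-01
"""

# RBAC matrix (assumed for this example): the only (system, entitlement) pairs a
# role needs to do its job. Anything else an account holds is excess.
ROLE_ENTITLEMENTS = {
    "cashier": {("pos", "process_sale")},
    "store_manager": {("pos", "process_sale"), ("pos", "void_and_refund")},
    "accounting": {("payment_gateway", "export_transactions")},
}

# PCI DSS v4.0 Requirement 8.2.6: disable or remove accounts inactive for 90 days.
INACTIVITY_LIMIT_DAYS = 90

# Assumed review date so the sample run is reproducible.
REVIEW_DATE = date(2025, 1, 15)


def review_access(roster_csv, accounts_csv, today):
    """Reconcile every account against HR status and the RBAC matrix.
    Returns a sorted list of (user, system, entitlement, finding) tuples."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user, key = acct["user"], (acct["system"], acct["entitlement"])
        person = roster.get(user)
        if person is None:
            # Service or orphaned account: nobody on the roster owns it.
            findings.append((user, *key, "not-on-hr-roster"))
        elif person["status"] != "active":
            findings.append((user, *key, "terminated-user-still-enabled"))
            continue  # disable first; no point grading a leaver's entitlements
        elif key not in ROLE_ENTITLEMENTS.get(person["role"], set()):
            findings.append((user, *key, f"beyond-role:{person['role']}"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > INACTIVITY_LIMIT_DAYS:
            findings.append((user, *key, "inactive-over-90-days"))
    return sorted(findings)


def run_sample():
    """Review the constructed exports as of the assumed review date."""
    return review_access(ROSTER_CSV, ACCOUNTS_CSV, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The roster is the source of truth, not the account list: an account with no roster owner is a finding in its own right, because unowned service accounts are exactly what is forgotten when people leave. Run this against real exports every six months to satisfy Requirement 7.2.4, and keep the output as evidence for your SAQ.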

Update and Patch Everything

Payment systems must have the latest security patches. Schedule automatic updates for all software, especially:

  • Point-of-sale systems
  • Payment terminals
  • E-commerce platforms
  • Card readers
  • Backend payment processing software

Backup and Recovery Check

PCI DSS does not ask you to keep cardholder data; it asks you to keep as little as possible (Requirement 3.2) and never to retain sensitive authentication data such as the CVV or full track data after authorization (Requirement 3.3). Any backup that does contain cardholder data is in scope: the primary account number must be rendered unreadable wherever it is stored (Requirement 3.5), and backup media must be securely stored, its distribution tracked and offsite copies inventoried (Requirement 9.4). Store backups in multiple locations, but encrypt and protect them to those standards, and pair them with a tested disaster recovery plan so you can restore payment operations and know exactly which backups hold card data.

Train Your Team

Your employees are your first line of defense. Schedule regular training covering:

  • Proper handling of credit card information
  • Recognition of card skimming devices
  • Identification of phishing attempts
  • Secure remote work practices
  • Incident reporting procedures

The Benefits of Compliance

Beyond avoiding penalties, PCI compliance offers substantial benefits:

  • Protected payment card data reducing breach risk
  • Enhanced customer trust in your business
  • Reduced likelihood of fraudulent transactions
  • Improved overall security posture
  • Potential insurance premium reductions

Getting Started

Begin with a self-assessment to determine where you stand. The PCI Security Standards Council publishes Self-Assessment Questionnaires (SAQs) chosen by how you accept cards (card-present terminals only, fully outsourced e-commerce, a payment page you host yourself, and so on); your transaction volume determines your merchant level and whether an SAQ is enough or an on-site assessment by a Qualified Security Assessor is required. Use this spring cleaning period to:

  1. Complete the SAQ that matches your payment channels
  2. Run quarterly external vulnerability scans through an Approved Scanning Vendor (ASV) if your SAQ requires them
  3. Address any gaps the questionnaire and scans reveal
  4. Document your security procedures and the scope of your cardholder data environment
  5. Train your staff on the new procedures

Remember, cybersecurity isn’t a one-time spring cleaning task – it’s an ongoing process. However, using this season to establish strong security habits can set your business up for long-term success and compliance.

Maintaining a clean and secure digital environment isn’t just about checking boxes for PCI compliance – it’s about protecting your business, customers, and reputation. No company is too small to start taking security seriously. Begin your digital spring cleaning today, and make security a year-round priority.

Black Bottle IT wants to connect with your business today.  Our cybersecurity consultants will get started with the appropriate assessment questionnaire. Email us at info@BlackBottleIT.com. 

Black Bottle IT Achieves HIPAA Compliance with Compliancy Group


Black Bottle IT has demonstrated its good faith effort toward HIPAA compliance by completing Compliancy Group’s proprietary HIPAA compliance process.

We are pleased to announce that Black Bottle IT has taken the steps necessary to demonstrate its good faith effort to comply with the Health Insurance Portability and Accountability Act (HIPAA). Using Compliancy Group’s proprietary HIPAA solution, The Guard™, Black Bottle IT tracks its compliance program and has earned the Seal of Compliance™, which Compliancy Group issues to organizations that implement an effective HIPAA compliance program through The Guard.

HIPAA comprises a set of regulatory standards governing the security, privacy, and integrity of sensitive healthcare data called protected health information (PHI). PHI is any individually identifiable health information. A vendor that creates, receives, maintains or transmits PHI on behalf of a healthcare client is a business associate under HIPAA: it must sign a business associate agreement and is itself directly responsible for complying with the Security Rule and the applicable Privacy Rule provisions.

Black Bottle IT has completed Compliancy Group’s Implementation Program, adhering to the regulatory standards outlined in the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, and HITECH. Compliancy Group has verified Black Bottle IT’s good faith effort to achieve HIPAA compliance through The Guard.

“Our streamlined solution with Compliancy Group will drastically cut down the time needed to achieve HIPAA compliance, saving our clients time and stress,” said John Hensberger, Partner. “We are excited about our partnership and look forward to helping our clients grow their business, safely.”

About Compliancy Group

HIPAA should be simple. That’s why Compliancy Group is the only software with Compliance Coaches™ walking you through HIPAA to simplify compliance. Built by auditors, Compliancy Group gives you confidence in your compliance plan to reduce risk, increase patient loyalty, and improve the profitability of your organization. Visit https://www.compliancy-group.com to learn how simple compliance can be.

How Will You Keep Your DoD Contracts?

Prioritizing the security of your company’s network is essential to staying productive. Failing to do so can also create real contractual and legal exposure, especially when your customers require documented security controls as a condition of doing business.

When it comes to firewall security, you may be surprised to learn that this type of protection can expire. Let’s take a deeper look at what you need to know.

When Does Firewall Security Expire?

As time goes on, cybercriminals develop more advanced tools to get at sensitive data, so the protection a firewall provides degrades if it is not kept current. A modern firewall is far more than a packet filter: its intrusion-prevention signatures, malware and URL-reputation feeds, and application-identification rules all arrive through a vendor subscription, and the firmware itself receives security fixes only while the vendor still supports that model.

To clarify, even a firewall built with relatively contemporary safeguards becomes ineffective as attackers move to new malware and techniques that its lapsed signature feed has never seen.

In fact, a firewall that looks notably strong on paper may not accomplish its task at all. An appliance past its end-of-support date will never receive a patch for the next vulnerability found in its own software, and because the device sits on the network edge, those vulnerabilities are exactly the ones attackers go looking for.

So, to answer the question: firewall security can be considered expired when the device no longer receives regular patches, firmware updates and threat-signature updates, whether because the subscription has lapsed or because the vendor has ended support for the model.

What Are the Risks?

As you might assume, the most significant risk of letting firewall security expire is failing to protect sensitive information adequately.

Depending on your industry, that often includes data that should never fall into the wrong hands, such as patient medical records.

You also run the risk of attackers stealing trade secrets that they can sell to competitors within your industry. For many businesses, that is an extremely difficult situation to recover from.

What Should I Look For in a Provider?

The ideal provider implements a renewal policy, so that your firewall subscription (threat-signature updates, firmware releases and vendor support) renews automatically and never silently lapses. Ask for the hardware’s published end-of-support date as well; a renewed subscription does not help once the vendor stops shipping firmware for that model.

This firewall service typically includes frequent threat-detection updates and the rollout of new firmware as it is released.

The provider you work with should also offer continual customer support for your firewall service, so you can quickly get in touch with questions or concerns.

While it isn’t always practical to assume that your provider will offer 24/7 customer service, many do provide round-the-clock service 365 days a year.

You should also take a look at their past reviews. They will give you insight into whether you can expect the level of service your business needs.

Maintaining Proper Firewall Security Is Crucial

You must take the necessary steps to keep your firewall patched, subscribed and supported. Do that, and you can be confident the firewall is protecting the sensitive data in your organization as well as it is able to.

Want to learn more about what Black Bottle IT has to offer your business? Feel free to reach out to us today and see how we can help.