Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.

As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.

Compliance Reporting: What Not to Share with Customers

If a customer asks for proof that you’re compliant with a particular standard, you should provide the right information that satisfies their request. But there’s a ton of information that no one outside your organization has any right to see.

It is critical that you and your employees understand exactly what to share, and what not to share, when third parties ask for proof of compliance. 

This issue pops up all the time, and many organizations will hand over anything that’s requested in order to keep major clients happy. Know your rights, and educate your employees so they know exactly what to provide, while protecting the company, and while doing it properly.

Safeguard Your Internal Reports

As an example, if you go up against the PCI DSS and you’re going up against a full Report on Compliance (ROC) or a Self-Assessment Questionnaire-D (SAQ-D), those are your internal reports. They contain a myriad of information that external entities have absolutely no right or reason to see. Instead, PCI DSS provides an externally facing summary report known as the Attestation of Compliance (AOC). The AOC summarizes your compliance posture and is perfectly suited for external distribution.

The same general premise applies to every compliance standard. If you have a detailed report that reveals granular details about your internal environment, the tools you use, and how your systems are configured, DO NOT distribute that detailed report. Only issue the externally appropriate summary of your security posture to third parties. 

Establish a Centralized Distribution Channel

To manage these incoming inquiries regarding your security / compliance stance appropriately, your organization should establish a centralized function to handle the receipt of these inquiries and the distribution of all security and compliance documentation. 

This actually popped up for a client just a couple days ago. The sales and marketing departments received direct inquiries from prospects and they tried to answer them independently. 

Naturally, the sales and marketing crew wants to knock down barriers, solve problems, and land deals quickly. But because they’re focused on closing the contract, they may accidentally hand out sensitive data that should only be internal.

Instead, create a centralized system so that every single request — whether it comes from a brand-new prospect or an existing client undergoing their annual vendor revalidation process — routes to a central location. This centralization gives the organization granular control over what leaves the building, and it establishes a tracking mechanism.

The personnel processing these requests should maintain a tracking system that records:

  • Exactly what was distributed (e.g., the AOC)
  • When it was distributed
  • Who specifically received the documentation

Maintaining this centralized tracking information can directly support multiple security and compliance standards. When your Assessor asks how you handle client compliance verification, you can share the tracking log as proof of your process.

Inbound inquiries will come to your organization from any number of channels:

  • Sales and marketing pipelines
  • Standard customer support lines
  • “Contact Us” web forms on your public site
  • Direct calls to account managers

Regardless of the entry path, establish one common method for everyone within the organization to submit these requests to the central team. If you have a robust ticketing system, set up an automated routing mechanism that flags the ticket and sends it exclusively to the central compliance handling function. If you don’t have a ticketing system, establish a dedicated corporate distribution list (e.g., [email protected]) so every employee knows exactly where to send an inquiry.

Consider an MNDA with Prospective Customers

For existing active clients, your standard master service agreements likely contain robust confidentiality clauses that cover security and compliance data sharing. For prospects, however, your organization should consider when to enforce a mutual non-disclosure agreement (MNDA).

As a general rule, standard high-level sales presentations and pre-approved marketing materials are fine to share openly. But the moment a prospect steps to the next phase — when they begin asking for security and compliance documentation — get an MNDA executed between both organizations before proceeding any further, to protect the organization.

Learn to Say No to Inappropriate Requests

Customers are going to ask for all sorts of internal security documents. It happens often. Your top priority is to protect your sensitive data, so get comfortable with respectfully telling people “No” when they request internal documents. 

You can formalize a pre-approved corporate statement for your team to use, worded something like this:

“We are happy to provide appropriate evidence to prove our security posture. However, the requested information is internal documentation proprietary to our organization and never shared with any third parties. To ensure we are protecting all of our customers — you included — we do not distribute our internal documentation externally. You are welcome to review our publicly available compliance assets (such as our AOC), and we would be happy to schedule a call with our security and compliance team to answer any technical follow-up questions you may have.”

Look at it from the perspective of being a good steward of security. If an organization asks a vendor for their raw, internal penetration testing documentation, and that vendor flippantly delivers it over email to anyone who asks, that is an absolute, blaring, flashing red flag. If a company won’t protect their own highly sensitive security data, they certainly won’t protect your corporate data. 

Drawing a hard line at the centralized level protects your network, and it proves to knowledgeable clients that you actually practice the security protocols you claim to follow.

TCT Portal Quick Tip: Don’t Sort-of Use TCT Portal

The largest challenge in security and compliance engagements is simply being able to manage the sheer number of things that you need to manage. Because you have a ton of different people, places, locations, and teams, you run into a real problem: there’s a crap load of compliance data flowing across a wide variety of communication channels. 

  • You have emails coming in. 
  • You see somebody at a meeting where they give you a piece of pertinent information. 
  • They send you a text message or chat to you on Teams. 
  • They dump evidence to you through email, or printing it out and putting it on your desk. 
  • They put it on SharePoint or on the file server — and usually in the wrong folder.
  • They leave you voicemails.

…And on and on. That’s the crux of the problem on a security and compliance engagement, and that’s why it’s so astronomically challenging to manage it successfully.

Use TCT Portal — For Everything

Your engagement may be complex, but the solution is simple. Use your compliance management software. That’s it. Use TCT Portal

Just because your company has a license to use TCT Portal, that doesn’t mean your people are faithfully using it as intended. Bottom line: one of the hugest lifesavers for a streamlined compliance engagement is to train your people to put your things into the portal — AND TO ENFORCE IT.

  • If you need confirmation that you’re pulling the right evidence, put it in the Portal and send it up for review.
  • If you have a question, enter it into the Portal.
  • If you have an additional explanation about evidence you’ve provided, put it in the Portal.
  • If you need to reference the vendor’s documentation for a particular item, put it in the Portal.

It sounds simple when saying it, but human nature always wants to take over. People want an answer right now, so they send a text message, or they see someone in the hallway and ask them a question. Any time that happens, you have to get in the habit of saying, “Thank you for explaining that. Please put it in the Portal.” You also need to be in the habit of ONLY processing items received through the Portal — which will reinforce the need for entry.

Greater Compliance Management Efficiencies

When you’re done with your engagement, you have a rock-solid artifact of exactly what happened: who did what, when they did it, and what they provided. That information is gold by the time you get to year two. You can use that prior information to guide your next compliance cycle and save even more time than before. Your training costs go down, and your speed of acquisition of control owner inputs go way up.

New team members have a template they can step into. They don’t need to ask questions or wait to talk to the compliance Consultant — they can go into TCT Portal and look at exactly what was done last year. 

Staging and setting up your future engagements is made easier because all the right people are already assigned to the right things that you worked out in the previous year you used the system.

Organizations that do this well are a lot happier with their compliance engagement than the ones that don’t. Companies that don’t use the Portal consistently express frustration about not being able to determine a status, wondering if so-and-so completed a task, or asking, “What did I give you last year?” 

Just use the system, because the system is up and running 24/7, and it’s available to everybody on the team. By doing so, you gain improvements in efficiency, you gain improvements in user satisfaction through the process, and you optimize your program more effectively.

What’s Going on in Security This Quarter?

Some of the top breaches in Q2 2026 include:

Carnival Corporation (April 2026)

A successful social-engineering attack, ending with a ransomware payload, affected nearly 6 million customers for this cruise ship business.

NYC Health + Hospitals (May 2026)

Roughly 1.8 million people were impacted by this breach. Most significant was the theft of traditional PII and biometric identifiers. Palm prints can’t be changed like passwords, so this could have massive implications for those affected by the breach.

Notable stories that hit the news:

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

A massive credential compromise campaign called FortiBleed has exposed valid administrator and VPN credentials for approximately 74,000 to 86,000 Fortinet FortiGate firewalls worldwide. According to CISA’s alert, this represents roughly half of all internet-facing Fortinet devices. 

Verified victims include major enterprises like Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, and Oracle, plus government entities and even a Turkish NATO defense contractor.

Canvas back online after major breach, but some California campuses locked amid ongoing threat

Canvas LMS, a learning management system, had a data breach and an outage. This breach included certain user data, such as names, emails, student ID numbers, and messages between users. ShinyHunters was the hacking group responsible for this. 

This hack is considered to be the biggest educational hack on record. Over 8,800 learning institutions were impacted in some form. 41% of US higher learning institutions use Canvas, and the attackers claim to have stolen 3.65 terabytes of data.

Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs

Critical Ubiquiti vulnerabilities are currently being targeted by attackers. If exploited, remote, unauthorized remote attacks could make changes to vulnerable UnifiOS devices. 

One vulnerability was a path traversal defect that would allow the attacker to access files on underlying UniFiOS and access underlying accounts. Another was an improper input validation allowing attackers to execute command injection attacks. Server OS version 5.0.8 was released with patches to those vulnerabilities. 

If you are not on this version and you own UniFi devices, you are exposed to these rated 10/10 vulnerabilities.

Security leaders say the next two years are going to be ‘insane’

Security leaders, in a sit-down meeting with Cyberscoop, have said that AI is finding security bugs faster than anyone can fix them. This is leading to exploit development speeding up, and the next two years are going to be “insane” for companies. 

If harnessed properly and prompted correctly, AI could also be used to fight/combat the exploitations, but it is being used faster and more effectively on the “dark side” of cybersecurity. This is widely becoming known as the inflection point for AI and traditional cyber security.

When the Machine Guesses: An AI Deleted a Database in 9 Seconds

An AI agent independently decided to delete an entire database at a small software company called PocketOS. The agent was running Cursor, an AI coding tool that uses Claude. The AI agent hit a snag when doing checks. But instead of stopping or raising an alert, it tried to fix the issue on its own. It then found an API token that was in an unrelated file. That token could destroy data. The agent called an older version of PocketOS, skipped a safety check, and deleted the live database, wiping everything in the production environment. The backups lived on that same volume, which meant the backups were out the window as well.

Perhaps unsurprisingly, there was no human in the loop.

Subscribe

Get industry insider expertise delivered to your inbox

Subscribe to the TCT blog

KEEP READING...

You may also like