Big Tex, you closed May 2026 at 21%, up 0.6 from April, ranked 9 of 412 small businesses on the platform. The single biggest move you made was multi-factor authentication: you marked it Implemented on April 12, and that change alone took your Identify function from 24% to 27%. The rest of the score is roughly where it was at the end of April.
Three things to focus on in June. Backup verification is at 0.4 of 3.0; the backups exist but no one has restored from them in 90 days, and that is the single largest gap. Data-at-rest encryption is in progress; finishing the rollout would move Protect from 18% to roughly 25%. Endpoint detection at 1.6 needs the Cylance install to land. Everything else can wait until July.
Nothing material changed in your regulatory profile since April. The SEC adviser cyber attestation deadline remains December 31, 2026; you have eight months. State-AG bulletins in your jurisdiction recorded no new requirements for businesses your size.
One item to flag for July: NYDFS is in a 60-day comment period on a proposed update to Section 500.15 (data encryption). You are not registered with NYDFS, so the rule will not bind you, but several of your customers are. We will summarize the change in next month's report if it is adopted.
Multi-factor authentication moved from In Progress to Implemented on April 12, which is what carried this function. Asset inventory remains your strongest control at 2.9 of 3.0.
Your incident response plan moved from Not Implemented to In Progress this month. The plan is drafted; the next step is a tabletop exercise to test it.
Recovery planning moved up because you documented your backup retention policy. Backup verification itself remained at 0.4; testing the restore is the move that will carry June.