Compliance Frameworks

The rules you live under, and how we help you live under them well.

Every regulated business operates at the intersection of two or three frameworks at once — and the outcome our clients buy is singular: technology that answers to all of them, simultaneously, without a scramble before every exam. An RIA lives under SEC, FINRA, and state privacy. A medical practice under HIPAA, PCI (if they take cards), and state breach notification. A defense supplier under CMMC, NIST SP 800-171, and ITAR. Below: the twelve frameworks that shape most of the work we do, and how each one changes the way we build.

SEC · U.S. Securities & Exchange Commission

Investment adviser and broker-dealer oversight, built into the architecture.

The SEC holds registered investment advisers and broker-dealers to Regulation S-P (the Safeguards and Disposal Rules), Regulation S-ID (identity-theft red flags), the Marketing Rule, and Books & Records preservation requirements under Advisers Act Rule 204-2 and Exchange Act Rule 17a-4. The Division of Examinations publishes its priorities every year; cybersecurity and operational resilience have led the list for over a decade.

Our role is to translate those requirements into real controls: privileged-identity management, conditional access, WORM-compliant archiving of email / Teams / SMS, DLP tuned to PII and portfolio data, and evidence packages ready before an exam letter arrives.

What this looks like for you

Reg S-P and Reg S-ID controls implemented and evidenced · books-and-records archiving · mock exam walkthroughs with your CCO · quarterly independent audit against SEC examination priorities.

Governing body: sec.gov · Exam priorities: Division of Examinations

FINRA · Financial Industry Regulatory Authority

Broker-dealer supervision, evidenced end-to-end.

FINRA governs broker-dealers through rules that reach directly into technology: Rule 4511 on books and records, Rule 3110 on supervision, Rule 2210 on communications with the public, and Rule 4370 on business continuity plans. Off-channel communications enforcement — the texts and personal-device messaging that everyone does and nobody governs — has produced more than a billion dollars in fines in recent years.

We build the controls that make supervision possible: advisor devices under management, personal messaging either off-limits or captured to the archive, written supervisory procedures (WSPs) that match what the technology actually does, not what the compliance manual promises.

What this looks like for you

Off-channel communications capture (Smarsh / LeapXpert / Global Relay) · device management for registered persons · BCP-aligned backup and recovery · WSP-to-technology reconciliation.

Governing body: finra.org

HIPAA · Health Insurance Portability & Accountability Act

Protected health information, protected by design.

The HIPAA Security Rule (45 CFR 164.308–312) imposes administrative, physical, and technical safeguards on covered entities and business associates. The Privacy Rule and Breach Notification Rule round out the framework, and HITECH strengthened the enforcement teeth. Every recent OCR settlement has pointed to the same root cause: the Security Risk Analysis wasn't current, or the controls it referenced weren't actually in place.

We serve as the Security Officer under 164.308(a)(2), maintain a living Security Risk Analysis, and run the annual tabletop against the breach-notification clock — so when something does happen, your team already knows the steps.

What this looks like for you

Annual Security Risk Analysis with evidence linking controls to addressable specifications · BAA tracking and renewal · EHR environment hardening · ransomware-specific backup and restore testing · breach-notification tabletops.

Governing body: hhs.gov/hipaa · Enforcement: HHS Office for Civil Rights

SOC 2 · AICPA Trust Services Criteria

The report your enterprise clients ask for before they'll send you work.

SOC 2 is an attestation report issued by an independent CPA firm against the AICPA Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Type I reports on design of controls at a point in time; Type II reports on operating effectiveness over a period (typically six to twelve months). For any firm selling B2B services with client data, it's increasingly the price of admission.

We don't issue the report — that's the auditor's job. We build the environment and the evidence so that when the auditor arrives, the answers exist and are documented. And we stand with you through the engagement.

What this looks like for you

Readiness assessment against the Trust Services Criteria · control design and documentation · evidence collection automation · auditor liaison during Type I and Type II engagements.

Authority: AICPA & CIMA

GLBA · Gramm-Leach-Bliley Act · FTC Safeguards Rule

Financial data protection, for any firm that touches it.

The Gramm-Leach-Bliley Act, implemented through the FTC Safeguards Rule, reaches far beyond banks: tax preparers, mortgage brokers, auto dealers extending financing, and many accounting firms are all "financial institutions" under the rule. The 2023 amendments added concrete requirements — a qualified individual responsible for the program, risk assessments in writing, MFA, encryption, vendor oversight, and an incident response plan.

We serve as that qualified individual, or support yours. The program isn't paperwork — it's a running cycle of assessment, control, evidence, and response.

What this looks like for you

FTC Safeguards Rule program build · qualified-individual support · MFA and encryption enforcement · vendor risk management · incident response plan with annual tabletop.

NIST CSF · Cybersecurity Framework 2.0

The lingua franca of modern cybersecurity programs.

The NIST Cybersecurity Framework organizes a program around six functions: Govern, Identify, Protect, Detect, Respond, Recover. It's voluntary — and it's also the scaffolding most regulators, insurers, and enterprise buyers now expect to see behind any cybersecurity conversation. Version 2.0 (2024) added Govern as a top-level function, making board-level accountability explicit.

We use CSF as the organizing structure for every client program, regardless of which sector-specific rule sits above it. It's how we keep the whole picture coherent when four or five other frameworks also apply.

What this looks like for you

CSF 2.0 program design · gap assessment against current and target profiles · integration with sector-specific rules (SEC, HIPAA, CMMC, DFS 500) · annual program review with leadership.

CIS Controls · Center for Internet Security

The 18 controls that stop the attacks that actually happen.

The CIS Critical Security Controls (v8.1) are a prioritized set of 18 defensive actions drawn from real-world attack data. Implementation Group 1 is the essential hygiene every organization should meet. IG2 and IG3 scale up for higher-risk environments. Unlike most frameworks, CIS is specific enough to operationalize directly — inventory assets, manage accounts, protect data — and maps cleanly to NIST CSF, HIPAA, and others.

We use CIS as a tactical checklist on top of the broader framework — the place where "align with NIST CSF" gets turned into configurations and verifiable evidence.

What this looks like for you

IG1 / IG2 / IG3 implementation · asset inventory and management · secure configuration baselines · continuous vulnerability management · audit-log correlation.

Authority: cisecurity.org

NY DFS Part 500 · New York Department of Financial Services

The model law other states copied.

23 NYCRR Part 500 applies to any entity licensed by NYDFS — banks, insurers, producers, trust companies, mortgage servicers. The 2023 amendments raised the bar: a named CISO, annual certification signed by the board or senior officer, incident notification within 72 hours, MFA, encryption, annual penetration testing, tabletop exercises, and written incident response and business continuity plans. Connecticut, Massachusetts, and the NAIC model law followed with near-identical requirements.

We serve as the named CISO or support yours; the annual certification is signed with confidence because the evidence is continuous, not assembled the week before.

What this looks like for you

Named vCISO on the certification · annual risk assessment and written policies · MFA, encryption, pen testing, tabletop exercises · 72-hour incident-notification workflow.

PCI DSS · Payment Card Industry Data Security Standard

If you take cards, you're in scope.

PCI DSS v4.0.1 governs any organization that stores, processes, or transmits cardholder data. Merchant levels 1–4 dictate the assessment type (QSA or self-assessment), but the core expectation is the same: encrypted transmission, segmented cardholder environments, quarterly vulnerability scans, annual penetration testing, and continuous monitoring. v4.0 introduced the customized approach — flexibility for mature programs — and more prescriptive authentication and scripting requirements.

We help scope the cardholder environment (the single biggest cost-saver), reduce it where we can, and document the controls that remain. Often the best answer is to take your environment out of scope.

What this looks like for you

Scope definition and reduction · network segmentation · quarterly ASV scanning and annual pen testing · SAQ preparation · QSA liaison.

CMMC 2.0 · Cybersecurity Maturity Model Certification

If you touch a DoD contract, CMMC 2.0 is no longer optional.

CMMC 2.0 became final rule at the end of 2024 and is now being written into solicitations and subcontracts. Level 1 (17 practices, annual self-assessment) covers Federal Contract Information. Level 2 (110 practices from NIST SP 800-171 Rev 2, audited every three years by an accredited C3PAO) covers Controlled Unclassified Information. Level 3 adds NIST SP 800-172 enhancements and is assessed by DIBCAC.

Most subcontractors end up at Level 2. The single most important decision is scope: what's in the CMMC boundary and what isn't. We run that scoping, build the enclave (GCC High or equivalent), remediate the SPRS score honestly, and stand with you through the C3PAO engagement.

What this looks like for you

CMMC scope and boundary workshop · CUI enclave (GCC High) build · NIST SP 800-171 gap assessment and remediation · SPRS score management · C3PAO assessment support · annual affirmation.

Authority: dodcio.defense.gov/CMMC · Assessor accreditation: Cyber AB

GDPR · EU General Data Protection Regulation

If any of your data touches Europe, you're in it.

GDPR applies to any organization offering goods or services to individuals in the EU, or monitoring their behavior — regardless of where the company is based. Core obligations: lawful basis for processing, data subject rights (access, erasure, portability), 72-hour breach notification, Data Protection Impact Assessments for high-risk processing, and in many cases a Data Protection Officer. Fines reach up to 4% of global annual revenue.

For most of our clients, GDPR shows up in narrower ways: a European client, a European employee, a marketing tool with EU data subjects. We map the exposure honestly, build the Records of Processing, and put the data-subject workflow in place so the obligation is operational, not aspirational.

What this looks like for you

Data mapping and Records of Processing · lawful-basis documentation · data-subject request workflow · cross-border transfer mechanisms (SCCs, adequacy) · DPIA support for high-risk processing.

Authority: gdpr.eu · Regulators: European Data Protection Board

State Privacy Laws · Patchwork across 20+ U.S. states

Twenty states. Twenty variations on the same good idea.

California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), and a growing list of other states have enacted comprehensive consumer privacy laws. Thresholds, covered data, and consumer rights vary — but the common core is now clear: data inventory, consumer rights to access and delete, opt-out of targeted advertising, reasonable security, and breach notification on tight clocks (often 30–60 days, faster in several states).

We take a single-framework approach: build to the highest common denominator and document variances where a specific state goes further. It's cheaper than maintaining parallel programs, and it makes expansion into new states a documentation change, not an engineering one.

What this looks like for you

Unified state-privacy program · data inventory and mapping · consumer-rights request workflow · breach-notification playbook by state · vendor/processor contract review.

One framework or all twelve, we start the same way

A 20-minute conversation about the rules you live under.

Bring the framework that's on your mind. We'll walk you through what aligning well looks like in practice — and what your technology needs to do to get there. No pitch, no deck, one business-day response.

Start the conversation