A multitude of local, state, federal and international laws regulate how organizations handle sensitive data. Our professionals perform a wide range of risk assessments and audit readiness assessments to help clients identify compliance gaps and close them. Among the laws that we cover are:

• CMMC – The Cybersecurity Maturity Model Certification (CMMC) normalizes and standardizes cybersecurity preparedness across the federal government’s defense industrial base (DIB).
• FACTA – The Fair and Accurate Credit Transactions Act (FACTA) red flags rule requires financial institutions to demonstrate they have taken sufficient steps to protect consumers against identity theft.
• FERPA – The Family Educational Rights and Privacy Act (FERPA) aims to protect the privacy of student education records and prevent unauthorized access to them. FERPA applies mainly to educational institutions.
• FISMA – The Federal Information Security Management Act (FISMA) requires federal agencies to have a robust information protection plan in place. FISMA aims to help protect information held on federal information systems.
• GDPR – The General Data Protection Regulation (GDPR) applies to all organizations that collect and process data that belongs to European Union (EU) citizens. The regulation has specific requirements related to privacy, security, data control, and governance.
• GLBA – The Gramm-Leach Bliley Act (GLBA) is a U.S. federal regulation that requires financial institutions to ensure the confidentiality and integrity of the non-public personal information of their customers.

• HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) requires organizations dealing with Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) to protect that data, and to require its business associates such as vendors to also comply.
• Sarbanes Oxley – The Sarbanes Oxley Act of 2002 (SOX) has very specific stipulations and requirements related to information security and data governance that apply to all publicly held U.S. companies, international companies with SEC registered securities and to third-party firms that provide financial services to these companies such as CPAs.
• SEC Cybersecurity – The Office of Compliance Inspections and Examinations (OCIE) and the U.S. Securities and Exchange Commission (SEC) conduct cybersecurity examinations that apply to financial institutions including investment advisors, investments companies, broker-dealers, transfer agents, and private fund advisors. We evaluate preparedness levels for the actual examinations and help organizations reach compliance-ready levels.
• State Cybersecurity Regulations – All 50 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws pertaining to data breaches and cybersecurity. Certain entities that operate in the state of New York must comply with that state’s latest cybersecurity regulation.