Regulatory Preparedness, Response & Compliance

FTI Cybersecurity’s Regulatory Preparedness, Response & Compliance (RPRC) services are designed to ensure your organization stays up to date with its unique compliance requirements while maximizing return on investment and minimizing compliance risk.

Organizations may require independent security or privacy program assessments to evaluate compliance and maturity, particularly in light of new and evolving regulations, or when required under a settlement agreement or consent order. At FTI Consulting, we have extensive experience in global cybersecurity regulation from the requirement, supervisory, and testing perspectives. We serve as an independent assessor or monitor globally across a variety of environments and risk profiles, are the approved FTC independent assessor for a number of Fortune 500 companies, and are an FTC-mandated security and privacy program vendor. As expert security and privacy consultants, we provide organizations of all sizes with an independent, objective evaluation of the compliance state of their programs, identify vulnerabilities and gaps in security or privacy practices, and enhance their overall risk management posture.

Regulatory Requirements & Frameworks

Navigating the complex landscape of overlapping compliance and regulatory regimes for cybersecurity and privacy requirements can be challenging. FTI Cybersecurity experts include former regulatory leaders in the cybersecurity space and leverage a global network to help clients evaluate existing program policies and procedures and implement corresponding solutions to achieve compliance. We maintain relationships with key regulators and stay abreast of regulations that are reshaping the market, including:

  • Securities and Exchange Commission (SEC)
  • U.S. Department of Defense Cybersecurity Maturity Model Certification 2.0 (CMMC)
  • Defense Federal Acquisition Regulation Supplement (DFARS) Compliance Assessment
  • Federal Trade Commission (FTC) Consent Orders, Mandated FTC Assessments, and FTC Consent Decrees
  • Committee on Foreign Investment in the United States (CFIUS) Cybersecurity Services
  • The Digital Operational Resilience Act (DORA)
  • Network and Information Security (NIS) 2 Directive
  • The Cyber Resilience Act (CRA)
  • UK Financial Authorities CBEST and CQUEST programmes
  • EU Threat Intelligence Based Ethical Red Teaming (TIBER)
  • New York Department of Financial Services (NYDFS) Cybersecurity Requirements
  • Health Insurance Portability and Accountability Act (HIPAA) Cybersecurity Compliance
  • Children’s Online Privacy Protection Act (COPPA)
  • California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
  • Cyber Incident Reporting for Critical Infrastructure Act of 2022
  • Biometric Information Privacy Act (BIPA)
  • General Data Protection Regulation (GDPR)
  • Cybersecurity Assessment and Data Breach Response
  • The Digital Services Act (DSA)
  • The Digital Markets Act (DMA)

Regulatory and Compliance Reviews: When undergoing a regulatory review, or when addressing issues identified during an assessment, organizations should ensure their actions and strategies align with established industry standards, regulations, and frameworks. We help ensure your organization follows industry-standard best practices for cybersecurity and privacy by aligning your policies to widely adopted frameworks and mapping those frameworks to the specific regulatory requirements applicable to you, which gives a consistent model for cybersecurity review and enhancement.

Our team will review your organization’s controls against the most appropriate framework(s) and identify gaps or vulnerabilities, make recommendations for enhancements, and suggest strategies to improve efficiency and overall posture. Examples of the frameworks we use include:

  • National Institute of Standards and Technology (NIST) Cybersecurity
  • The Cyber Risk Institute “Profile”
  • Privacy and Artificial Intelligence Frameworks
  • ISO 27001/02 security management standards
  • ISO 27701/31700 privacy standards

Independent Assessorships & Monitorships

We have a proven track record of working with a wide range of regulatory and government agencies. Our deep understanding of regulatory requirements and strong relationships with governing entities, including those listed below, enable us to provide authoritative and insightful assessments while helping clients navigate complex regulatory landscapes.

  • U.S. Federal Trade Commission (FTC)
    • FTC independent auditor; FTC monitor services
  • U.S. Department of Justice
  • U.S. Federal Communications Commission
  • U.S. Securities and Exchange Commission
  • U.S. Federal Reserve
  • U.S. Department of Health and Human Services Office of Inspector General
  • Multi-State Enforcement Matters
  • New York State Banking Department (now the Department of Financial Services)
  • European Data Protection Board (EDPB)
  • European Union Agency for Cybersecurity
  • European Commission – Directorate General for Competition

Independent Assessorships: As an independent external assessor, we provide unbiased and objective evaluations of an organization’s security and privacy programs against regulatory requirements and industry-accepted standards. We currently serve as the independent assessor for numerous security and privacy program assessments in order to:

  • Assess the effectiveness of risk management capabilities
  • Identify vulnerabilities and areas for improvement
  • Verify compliance with regulatory consent orders, including FTC consent decrees
  • Examine the design sufficiency and operating effectiveness of administrative, technical, and physical controls
  • Aid organizations in meeting regulatory demands

Assessorship Support & Strategic Advisory: We understand that preparing your program for an external assessment, or navigating the evolving regulatory landscape, can be challenging and risky. We offer assessorship support services to assist with the strategic implementation of security and privacy programs, drawing on our deep industry knowledge and extensive experience.

We help organizations develop comprehensive strategies to:

  • Align with their unique goals and regulatory requirements
  • Ensure that privacy and security frameworks are robust, effective, and scalable
  • Design and implement controls
  • Conduct risk assessments
  • Provide continuous improvement recommendations
  • Proactively manage risks
  • Enhance operational efficiency
  • Achieve long-term compliance and security objectives

Compliance Services

FTI Cybersecurity experts leverage a global network to support clients by:

  • Identifying applicable laws, rules, regulations and regulatory guidance that must be complied with or understood
  • Decomposing and deconflicting multiple regulations to give a single, centralized view of the compliance requirements for your organization
  • Conducting regulatory gap assessments to identify the changes needed to achieve compliance
  • Assessing the data environment, security infrastructure, and existing cybersecurity and privacy policies, procedures, and processes
  • Designing a repeatable and scalable control framework and maintenance strategy in line with regulatory expectations and industry best practices
  • Conducting design and operating effectiveness testing across the cybersecurity and/or privacy control environment
  • Implementing recommended solutions to achieve compliance
  • Visualizing compliance status in intuitive dashboards across a range of regulations and/or geographies, depending on your unique footprint

Jordan Rae Kelly
Head of Cybersecurity, Americas
Washington, DC
jordan.kelly@fticonsulting.com

Peter Fischer
Head of Cybersecurity, Germany
Frankfurt
hpf@fticonsulting.com

Thomas Hutin
Head of Cybersecurity, France
Paris
thomas.hutin@fticonsulting.com

Eva Kwok
Head of Cybersecurity, Hong Kong
Hong Kong
eva.kwok@fticonsulting.com

Wouter Veugelen
Head of Cybersecurity, Australia
Sydney
wouter.veugelen@fticonsulting.com

Tracy Wilkison
Senior Managing Director
Los Angeles, CA
tracy.wilkison@fticonsulting.com

Ryan Smyth
Managing Director
Irvine, CA
ryan.smyth@fticonsulting.com