If you're a covered institution, the same assessment doubles as an exam-readiness file. Every obligation is mapped to your control scores, so the gaps a generic maturity review scores as "fine" but that still leave you exposed in an examination are surfaced automatically: the artifacts, the clocks, and the content the rule names but the framework doesn't.
The 2024 Reg S-P amendments (a written incident-response program, the 30-day customer-notification clock, and service-provider oversight), read against your scores. For RIAs, broker-dealers, and registered funds.
The FTC Safeguards Rule (16 CFR Part 314) for non-bank financial institutions: the Qualified Individual, mandatory MFA and encryption, a testing cadence, and the FTC breach notice.
A vendor register that flags missing 72-hour breach clauses, a sensitive-data inventory, a risk register, an evidence file, the notification clock — and a draft WISP and incident-response plan.
Decision-support, not legal advice. Every mapping is verified against the rule text, and documents are prepared for your counsel's review. New to the rules? Read "Reg S-P in plain English" or "Does the FTC Safeguards Rule apply to me?"
The NIST Cybersecurity Framework is the engine underneath everything; Reg S-P and FTC Safeguards are the regulatory overlays that bolt on. Which one (if any) applies comes down to a single question — who regulates you?
A single- or multi-family office that wants a clear, honest cybersecurity picture and a plan — the maturity scorecard, roadmap, policies, and tabletops, with the discretion the family expects.
Registered investment advisers, broker-dealers, funds, and SEC-registered multi-family offices — the full program plus the Reg S-P exam-readiness file.
State-registered RIAs, exempt reporting advisers, and other non-bank financial institutions — the program plus the FTC Safeguards Rule built and kept current.
Every engagement opens with a coverage determination: whether Reg S-P, the FTC Safeguards Rule, or neither applies to you, and what that means for your program.
Start the conversation →