Regulatory analysis, written for practice owners.
Concise, cited, and scholarly-authoritative commentary on the frameworks that govern small regulated practices.
FTC Safeguards Rule: What Every Tax Preparer Must Now Document
The 2023 amendments to 16 CFR Part 314 turned every tax preparer into a financial institution. Here is what the Rule actually requires — and where small firms most often fall short.
HIPAA Risk Analysis Is Not a Risk Assessment. The Distinction Matters.
HHS-OCR settlements repeatedly cite the failure to conduct a §164.308(a)(1)(ii)(A) risk analysis. Practices that confuse it with a generic assessment routinely lose that argument.
The SEC’s 2024 Amendments to Regulation S-P: What Small Advisers Should Do First
The 2024 amendments modernized Reg S-P after twenty-four years. Small independent advisers face a compressed compliance runway.
Penetration Test vs. Vulnerability Scan: Why the Distinction Matters to Your Insurer
A vulnerability scan enumerates weaknesses. A penetration test demonstrates which ones an attacker could reach. Insurers are increasingly explicit about which they require.
Nonprofit Cybersecurity Is a Board Responsibility. Most Boards Do Not Know That Yet.
Volunteer boards routinely oversee organizations holding donor financial data, employee HR records, and constituent PHI — without a cybersecurity briefing on the agenda.
The NAIC Insurance Data Security Model Law: Where It Is Adopted, and What That Means
More than half of U.S. states have adopted a version of the Model Law. Independent producers should know exactly which regime governs them.
