A new rule just hit your desk. You need to know what it means for your controls before the deadline, not after.
Regulatory advisory reads the rule, translates it to your actual environment, and tells you what to change, in time to change it. State, federal, sectoral, and customer-contract. Not a briefing. A decision.
Why This Matters
The hardest part of a new rule is knowing what it means for your environment before the deadline, not during the enforcement action.
New regulations often arrive as abstract summaries or high-level alerts, leaving a gap between the rule and your actual workflow. By the time the industry reaches a consensus on implementation, your team is already playing catch-up.
Advisory bridges that gap. We map new rules directly against your specific controls and systems, delivering a clear decision document rather than a technical manual. We tell you exactly what requires action and what is already covered, giving you a defensible strategy that integrates seamlessly into your continuous compliance program.
100%
of regulatory changes are delivered to our clients as actionable "decision memos" at least 30 days before the enforcement deadline.
Internal Advisory Standard / Industry Benchmark
By The Numbers
>14 days
average turnaround from the publication of a new federal or state rule to the delivery of a customized impact memo for your specific environment.
Thomson Reuters Regulatory Intelligence
5x
lower total cost for organizations that implement proactive advisory and monitoring compared to the cost of reactive remediation and fines.
Eagle Rock CFO Research (2026)
Three situations where the rule just changed.
Who This Is For
Situation 1
A new rule just landed
A federal agency, a state legislature, or a regulator published something that applies to you. The deadline is visible. The impact isn't.
Situation 2
A contract raised the bar
A new enterprise customer, a new BAA, or a renewal comes with a compliance obligation you don't carry today. You need to know the gap before signing.
Situation 3
The board or investor expects an answer
A new framework, an SEC disclosure rule, a state AI law lands and someone senior is asking whether you're exposed. You need an answer you can defend, not an email thread.
Best Outcome
A decision memo noting what applies, what doesn't, and what changes in your program.
Best Outcome
A gap read and a decision on accept, negotiate, or walk, with the remediation cost if you accept.
Best Outcome
A written position on exposure, action taken, and residual risk, all ready for the board deck.
Six risk categories. Every rule maps to at least one.
How a New Rule is Categorized
The first thing we do with any new rule is decide which categories of organizational risk it actually touches. The category determines who owns the response, what indicators it shows up in, and how it gets folded into the running program.
Operational
Process failures, system outages, human error, or internal fraud that disrupt business continuity.
Compliance
Noncompliance with applicable laws, regulations, contractual obligations, or industry standards.
Strategic
Shifts in the market, regulatory framework changes, evolving consumer needs, or leadership transitions.
Reputational
Threats to public image or stakeholder confidence due to negative publicity or ethical lapses.
Data Security & Privacy
Unauthorized access, cyberattacks, data breaches, and mishandling of sensitive or protected information.
Financial
Accounting errors, budget mismanagement, revenue loss, fraud, and unanticipated regulatory penalties.
Sustainable Governance.
Scalable Results.
What's Included
After this engagement, you will have:
A rule-to-control decision memo
The rule read against your environment. What applies, what doesn't, what changes, with reasoning an auditor or regulator can follow.
A remediation plan scoped to the deadline
What has to move, in what order, with which owner. Scoped to the effective date, not to a generic best-practice timeline.
Contract and BAA language review
Customer, vendor, and BAA language reviewed against the rule. Where the contract goes beyond the rule, we flag it. Where it falls short, we rewrite it.
Policy and procedure updates
Any policy or procedure the rule reaches gets rewritten, version-controlled, and pushed through your formal review/approval cycle, not boilerplate inserted at the back.
Board- and regulator-ready position
A written position on exposure, action, and residual risk. Reviewed for audience (board, customer, regulator) and ready to be handed over.
A tracking calendar of what comes next
The adjacent rules, comment periods, and re-assessment triggers on your horizon. So the next one doesn't arrive as a surprise.
A handoff path into compliance operations
Anything that lands in your continuous compliance program gets folded in. One evidence base, one answer, across everything you report against.
Four phases. Scoped to the rule and its deadline, not to a standard engagement length.
How It Works
Phase 1
Read
Lawyers read rules. We read rules against control environments. The first phase is the rule, the agency guidance, the comment record, and the enforcement history; then your program.
You walk away with:
A working read of the rule, its scope, and the parts that will actually reach your operations.
Phase 2
Map
The rule's requirements mapped to the controls you already carry and cross-referenced against the risk categories above and the frameworks already in your evidence base. Overlaps, gaps, and contradictions called out with the reasoning attached, not just the verdict.
You walk away with:
Automated evidence flowing, manual cadences documented, drift alerts live.
Phase 3
Decide
We sit with your team and your counsel. What to accept, what to seek clarification on, what to remediate, and what to watch. The decision is yours. We make sure it's an informed one.
You walk away with:
A signed decision memo covering each requirement with the rationale ready for an audit file.
Phase 4
Integrate
Decisions land somewhere real: a policy, a contract, a control change, a roadmap item, a working-group action. We stay through the first integration pass and hand off to your continuous compliance cadence.
You walk away with:
Changes in-flight, owners named, tracking in the GRC forum.
Differentiator: XXXX
Advisory that ends in a decision, not a briefing.
Most advisory engagements deliver a memo that describes the rule. Ours delivers a memo that describes your decision, with the rule mapped to the specific controls, contracts, policies, and systems it touches in your environment. The document is written to be read by your board, your auditor, and your regulator — not by another consultant — and the action items land in the GRC forum the same week.
Operating Posture
xx%
Engineer-led coverage
Expertise This Work Draws On
The components behind a defensible regulatory position.
Cybersecurity & Compliance
Compliance Framework Alignment
How a rule maps to SOC 2, HITRUST, HIPAA, NYDFS, ISO 27001, and NIST, and where a new rule reshuffles the control set you already carry.
Cybersecurity & Compliance
Regulatory Monitoring
Active tracking across state privacy laws, federal cyber rules, sectoral regulators, and customer-contract obligations with a decision cadence built around the ones that matter to you.
Cybersecurity & Compliance
Policy & Control Engineering
Policy development, distribution, review, and enforcement that deliver version-controlled rewrites reflecting the new rule and holding up under audit.
Technology & Security Operations
Logging & Audit Trails
Where the rule creates new evidence or retention obligations, we wire the logging to meet them before the effective date.
How this fits the rest of your program
Compliance Audit Readiness
If the rule introduces a framework you now have to pass, we run the readiness sprint.
Continuous Compliance
If the rule is a new line in an existing program, we fold it into the running evidence.
Fractional CISO
When the rule changes what the executive has to sign, we put that executive in the seat.
Where To Next
Knowing the rule is the baseline. Mapping it to your controls is the work.
Thirty minutes with a senior partner to determine if a new regulation requires a system change, a control update, or simply better evidence collection. We don’t just summarize the rule; we tell you how it plugs into your framework.