We can't guarantee you're defensible — but we can show you exactly where you're not, and give you a proactive defense that's in place before scrutiny, not reconstructed after.
The Defensible Governance Framework™ maps every governance and technical obligation to the executives who own them — then shows you where you're not defensible and why, and guides you to build a proactive defense in line with the regulator and court tests for "reasonable," in place before scrutiny, not reconstructed after. When something goes wrong, the law asks two questions: was your decision reasonable, and was the obligation actually met — and can you prove both? Cyber leans on the first. Privacy leans on the second. AI demands both. We're the only layer that produces both records — so we cover all three, and make sure you can see, satisfy, and prove every legal governance obligation.
Shows executives what they are legally accountable for, where governance obligations are unmet, and how to remediate — producing authenticated evidence of reasonable care and verified proof of implementation across cyber, privacy, and AI.
Built to work with your existing stack: Can integrate with ServiceNow, Drata, Vanta, OneTrust, etc. — transforming compliance data into review-ready evidence.
Built for any domain the law holds you to — digital governance today; physical, environmental, food, and drug safety next.
See your company's regulatory exposure, every executive's personal liability, and the lens a prosecutor would apply. CISOs and Technology Risk Officers also get a Personal Defensibility Review.
The Core Distinction
Compliance asks one question: did you follow the rule? When something goes wrong, regulators and courts ask two different ones — was your judgment reasonable, adequate, appropriate; and was the obligation actually met, and can you prove it? Those are the standards hidden inside the statutes, and no GRC or privacy tool operationalizes them.
We do. By analyzing the 100 most expensive fines and settlements, we reverse-engineered the legal tests regulators use to build cases and courts use to judge them — and built them in: the U.S. 8-question multi-factor test for "reasonable" care under a duty of care, Australia's APP 11 six-factor reasonableness test, and the EU's "adequate" / state-of-the-art (SOTA) standard. One assessment, every jurisdiction.
| Dimension | Compliance / GRC Tooling | Defensible Governance |
|---|---|---|
| Primary Buyer | Risk / IT / Compliance | GC / CPO / CRO / CEO / Board |
| Question Answered | "Did we comply?" | "Was our judgment reasonable — and was the obligation actually met?" |
| Evidence Created | Control activity logs | Decision rationale, alternatives, board approvals — plus verified proof each obligation was implemented |
| Outcome Optimized For | Certification | Liability reduction |
| Risk Type Addressed | Operational risk | Personal & corporate legal exposure |
We don't replace your compliance stack — we add the legal-defensibility layer it was never built to provide.
The Standard, in Plain Terms
"Reasonable," "adequate," and "proportionate" aren't vague — every jurisdiction uses different words, and they decode to the same operational chain. Most companies don't realize there are defined legal tests behind those words across jurisdictions, or that they're obligated to set the thresholds those tests turn on. We operationalized the tests, and built the Defensibility Gap Assessment to check you against them.
CDAR — the Calculated Definition of Acceptable Risk: the threshold the law requires you to set, and document, before any incident.
Most companies have a board-approved risk appetite — a measure of risk to the business. But the law often requires something different: a documented threshold for the foreseeable harm acceptable to impose on third parties — customers, partners, minors, the public. GDPR (Art. 25 / 32), the EU AI Act, and CCPA require you to define and document it; in many of the child psychological-welfare laws the threshold is fixed in the statute itself, and the duty is to detect, conform, and prove. Internal risk appetite doesn't satisfy any of these — and most companies don't know the obligation is separate.
Companies already spend heavily on GRC, Big Legal, and Big 4 assessments — yet still have no defense when things go wrong. Executives still can't answer three questions: What are we legally accountable for? Where are we exposed? What actions are required?
Executives are liable under laws that are never translated into their specific responsibilities. No existing Risk Management, GRC, or Privacy tool maps legal obligations to individual roles, or operationalizes the legal tests used by courts that bring the massive fines post-event.
Leadership cannot see where governance obligations are unmet until after a breach or investigation. By then, the damage is done.
Existing tools track compliance controls and tasks, but do not tell executives what actions they must take to satisfy duty-of-care requirements.
When scrutiny comes, companies cannot produce either record the law expects — proof the decision was reasonable, or proof the obligation was actually met. GRC logs activity; it cannot show judgment or verify implementation.
$21B+
in cyber, privacy & AI enforcement — addressed by Defensible Governance
$1.2B+
in fines tied to harm to minors — addressed by Minors Safety & Child Welfare
Five steps from obligation mapping to authenticated evidence.
Map legal obligations to executive roles: Board, CEO, CISO, GC, DPO.
Adaptive 72-question Defensibility Gap Assessment surfaces where obligations are unmet.
Evaluate alternatives, proportionality, and cost-benefit tradeoffs.
Approved DG Plan with remediation priorities and accountability.
Tamper-evident record of all decisions, approvals, and rationale — and the verified implementation evidence proving each obligation was actually met.
Performs the Defensibility Gap Assessment against the legal expectations of governance, and the output of all impact and risk assessments required by law. Shows where you're not meeting expectations, then performs a review of alternatives and cost-benefit analysis with a 3-year projected ROI of security spend β producing Board-Level Risk Exposure & Recommendations for review and approval.
Creates a Calculated Definition of Acceptable Risk to impose on customers, partners, and citizens. Formalizes risk tolerance, records alternatives, and connects decisions to Board approval workflows.
Time-sequenced, tamper-evident storage for risk assessments, decisions, and approvals. Packages review-ready artifacts for regulators, litigation, and insurance claims.
Tests your defensibility using regulator-style prompts: "Show evidence you considered safer alternatives." Generates exposure assessments and executive talking points.
Documents why decisions were made, what alternatives were considered, risk/harm balancing, and Board sign-off β turning ambiguous governance into legal-grade documentation.
Tracks role-specific obligations across jurisdictions, shows regulatory gaps requiring action, and displays personal liability posture for each C-Suite member.
How a prosecutor or regulator would read your posture β testing both whether your judgment was reasonable and whether each obligation was actually met and its implementation proven.
The Board-Level Risk Exposure & Recommendations report leadership reviews and approves β showing where obligations are met and implementation is verified, and where they are not.
Role-specific defensibility for every executive with personal liability exposure.
See your role's exposure for free β pre-release access open now.
From C-suite overview to role-specific drill-down — click any role to see active gaps, required actions, and exact close steps.
A clear view of each leader's personal exposure. The CISO who brings this to the table is seen as a partner advising the whole C-suite — not a cost center.
Executive Liability Dashboard — C-Suite Exposure by Role
Role Drill-Down — Active Gaps, Required Actions, Exact Close Steps
Sign up for free access.
If you carry the accountability, you should be able to see your exposure — and walk into your next leadership meeting as the executive who saw the regulatory picture before anyone else did. The free pre-release of our Defensibility Gap Assessment Tool gives you command of the corporate-exposure picture, every executive's personal exposure, and the lens regulators apply. We're opening pre-release access to a limited number of companies in exchange for feedback.
What's free during pre-release: the full assessment that surfaces your gaps and the directional view of remediation. What's paid: the actual remediation workflow — alternative safeguard review, CDAR threshold setting, the remediation plan, and the evidence record sealed in the Evidence Locker for the full governance lifecycle.
CISOs and TROs additionally receive a Personal Defensibility Review, built into the same free pre-release. A guided interview produces a Job Record capturing what you're responsible for, what you're explicitly NOT responsible for, where you have accountability, where you have authority, and where you have been given accountability without the authority to act on it. The Job Record is signed digitally by your VP of HR, supervisor, or CEO β whichever is appropriate. The review also produces a tailored personal plan: D&O policy naming, indemnification, supervisor sign-off, and the other protections worth putting in place now.
The Job Record persists in the platform during pre-release with full export to Word, PDF, or structured data with signature metadata at any time. You hold your data.
The record Tim Brown didn't have.
Tim Brown, the SolarWinds CISO personally named by the SEC, sits on our advisory board. Reviewing his case helped shape the Personal Defensibility Review. Educational — not a substitute for legal advice.
The same Defensibility Gap Assessment Tool, without the Personal Defensibility Review (the personal-scapegoating exposure pattern doesn't apply to these roles in the same way). You walk away with the company's top areas of corporate exposure, obligation by obligation; every executive's individual exposure side by side; and your own exposure through the same lens — the artifacts you take into your next board or executive-team conversation as the executive who brings the structured view the room needs.
Free to a limited number of companies in exchange for feedback. Every registered user receives a complimentary 30-minute briefing with the founder covering platform activation, a regulatory enforcement landscape briefing tailored to the user's industry and role, and access to a value calculator that produces budget-justification artifacts the user can take internally.
The compliance era is over. Enforcement now turns on governance judgment, not audit activity.
GDPR, EU AI Act, SEC Cyber Rules, NIS2, DORA, and 20+ state privacy laws now all require evidence of proportionate, reasonable decision-making — and proof the required measures were actually implemented, not just controls.
Uber CSO criminally convicted. SolarWinds CISO personally named. Drizly CEO personally bound for 10 years. D&O insurance now excludes "gross negligence." The shield has shattered.
Marriott's fine reduced 81%. Citi fined $536M. Same category of breach β different documentation. Contemporaneous evidence of judgment changes everything.
The standard has shifted.
From: "Did you comply?" — To: "Can you prove your leadership took reasonable care — and that the obligation was actually met?"
| Company | $ Amount | Primary Transgression | Governance Failure Characterization |
|---|---|---|---|
| | $5–$7.8B | Secret tracking in Incognito mode; unlawful data collection | Unreasonable practices; failure to safeguard users from foreseeable privacy harm; deceptive governance |
| Meta Platforms | $3.5–$4.1B+ | Illegal cross-border transfers; biometric collection; children's data misuse; transparency failures | Systemic governance failure; inadequate safeguards; unreasonable reliance on invalid transfer mechanisms |
| Amazon | $877M | GDPR violations in ad-tech and data processing | Failure to implement appropriate technical & organizational measures (Art. 25, 32 GDPR) = Requires defining and applying risk-based thresholds to demonstrate the standard of reasonable and appropriate care |
| Equifax | $700M | Failure to patch known vulnerability; massive consumer data breach | Negligence; failure to meet reasonable security standards; foreseeable harm ignored |
| Epic Games | $520M | COPPA violations; dark patterns tied to data use | Failure to protect children; unreasonable data and product governance |
| T-Mobile | $500M | Repeated breaches; inadequate access controls | Failure of reasonable security; governance breakdown despite prior warnings |
| Meta (Texas) | $1.4B (incl. above) | Facial recognition without consent | Per-se statutory negligence; failure to govern biometric risk |
| TikTok (EU) | $370M | Children's data mishandling | Failure to implement heightened safeguards for vulnerable populations |
| Citi (aggregate) | $536M | Data breach controls; internal risk governance failures | Failure to secure financial data; inadequate internal controls = governance failure |
| Uber (EU) | $324M | Unlawful international data transfers | Unreasonable safeguards; failure to assess transfer risk post-Schrems II |
| Home Depot | $200M+ | Payment card breach | Failure to segment networks and monitor foreseeable attack vectors |
| Capital One | $190M+ | Cloud misconfiguration; access control failure | Failure of reasonable cloud governance and risk assessment |
| Twitter / X | $150M | Misuse of security data for advertising | Deceptive governance; misuse of data entrusted for security purposes |
| Anthem | $115M | Healthcare data breach | Failure to safeguard sensitive health data; foreseeable harm |
| Oracle | $115M | Improper data collection and sale | Inadequate data governance; unreasonable secondary use of personal data |
| Zoom | $85M | Security failures ('Zoombombing') | Failure to design for reasonable security under foreseeable misuse |
| OPM | $63M | Federal employee data breach | Failure to meet baseline government security standards |
| Plaid | $58M | Excessive data collection beyond consumer consent | Unreasonable data minimization and access governance |
| Blackbaud | $49.5M | Ransomware + misrepresentation of risk | Failure to implement reasonable ransomware defenses; governance misstatements |
| Morgan Stanley | $35M | Unencrypted data disposal | Failure of basic data lifecycle governance |
$21B+ in enforcement penalties
In every case, governance failure was the common factor — the exposure Defensible Governance is built to address.
We reviewed the most expensive enforcement cases, looked at the legal tests different jurisdictions used, and operationalized that into one Universal Test — so coverage isn't a law-by-law list we chase. The engine runs the standard these regimes are built on; the jurisdictional specifics are added by configuration, not a roadmap wait — just as is any new regulation you want to cover.
GDPR · UK GDPR · EU AI Act · EU AI Act Art. 5 · DORA · NIS2 · DSA · DMA · Data Act · Data Governance Act (DGA)
SEC Cyber Rules · SOX · FTC GLBA · HIPAA · KOSA · COPPA · COPPA 2.0 · Federal Telecom Act · Executive Order 14117
CCPA/CPRA · CAADCA · VAADCA · NY SAFE for Kids · Florida DBOR · Texas SCOPE · Utah SOMA · Maryland AADC — with stronger deltas in CA, FL & NH — and 15+ more
PIPEDA · Quebec Law 25
Australia Privacy Act · APP 11 · UK Online Safety Act · Ireland OSMRA
The minors' laws above — CAADCA, NY SAFE, Utah SOMA, KOSA, COPPA 2.0, UK OSA, EU AI Act Art. 5 — sit inside these groups, and power the dedicated Minors Safety & Child Welfare application below.
Brazil (LGPD) · India (DPDP) · Singapore (PDPA) · South Korea (PIPA) · Japan (APPI) — and other reasonableness / adequacy regimes. Each is largely the same standard the Universal Test already operationalizes, with small jurisdictional deltas. Adding one is configuration, not engineering — load the regulation and it's covered, with no roadmap wait.
ISO 27001 / 27701 / 42001 / 31000, NIST AI RMF, CIS, CMMC, DoCRA — all mapped.
DPIAs, FRIAs, ARIAs, Cyber Risk, Vendor, Data Transfer, and Defensibility Gap Assessments — unified in one system, each linked to verified proof the obligation was met. When you don't already have a FRIA, AIRA, or LIA, the platform provides the template and captures the completed assessment as evidence.
Plus regulatory guidelines, executive orders, and imminent laws β available as optional best-practice views. Add or subtract anything by configuration.
Minors Safety & Child Welfare · Gaming · Social Media · EdTech
For twenty years, protecting minors online meant privacy — COPPA, California's child-privacy rules, GDPR Art. 8: who may collect a child's data, and with whose consent. That layer still applies. But a second, newer body of law has arrived that has nothing to do with data privacy: psychological-welfare laws that regulate the design of the software itself — and its effect on a child's mental health, sleep, attention, and behavior.
This is the layer nobody else governs: feed defaults, notification windows, curfew hours, dark patterns, algorithmic amplification, behavioral profiling, and manipulative AI aimed at vulnerable users. Vermont's duty-of-care code, NY SAFE for Kids, Utah's curfew law, the UK Online Safety Act, and EU AI Act Article 5 regulate these mechanics directly. We are the first governance platform to operationalize this category — Psychological Welfare & Harmful Design — as a discipline distinct from privacy and security.
20 child-related laws out of the box — plus two significant imminent laws, KOSA and COPPA 2.0, included as best-practice.
The first four describe what a platform must build. The fifth describes what it must be able to prove.
$1.2B+ in fines
Epic Games (Fortnite) $275M + $245M refunds · Instagram €405M · TikTok €345M, plus £12.7M in the UK · YouTube $170M · Genshin Impact $20M. The most sophisticated operators on the internet, with deep legal and compliance teams. The fines happened anyway.
The next wave isn't privacy — it's harm. The Roblox litigation (federal MDL No. 3166; state AG suits in Louisiana, Kentucky, Texas, and more) moved the theory from "did you handle children's data lawfully?" to "you knew the risk and failed to mitigate foreseeable harm." That is a duty-of-care standard — the same one Vermont, the UK OSA, and the EU are writing into statute.
Maps each obligation to the named accountable executive, by jurisdiction. Returns a binary DEFENSIBLE / NOT DEFENSIBLE posture per law. Enforces the Pre-Release Gate β the risk assessment must be completed and sealed before a feature or game ships, with the seal timestamp as the legal artifact; post-launch assessment carries no protection. Court Mode stress-tests your posture against FTC/KOSA, Ofcom, the EU AI Office, and the eSafety Commissioner.
KOSA and COPPA 2.0 aren't law yet — they're built in now as optional best-practice frameworks that flip to compliance mode the day either is enacted, with no rework.
A binary DEFENSIBLE / NOT DEFENSIBLE posture for each governance area and each applicable law — with the evidence required to close every gap.
The question has moved from "did you comply?" to "can you show your leadership weighed the foreseeable harm to a child before it reached them?"
Free to a limited number of companies in exchange for feedback.
Proactively documenting reasonable care is the opposite of negligence — and regulators treat it that way. When leadership can show it, fines are often substantially reduced; when they can't, enforcement is devastating even when charges are ultimately dismissed.
Fine reduced 81%
ICO initially proposed £99M. Reduced to £18.4M. Why? Marriott produced DPIAs, board minutes showing oversight, and alternatives-analysis documentation. Regulator acknowledged: "They took reasonable steps."
No provable rationale
$400M (2020) + $136M (2024). Regulators found a documentation gap — leadership could not produce evidence of why key risks were accepted, delayed, or sequenced. COO replaced. Trust eroded.
$46M+ even after dismissal
SEC dismissed all charges Nov 2025. But the cost: $26M settlement, $20M+ legal, CISO personally named, 400 engineers off roadmap for 6 months, renewals dropped from 98% to 80%.
11,000 emails reviewed. 7 identified a risk. Zero explained the rationale.
We don't have validated reduction-percentage amounts, because almost no company is aware of, let alone following, the due-care principles regulators and courts actually apply.
We know Marriott's proposed fine was cut by 81% because they could show reasonable, documented care before anything went wrong — and there are a few other cases that saw reductions.
The other side of the ledger is far larger — and unanimous. Across the biggest enforcement outcomes of recent years — more than 100 actions, the largest reaching into the billions — every one centered on a governance-judgment failure: unreasonable or inadequate measures, disregard for foreseeable harm, or missing documentation — not the breach alone. The 25 largest exceed $14 billion combined.
The consolidated governance record: risk assessments, cost-benefit analyses, board-level findings, and executive approval decisions — and the implementation-evidence record proving each committed obligation was actually met and verified — exportable to Word, ready for regulators.
"I've seen how executive decisions can come under intense scrutiny, even when they're made responsibly. Defensible Governance addresses a critical need: helping leaders show the reasonableness of their actions before they're judged in hindsight."
"Too many CISOs, boards, and executives still believe that compliance checkboxes and 'best effort' will shield them from liability. The reality is different. Prosecutors and regulators systematically reconstruct whether leadership met a reasonable duty of care. Defensible Governance™ is the framework that shifts the balance. This is no longer optional — it's necessary body armor for managing cyber legal risk."
Defensible Governance™ creates this evidence automatically, before scrutiny arrives.
The Defensibility OS
The regulations differ — and so do the legal tests behind them, each with its own thresholds, definitions, and jurisdictional nuance. What stays constant is the exposure: wherever the law can hold a leader or a company accountable, leadership eventually has to show it met its governance obligations, acted reasonably — and can prove it. Our mission is to make that proactive legal defense possible wherever executive and organizational liability exists — and we're building the operating system to produce it.
Today · Available now
Cyber, privacy, AI, and minors' safety β delivered through our first two applications, Defensible Governance and Minors Safety & Child Welfare.
Next · Same engine
The same legal-defensibility engine extends to physical, environmental, food, and drug safety — wherever foreseeable harm, reasonable care, and documentation-before-the-fact decide liability.
One operating system — built to turn reasonable, documented judgment into a defense you can prove, wherever the law holds leaders and their companies accountable.
Built by operators across cyber, legal, governance, and enterprise security.
Creator of Defensibility.ai and Defensible Governance™. 35 years in enterprise software, 25 years in startup GTM and sales, 22 years in cybersecurity. Seven cyber/risk startups with successful exits.
Privacy, security, and AI governance attorney. Validates legal logic, governance workflows, and defensibility requirements. CIPP/US, CIPM, Fellow of Information Privacy (FIP). Known as The Data Lawyer.
Enterprise security and AI/ML leader. Advises on the product architecture that operationalizes Defensible Governance at scale.
Every advisor is here because they lived the problem, helped build the solution, or validates that this is investable.
Former Global CSO/CISO, Honeywell
Championed this company before it had a name. Contributed the prosecutorial framework that became Court Mode. Customer of John's in 2010.
CISO, SolarWinds
Personally named by the SEC in the case that proved executive liability is real. The platform solves his specific problem. He knows it firsthand.
Former Global Head of Data Protection, Citi
Led the 300-person data protection team through both enforcement actions — resigned after the second. The platform was modeled after his case. Started skeptical. Saw the demo. Joined.
Sr. Director of Product Security
Twenty-four years of cybersecurity expertise. Holds six patents. Customer of John's in 2011.
Former CPO, Fannie Mae · Berkeley Law Professor
Privacy authority and Big Law attorney. Validates the legal logic and defensibility framework from the regulatory and academic side.
EU Partner · CIPP/E
EU AI Act regulatory committee contributor. Validates European regulatory coverage. Our commercial path to market across the EU.
Two kinds of law now govern minors — and almost everyone is watching only one. A newer body of psychological-welfare law regulates product design itself: feed defaults, curfew hours, dark patterns, and addictive engagement loops. Ten binding regimes, $1.2B+ in fines, and the shift from "did you comply?" to "can you show your leadership weighed the foreseeable harm to a child before it reached them?"
CISOs are treated like technical operators before a breach — and held accountable like executives after one. The survey data on personal liability, why GRC doesn't save you, and why a contemporaneous, sealed decision record — not better insurance — is what actually protects an executive under scrutiny.
A better operating model still doesn't create legal evidence. Why the threshold decision the law now requires — the Calculated Definition of Acceptable Risk — can't be improvised in a conference room, and needs infrastructure that applies the legal test and seals the rationale before the incident, not reconstructed after.
A Los Angeles jury found Meta and Google liable in a landmark social-media addiction case. The deeper signal isn't the damages — it's the shift from privacy compliance to design accountability, where the question becomes whether leadership can prove it identified foreseeable harms to minors, weighed safer alternatives, and documented proportionate decisions before the harm occurred.
Reserve Your Spot · Pre-Release
Free to a limited number of companies in exchange for feedback. Sign up and we'll schedule a 30-minute briefing with the founder covering platform activation, a regulatory enforcement landscape briefing tailored to your industry and role, and access to a value calculator that produces budget-justification artifacts you can take internally.
Schedule a conversation with our team.
Defensible Governance™ doesn't replace your GRC — it makes your GRC matter when your judgment is reviewed.
Your GRC platform shows controls exist. We help you show your decisions were reasonable. Between 2021 and 2026, 95% of organizations penalized with $21B+ in fines had active GRC programs. They passed audits but failed prosecution.
We sit above your existing GRC, transforming operational documentation into review-ready evidence of decision quality.
60 days to full operational deployment. Our platform is pre-configured with major frameworks. You start capturing defensible decisions immediately β not after months of configuration.
This is a C-Suite tool, not a departmental one. Executive sponsor is typically the CEO, GC, or CRO. Day-to-day administrators are Risk and Legal teams. Key users are all C-Suite officers with statutory obligations. Oversight: Board Risk Committee.
Most organizations see payback in 2 months. ROI comes from assessment efficiency (35–50% reduction), faster audit/verification cycles, and avoided penalties. A single avoided enforcement action can exceed the platform cost by 100–1000×.
No. We integrate with and enhance ServiceNow, Archer, LogicGate, OneTrust, TrustArc, and your existing security tools. We're the conductor that harmonizes them into a legally defensible record.
Compliance frameworks are necessary but not sufficient. Frameworks define what to do. Courts ask why you made specific decisions. We bridge that gap by documenting the reasoning behind your implementation choices.
DG becomes your primary defense. You immediately produce contemporaneous evidence of foreseeability, alternatives considered, proportionate safeguards, board-approved risk thresholds, and complete evidence chain. This is exactly what reduced Marriott's penalty by 81%.
Model the estimated financial impact of Defensible Governance on your organization's regulatory exposure.
All outputs are modeled estimates based on industry benchmarks and inputs you provide. Results are not guaranteed savings.
1.0 = 1 per yr · 0.5 = 1 every 2 yr · 0.33 = 1 every 3 yr · 1.5 = 3 every 2 yr
Enter total fines + legal costs from your most recent event. Overrides the industry benchmark per-event cost when populated.
Based on enforcement patterns in your industry, select which risk categories your organization faces.
Large financial services companies typically face enforcement involving 2–3 categories. In the Top 25 enforcement actions ($14B+), every case coded to at least two governance failure patterns.
If your organization has documented enforcement actions, enter the details below. This strengthens the exposure model with real data.