For Executive Teams

Global regulatory resilience, evidenced.

One break-glass platform that produces the evidence regulators in every major jurisdiction ask for.

35 regulatory regimes mapped
10 regions covered
2+1 independent compute clouds (Fly.io planned)
0 service-held decryption keys

The problem

Executive teams at firms operating across multiple jurisdictions face overlapping and sometimes conflicting incident-handling, breach-notification, and operational-resilience obligations. Regulators no longer accept “we have a policy” — they expect concrete tooling, immutable evidence, and a demonstrable ability to recover. The gap is rarely intent; it is the absence of an auditable, multi-jurisdiction control surface that survives the failure of any single provider, region, or individual.

Mapped to your obligations

Each card pairs what the regulation requires with what Glassbreak supplies. Grouped by jurisdiction so a multi-region programme can see the full coverage at a glance.

EU (5 regimes)
DORA

Digital Operational Resilience Act

Required

In force Jan 2025. Documented ICT incident management, major-incident classification + reporting, recovery procedures, third-party ICT risk evidence, and structured lessons-learned for financial entities and their critical providers.

Glassbreak supplies

Tamper-evident incident timeline, role-based escalation playbooks, exportable post-incident reviews, and a per-credential audit trail. The artefacts a DORA reviewer asks for.

NIS2

NIS2 — Network and Information Security Directive

Required

Cybersecurity risk-management and incident-handling obligations on essential and important entities (Article 21), with staged incident reporting: an early warning within 24 hours, a notification within 72 hours, and a final report within one month. Business continuity, supply-chain security, and auditable incident handling are explicit themes; redundancy across providers is one way to evidence the continuity requirement, not a literal mandate.

Glassbreak supplies

State distributed across independent providers with no shared failure domains; every incident step captured for the competent authority. Outage of any one cloud or CDN does not interrupt break-glass recovery.

GDPR

GDPR — General Data Protection Regulation

Required

Articles 33 / 34: notify the supervisory authority within 72 hours of becoming aware of a breach; notify high-risk affected data subjects without undue delay. Auditable access trails for personal data; controller / processor split (Article 28); restrictions on international transfers (Chapter V), which in practice drive data-residency requirements.

Glassbreak supplies

Immutable access logs, explicit controller / processor model, and the EU-pure glassbreak.cloud vertical (no US compute, no US data transit) for customers with data-residency requirements.

EU CRA

Cyber Resilience Act — products with digital elements

Required

In force December 2024, with reporting obligations applying from September 2026 and full application from December 2027. Manufacturers must maintain a vulnerability handling process, deliver security updates, and send an early warning of actively exploited vulnerabilities within 24 hours via the ENISA single reporting platform. Customers ask for CRA evidence from their suppliers in turn.

Glassbreak supplies

Per-secret audit history and incident timeline as evidence of a defined handling lifecycle, plus the same disclosure-workspace tooling needed when an upstream supplier triggers the 24h clock.

EU AI Act

EU AI Act — high-risk system obligations

Required

Providers of high-risk AI systems must build in logging of operation, human oversight, and documented risk management. Deployers of such systems, including financial and public-sector bodies, carry their own duties to keep the logs, monitor operation, and assign human oversight.

Glassbreak supplies

Glassbreak holds no customer encrypted content for AI training (contractually). Audit logs of every operator action — including any AI-assisted approval — are immutable and exportable.

UK (3 regimes)
FCA / PRA OR

FCA / PRA / Bank of England — Operational Resilience

Required

PS21/3 + SS1/21 (in force March 2022, full impact tolerance compliance from March 2025). Identify Important Business Services, set impact tolerances, evidence ability to remain within tolerance during disruption. Critical Third Parties (CTPs) regulated from 2025.

Glassbreak supplies

Multi-cloud, no-single-failure-domain architecture maps to tolerance evidence. Per-incident timelines and recovery records are the artefacts the FCA / PRA asks for during a Lessons-Learned Exercise.

UK GDPR / DPA 2018

UK GDPR + Data Protection Act 2018

Required

Parallel obligations to EU GDPR: 72-hour breach notification to the ICO, controller/processor split, data subject rights. UK Representative for non-UK controllers.

Glassbreak supplies

Same audit trail + controller/processor model as EU GDPR; UK Representative contact published in the Privacy Policy.

UK NIS

UK Network and Information Systems Regulations

Required

Operators of essential services and relevant digital service providers must take appropriate cyber security measures and notify the competent authority of significant incidents.

Glassbreak supplies

Multi-cloud redundancy, incident timeline, escalation workflow, exportable evidence. The same artefacts that satisfy NIS2 in the EU.

US (5 regimes)
SEC 8-K 1.05

SEC Cybersecurity Disclosure — Form 8-K Item 1.05

Required

Public companies must disclose material cybersecurity incidents within four business days of determining materiality. The friction is reconstructing an accurate, defensible timeline under pressure.

Glassbreak supplies

A real-time timeline: detection, escalation, approvals, access grants/revokes, systems touched. The "what actually happened?" question is answered when the disclosure window opens.

HIPAA

HIPAA Security Rule

Required

45 CFR Part 164 Subpart C — emergency access procedures (164.312(a)(2)(ii)) and audit controls (164.312(b)) for entities handling protected health information.

Glassbreak supplies

Defined break-glass procedure with quorum approvals, immutable access logs, per-actor accountability. BAA available on Premium; the same tooling that runs your IR covers Security Rule obligations.

NYDFS 500

NYDFS Cybersecurity Regulation — 23 NYCRR 500

Required

Second Amendment adopted Nov 2023, with compliance dates phased in through Nov 2025. Annual compliance certification signed by the CISO and the highest-ranking executive, notification of cybersecurity incidents to the DFS within 72h, notification of extortion payments within 24h, MFA, access controls, asset inventory, BCP/DR plan.

Glassbreak supplies

MFA enforcement, immutable access logs, BCP/DR via multi-cloud, and the disclosure workspace for the 72h notice. CISO certification evidence is exportable from the audit trail.

CCPA / SHIELD / state

State Breach Notification Laws (CCPA / CPRA / SHIELD / others)

Required

CCPA / CPRA and the California breach statute, NY SHIELD Act, Texas TDPSA and breach statute, Virginia VCDPA, and equivalents in every other state impose their own thresholds, timelines, and content requirements.

Glassbreak supplies

A coordinated disclosure workspace: contact lists by jurisdiction, message templates, delivery log. Notifications go on time, to the right authorities and individuals, with a record of what was sent.

FFIEC IS / BC

FFIEC Information Security + Business Continuity Booklets

Required

Federal banking regulators (OCC, Fed, FDIC, NCUA) expect documented IS programs, BCP, third-party risk, and incident response. FFIEC IT Examination Handbook is the de facto exam playbook.

Glassbreak supplies

Multi-cloud BCP, third-party-risk evidence on Glassbreak itself, incident timelines, and access controls all map to specific booklet expectations.

Canada (2 regimes)
OSFI B-13

OSFI Guideline B-13 — Technology and Cyber Risk Management

Required

Effective Jan 2024 for federally regulated financial institutions. Sets expectations on governance, technology operations, cyber security, third-party technology risk, and resilience.

Glassbreak supplies

Audit-grade tech-and-cyber evidence at the level of detail B-13 supervision asks for; multi-cloud topology answers the resilience expectations directly.

PIPEDA

PIPEDA / Provincial Privacy Acts

Required

Federal Personal Information Protection and Electronic Documents Act. Notify the Privacy Commissioner of Canada and affected individuals of a breach of security safeguards involving real risk of significant harm.

Glassbreak supplies

Same immutable access trail as GDPR; coordinated breach notification workspace covers OPC and individual notifications.

APAC (5 regimes)
MAS TRM

MAS TRM Guidelines + Notice on Technology Risk Management (Singapore)

Required

Documented incident reporting and recovery procedures for financial institutions; the Notice on Technology Risk Management requires notifying the Monetary Authority of Singapore of a relevant incident within one hour of discovery, followed by a root-cause and impact report.

Glassbreak supplies

Timeline, escalation, and recovery workflows produce the artefacts MAS reviewers look for; multi-cloud topology addresses resilience and concentration-risk expectations.

HKMA OR-2

HKMA — Operational Resilience Framework (Hong Kong)

Required

Module OR-2 (issued May 2022). Authorized Institutions must identify critical operations, set tolerances, and demonstrate ability to remain within tolerance through disruption.

Glassbreak supplies

Multi-cloud architecture + per-incident recovery records support the impact-tolerance demonstration the HKMA expects.

Japan FSA

Japan FSA Cybersecurity Guidelines for Financial Institutions

Required

Governance + risk management + incident reporting requirements on banks, insurers, and securities firms; alignment with the JFSA Cybersecurity Self-Assessment.

Glassbreak supplies

Self-assessment evidence: documented procedures, audit logs, and quarterly resilience tests reflected in the platform itself.

RBI Cyber / IT MD

RBI Cyber Security Framework + Master Direction on IT Governance, Risk, Controls

Required

Reserve Bank of India expects regulated entities to maintain a cyber security policy, IT governance, incident reporting to the RBI within hours of detection (and to CERT-In / CSIRT-Fin), and BCP testing.

Glassbreak supplies

Reportable timelines, BCP evidence, and access control logs aligned with the RBI Master Direction expectations.

K-ISMS

South Korea — K-ISMS / Financial Security Standards

Required

Korean Information Security Management System certification + Financial Services Commission supervision on tech risk and incident reporting.

Glassbreak supplies

Control evidence at the operational level K-ISMS auditors expect; supports the standalone disclosure obligations to the FSC.

Australia / NZ (3 regimes)
CPS 230 / NDB

APRA CPS 230 + Privacy Act 1988 (NDB)

Required

CPS 230 (Operational Risk Management, eff. July 2025): identify critical operations, set tolerance levels, maintain BCPs, manage material service providers. NDB scheme: prompt notification to the OAIC and affected individuals.

Glassbreak supplies

Continuity tooling, supplier-risk evidence, and incident management workflows CPS 230 expects — plus a clean audit trail for any NDB assessment.

CPS 234

APRA CPS 234 — Information Security

Required

Maintain information security capability commensurate with the size and extent of threats; notify APRA of material incidents within 72h.

Glassbreak supplies

Multi-cloud + zero-knowledge + audit-grade logs satisfy the "commensurate capability" and 72h-notification operational needs.

RBNZ Cyber

RBNZ — Guidance on Cyber Resilience (New Zealand)

Required

Reserve Bank of New Zealand expects supervised entities to maintain cyber resilience, governance, and incident reporting; aligned with Australian APRA standards in many respects.

Glassbreak supplies

Same evidence that satisfies CPS 230 / CPS 234 satisfies the RBNZ guidance in practice.

Crown Dependencies / Offshore Finance (5 regimes)
GFSC OR

Gibraltar Financial Services Commission — Operational Resilience

Required

GFSC has aligned its operational-resilience expectations with the UK FCA / PRA model. Authorised firms must identify Important Business Services, set tolerances, evidence continuity, and report material incidents.

Glassbreak supplies

Same evidence stack as FCA / PRA OR; lighter-weight self-attestation flow for smaller firms with proportionate Glassbreak deployments.

JFSC

Jersey Financial Services Commission — Code of Practice for Outsourcing + Cyber Security Guidance

Required

Outsourcing Code of Practice + Cyber Security Guidance: due-diligence on critical service providers, business continuity, incident reporting to the Commission.

Glassbreak supplies

Glassbreak's sub-processor list + DPA + audit trail address the outsourcing-provider due-diligence package directly.

IOM FSA

Isle of Man Financial Services Authority — Cyber + Operational Resilience

Required

IOMFSA aligns with the UK PRA's operational resilience approach; supervised entities must demonstrate tolerance for disruption and incident reporting.

Glassbreak supplies

Multi-cloud + immutable timeline + recovery records map directly to the IOM FSA examination model.

BMA Cyber Code

Bermuda Monetary Authority — Cyber Risk Management Code of Conduct

Required

Regulated insurers, banks, and digital asset businesses must maintain a cyber risk management framework, governance, and reporting of material cyber events.

Glassbreak supplies

Cyber-risk evidence package: access controls, incident response workflows, and continuity proofs aligned with BMA expectations.

CIMA Cybersecurity

Cayman CIMA — Statement of Guidance on Cybersecurity

Required

Cayman Islands Monetary Authority expects regulated entities to maintain a cybersecurity policy, governance, BCP / DR, and incident reporting framework.

Glassbreak supplies

Policy-aligned controls and an evidence trail that maps to the Statement of Guidance; multi-cloud satisfies the BCP / DR expectations.

Middle East (2 regimes)
UAE CB / DFSA

UAE Central Bank — Cybersecurity Framework + DFSA Cyber Rules

Required

UAE Central Bank Cybersecurity Framework + Dubai Financial Services Authority Cyber Risk rulebook: governance, incident management, supplier risk, and material incident notification.

Glassbreak supplies

Evidence stack covers governance, supplier risk (Glassbreak as the supplier), incident response, and the notification workspace.

SAMA CSF

SAMA Cyber Security Framework (Saudi Arabia)

Required

Saudi Central Bank framework for cyber security risk management in regulated entities. Covers governance, identification, protection, detection, response, recovery.

Glassbreak supplies

Direct mapping into the SAMA CSF domains; protection + detection + recovery artefacts produced by the platform feed straight into SAMA reporting.

Latin America (2 regimes)
BACEN 4658

CMN Resolution 4,893/2021 (replacing 4,658/2018) — Brazil cyber and cloud-outsourcing rules for FIs

Required

Brazilian Central Bank requires regulated FIs to maintain a cyber security policy, incident management, supplier-risk governance, and reporting of material incidents.

Glassbreak supplies

Same control evidence model that satisfies DORA / FFIEC adapts to BACEN expectations; multi-cloud topology satisfies the supplier-concentration concerns.

LGPD

LGPD (Brazil) + similar LATAM privacy frameworks

Required

Lei Geral de Proteção de Dados: data-subject rights, controller/operator split, ANPD notification of incidents that may cause relevant risk or damage.

Glassbreak supplies

Same controller/processor architecture + audit trail + breach notification workspace as GDPR. ANPD-specific message template available.

Global (3 regimes)
ISO 27001 / SOC 2

ISO/IEC 27001:2022 + SOC 2 Trust Services Criteria

Required

Access control (A.5.15 / A.5.16 / A.5.18), cryptography (A.8.24), logging (A.8.15), and incident management (A.5.24–A.5.28) control families. SOC 2 CC6, CC7, A1.

Glassbreak supplies

Designed to align with these control families. Glassbreak is not itself ISO 27001 or SOC 2 certified today; the platform produces clean evidence for the controls in YOUR report.

NIST CSF 2.0

NIST Cybersecurity Framework 2.0

Required

Published 2024. Adds Govern function to Identify / Protect / Detect / Respond / Recover. Used as a de-facto target architecture by regulators worldwide.

Glassbreak supplies

Maps directly to Govern (audit log of policy-level events), Protect (access control + encryption), Detect / Respond (incident timeline), Recover (multi-cloud BCP).

PCI DSS 4.0

PCI DSS 4.0

Required

Cardholder data environment must enforce access controls, audit logging, vulnerability management, and breach response. v4.0 future-dated requirements effective March 2025.

Glassbreak supplies

Glassbreak does not store cardholder data, but the access control + audit logs satisfy the related Requirement 7, 8, and 10 controls for in-scope operators.

What leadership teams actually get

Not a policy doc — a working platform that produces the artefacts.

One control surface

The same access, approval, and audit primitives satisfy DORA, NIS2, GDPR, SEC 1.05, HIPAA, APRA, MAS, and ISO / SOC 2 evidence requests.

Provable redundancy

Independent verticals on AWS (us-east-1) and Scaleway (fr-par), with Fly.io planned. No shared failure domains for DNS, CDN, or database.

Data residency by domain

Route EU-resident customers through the EU-pure glassbreak.cloud vertical when regulators or contracts require it. End-to-end EU stack.

Disclosure-ready timelines

Every action logged with cryptographic integrity, exportable for the board, auditors, or supervisory authorities. No reconstruction under pressure.
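What "logged with cryptographic integrity" and "tamper-evident timeline" mean in practice is a hash chain: each record commits to the MAC of the record before it, so editing or deleting an event breaks every later link. The block below is an added illustration written for this page, not Glassbreak's code; the record fields, the customer-held MAC key, and the practice of publishing the chain head to a second provider are assumptions. It also shows the caveat a reviewer will raise: a chain alone does not detect truncation of the newest records, which is why the latest MAC has to be anchored somewhere the log writer cannot rewrite.

```python
# Added illustration of a hash-chained (tamper-evident) audit log.
# Not Glassbreak's code; fields, key handling and the out-of-band head
# anchor are assumptions made for the example.
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64            # chain anchor for the first record
Record = Dict[str, object]


def _canonical(body: Record) -> bytes:
    # Stable serialisation so the same record always MACs to the same value.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: Record) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(log: List[Record], key: bytes, ts: str, actor: str,
                  action: str, target: str) -> Record:
    """Append one timeline event; each record commits to the previous MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body: Record = {"seq": len(log), "ts": ts, "actor": actor,
                    "action": action, "target": target, "prev": prev}
    body["mac"] = _mac(key, body)
    log.append(body)
    return body


def chain_head(log: List[Record]) -> str:
    """The latest MAC. Publish it out-of-band (e.g. to a second cloud) so
    that silently dropping the newest records is detectable."""
    return str(log[-1]["mac"]) if log else GENESIS


def verify_chain(log: List[Record], key: bytes,
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first inconsistent record, or None if intact.
    With expected_head given, a truncated log is reported at position len(log)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return i                                   # gap, reorder or deletion
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), str(rec.get("mac", ""))):
            return i                                   # content edited
        prev = str(rec["mac"])
    if expected_head is not None and prev != expected_head:
        return len(log)                                # trailing records removed
    return None


def build_sample_timeline(key: bytes) -> List[Record]:
    """Constructed break-glass timeline (sample data, not a real incident)."""
    events = [
        ("2025-03-01T09:00:00Z", "siem",   "detected",  "db-prod-eu"),
        ("2025-03-01T09:02:10Z", "alice",  "escalated", "sev1-bridge"),
        ("2025-03-01T09:05:30Z", "bob",    "approved",  "break-glass/db-prod-eu"),
        ("2025-03-01T09:05:45Z", "carol",  "approved",  "break-glass/db-prod-eu"),
        ("2025-03-01T09:06:00Z", "system", "granted",   "alice@db-prod-eu"),
        ("2025-03-01T10:40:00Z", "system", "revoked",   "alice@db-prod-eu"),
    ]
    log: List[Record] = []
    for ts, actor, action, target in events:
        append_record(log, key, ts, actor, action, target)
    return log


def demo() -> Dict[str, Optional[int]]:
    """Run the three tampering cases and report where verification fails."""
    key = b"example-log-mac-key"   # assumption: held by the customer, not the service
    log = build_sample_timeline(key)
    head = chain_head(log)

    edited = copy.deepcopy(log)       # attacker rewrites who gave the second approval
    edited[3]["actor"] = "mallory"

    deleted = copy.deepcopy(log)      # attacker removes the escalation step
    del deleted[1]

    truncated = copy.deepcopy(log)    # attacker drops the trailing revoke
    truncated.pop()

    return {
        "intact": verify_chain(log, key, head),
        "edited": verify_chain(edited, key, head),
        "deleted": verify_chain(deleted, key, head),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, head),
    }


if __name__ == "__main__":
    print(demo())
```

The edit is caught at record 3 and the deletion at record 1 (the sequence number and previous-MAC link no longer match). Truncation passes without the anchor and is only reported once the verifier compares against the published head; an export handed to an auditor should therefore carry that head alongside the records.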

Zero-knowledge by design

Glassbreak cannot decrypt your content: AES-256 for data, wrapped with an RSA-4096 + Kyber1024 hybrid, all on-device. That narrows supplier-risk and lawful-access questions to the customer's own key custody, so key backup and recovery must be part of the break-glass plan rather than an afterthought.

No vendor lock to one cloud

Each vertical owns its own database. A provider outage, a sovereignty change, or a billing dispute does not strand your incident response.

Start mapping your obligations

Free tier supports one team and up to five members — enough to evaluate the audit trail, escalation flow, and the cross-jurisdiction disclosure workspace before talking to your compliance team.

Glassbreak does not provide legal advice. The mapping above describes the technical and operational artefacts the platform can produce; customers should consult qualified counsel and their compliance functions to confirm how those artefacts apply to their specific regulatory regime and circumstances.

