Hacker News
by gravescale 726 days ago
They're not pointless if you're in the Guild of Box Ticking Consultancies, and guess who gets to say what the boxes are?
1 comments

That’s the thing. There’s a ton of grifters and/or idiots in the compliance space. If you talk to an actual lawyer that specializes in SOX litigation, or similar, you’ll find that many of the measures your compliance or fake-infosec people are telling you that you have to do aren’t actually required by any law or regulation.