Management Team

Carl Cadregari
Carl Cadregari | CISA, CCSFP, CTPRP
Executive Vice President


Carl is an Executive Vice President in the FoxPointe Solutions/Information Risk Management Division of The Bonadio Group.


  • IT Audit
  • Cybersecurity
  • Controls deployment
  • BCP / DR auditing and planning
  • Cybersecurity by design
  • Overall controls governance

What do you focus on?

I have expertise in the areas of Data Privacy and Cybersecurity Controls, Physical, Administrative, and Technical Security, Enterprise Risk Management, Vendor Management, and Disaster Recovery Planning, having worked with companies across almost all vertical markets ranging in size from small businesses to multi-regional and multi-national organizations with thousands of employees.

Expertise in Data Privacy and Security Regulations and Frameworks:
  • HITRUST Common Security Framework
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • NIST Cybersecurity Framework and NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • Federal Financial Institutions Examination Council (FFIEC)
  • Federal Deposit Insurance Corporation (FDIC)
  • Office of the Comptroller of the Currency (OCC)
  • Meaningful Use
  • Federal Trade Commission (FTC) Red Flag Rule
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Information Security Modernization Act (FISMA)
  • NY 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies
  • State, Federal, and international data privacy and security laws
  • Committee of Sponsoring Organizations (COSO)
  • Control Objectives for Information and Related Technologies (COBIT)
  • Sarbanes-Oxley Act (SOX)
  • Statement on Standards for Attestation Engagements (SSAE 16/18)

Relevant Training

  • Information Systems Auditor
  • HITRUST Common Security Framework
  • Third Party Risk Management


Publications

  • Multiple articles regarding effective vendor management controls, cloud computing security, data breach avoidance, ransomware, and HIPAA compliance
  • ISACA Journal: “Every Silver Cloud has a Grey Lining”
  • NCUA ACET: New Tool, More Cybersecurity Measurement on Your Resiliency
  • “2016: The Year my Data went WHERE?”
  • NYS Bar Association Health Law Journal: “Ransomware Concerns and Risk Mitigation”
  • “2019: The Year to Get Out of Cybersecurity Ostrich Mode”
  • 2019 Buffalo First Article on Cybersecurity Risk

Recent Presentations

I present quite often on a number of topics surrounding Regulatory Compliance and Risk Management, ERM, Cybersecurity Controls, Information Security, Controls Testing and other Data Privacy and Security topics. I’ve presented on:
  • Advanced Persistent Threats (APT) and Ransomware
  • Cybersecurity Testing – What is a Penetration test vs Vulnerability Assessment
  • GLBA Compliance and Risk Management as Part of the Safeguards Rule
  • Cybersecurity Awareness for Tax Exempt organizations
  • Effective Cybersecurity in a Ransomware World
  • HIPAA/HITECH Security Rule Training
  • Computer Security Incident Management Plan Development and Implementation
  • OCR HIPAA Audits and Expectations


Certifications

  • Certified Information Systems Auditor (CISA)
  • HITRUST Certified CSF Practitioner (CCSFP)
  • Certified Third Party Risk Professional (CTPRP)
  • Certified HITRUST Quality Professional (CHQP)


Professional Affiliations

  • Information Systems Audit and Control Association (ISACA)
  • Healthcare Information and Management Systems Society (HIMSS)
  • Healthcare Financial Management Association (HFMA)
  • DRI International (DRI)
  • SysAdmin, Audit, Network, and Security Institute (SANS)
  • Healthcare Information Technology Standards Panel of the American National Standards Institute (ANSI)
  • Interim Chair of the Moore Stephens NA Technology Consulting Community Group