The interesting thing about cybersecurity is that there is no “generic compliance” standard mandating which cyber controls you must employ to protect data.  There are, however, many states with data privacy laws that include cybersecurity requirements, as well as other rules, such as the FTC Safeguards Rule, that do mandate specific controls for protecting data.

As of January 2022, the FTC does not conduct audits specifically for cyber compliance. However, the FTC does enforce regulations related to cybersecurity and data protection. It investigates and takes action against companies that fail to adequately protect consumer data or that engage in deceptive or unfair practices related to cybersecurity. So, while there may be no audit in the traditional sense, a company is still subject to FTC scrutiny if it is found to violate these regulations.

Additionally, the FTC accepts complaints and tips from the public, including from employees, customers and competitors, so an organization that is not properly protecting data can be reported by anyone who notices.  The penalties that follow can be substantial: fines for failing to comply with the FTC Safeguards Rule can run into the hundreds of thousands of dollars.

Most cybersecurity and privacy regulations are also designed with good cyber hygiene in mind.  So even though there will not be an audit, complying with them and running a comprehensive cybersecurity program is simply good business practice.