Compliance Reviews

What is a Compliance Review?

A compliance review is a way of proving you meet someone else's bar. A lot of the time, that bar belongs to another company you want to work with. For example, hospitals require vendors that handle patient data to show they meet HIPAA requirements, and plenty of larger businesses now ask vendors to show documented security controls before they'll sign a contract.

It matters for insurance as well, just not in the way most people assume. Most carriers won't outright refuse to insure you for lacking a specific certification, but they will ask detailed questions about your security controls on the application. If those answers don't hold up when a claim is investigated, that is often when the claim gets denied. A compliance review is how you make sure what you tell your insurer is actually true, documented, and something you can stand behind if you ever need to file a claim.

What a Compliance Review Covers

Cyber Insurance Preparation
Whether you're applying for coverage for the first time or renewing what you have, we look at what your insurer is actually asking for, assess where you currently stand, and document the controls you have in place. We also flag the gaps that could lead to a denied claim down the road. Most businesses that go through this either qualify for better rates or avoid coverage problems they never saw coming.

PCI DSS (If You Take Credit Cards)
If your business takes credit card payments over the phone, in person, or online, you have obligations under the Payment Card Industry Data Security Standard (PCI DSS) whether or not you carry cyber insurance. Most small businesses either don't know this applies to them or quietly ignore it. Which requirements apply, and which Self-Assessment Questionnaire you fill out, depends on how card data actually flows through your business: for example, whether customers are sent to a payment processor's hosted page, whether staff key cards into a terminal, or whether card data ever touches your own systems. We figure that out for your specific setup, walk you through the Self-Assessment Questionnaire, and help you complete it accurately. It's not as complicated as it sounds once someone explains which parts are relevant to you.

Incident Response Planning
If something goes wrong, the decisions you make in the first few hours matter a lot, regardless of whether anyone is asking to see your plan. A written incident response plan tells you exactly who to call, what to shut down, how to notify your customers, and what your legal obligations are. Insurance carriers often require one. Bigger clients sometimes ask for one. Even if nobody's asking, it's the kind of thing you want written down before you need it, not while you're in the middle of it. We write it specifically for your business, not from a generic template.

We have a page that goes into more depth on incident response planning; view it here.

Vendor Risk Review
Every software tool your business uses, like your scheduling platform, accounting software, and payment processor, has access to some of your data. Increasingly, your clients, your insurance carrier, and even potential buyers want to know you've thought about that. We review your key vendors, document what data they hold and how they protect it, and give you something you can actually hand over when someone asks.

Who is a compliance review a good fit for?

Businesses applying for or renewing cyber insurance. Anyone who takes credit card payments. Businesses whose clients are starting to ask security questions before signing contracts. Businesses considering a sale or looking for financing where security posture might come up. If any of those sound like you, it's probably worth a conversation.

Reach out to us