§ 01 Services

What we do, in order.

Tier 1 produces the signed written risk analysis or Written Information Security Plan (WISP) your carrier and your attorney want to see — satisfying HIPAA Security Rule § 164.308(a)(1)(ii)(A) for healthcare, ABA Rule 1.6(c) for law firms, or FTC Safeguards Rule § 314.3 for CPA and tax practices. It supports cyber-liability applications and identifies remediation priorities your broker can underwrite against. Tier 2 closes the gaps. Tier 3 keeps them closed. Most engagements start at Tier 1.

§ 01 What we do

Three tiers. Sequential, not a bundle.

Tier 1 produces the signed risk analysis your carrier and your attorney want to see. Tier 2 closes the gaps it finds. Tier 3 keeps them closed. Most engagements start at Tier 1.

Tier 1 § 01

Security risk analysis

A formal written risk analysis that satisfies HIPAA Security Rule § 164.308(a)(1)(ii)(A), supports cyber-liability applications, and identifies remediation priorities your broker can underwrite against.

Duration: 2–3 weeks
Fee: $3,000–$8,000
  • Signed risk analysis
  • Plan of Action & Milestones
  • Control inventory
  • Broker-ready exhibits

Tier 2 § 02

Remediation implementation

Hands-on deployment of the controls carriers and regulators require: MFA on every account, EDR on every endpoint, hardened backups on a separate system, email security, staff training, an incident response plan, and — for law firms — IOLTA / closing-wire controls. Per-sector ranges in the briefs.

Duration: 1–3 months
Fee: $10,000–$45,000
  • MFA · EDR · backups
  • DMARC · email hardening
  • Patch cadence documented
  • IR plan + tabletop

Tier 3 § 03

Ongoing managed security

Continuous monitoring, alert response, monthly reporting, annual risk-analysis refresh, and incident response on retainer. The phone number you actually call at 2am.

Duration: Monthly retainer
Fee: $1,200–$5,000 / mo
  • 24/7 monitoring
  • Monthly report
  • Annual RA refresh
  • IR on retainer

§ 01.1 Deliverables you get back

Signed written risk analysis

A 20–40 page document mapping the practice against the HIPAA Security Rule's administrative, physical, and technical safeguards. Signed by the practice owner or designated Security Officer.

Plan of Action & Milestones

A prioritized table — gap, remediation action, owner, target date — that carries through the engagement and becomes the working document for Tier 2.

Control inventory

Named vendors, named products, and the evidence the carrier needs: MFA enforcement screenshots, EDR coverage reports, backup restore-test logs, the incident response plan.

Carrier-ready exhibits

Issued in a carrier-safe font mode for insurance-portal upload. Versioned, attorney-reviewable, marked CONFIDENTIAL · ATTORNEY-CLIENT PRIVILEGE where the engagement requires it.