§ 00 Corpus Christi, TX · Coastal Bend

Enterprise security,
neighborhood scale.

Compliance-first cybersecurity for small healthcare practices, CPA and law firms, and the professional-services businesses across the Coastal Bend. Written, measured, defensible work — not slide decks.

Request a risk analysis See services

01 / 04

30+

Years enterprise depth

02 / 04

3

Sector briefs · healthcare · law · CPA

03 / 04

1

Principal signs every deliverable

04 / 04

0

Fear-based marketing

§ 00.1 The 2026 environment

Three numbers that changed the conversation.

§ 01

41%

Cyber-liability carriers denied cyber applications on first submission in 2025.

Source: Woodruff Sawyer, 2025 Cyber Insurance Market Report.

§ 02

58%

Share of all cyber insurance claims in 2025 driven by business email compromise (BEC) and funds-transfer fraud (FTF), together.

Source: Coalition, 2026 Cyber Claims Report.

§ 03

$1.25M

Average fraudulent wire transfer in 2024, with a median 18-day detection lag against a 72-hour reporting window.

Source: BakerHostetler, 2026 Data Security Incident Response Report.

§ 01 What we do

Three tiers. Sequential, not a bundle.

Tier 1 produces the signed risk analysis your carrier and your attorney want to see. Tier 2 closes the gaps it finds. Tier 3 keeps them closed. Most engagements start at Tier 1.

Tier 1 § 01

Security risk analysis

A formal written risk analysis that satisfies HIPAA Security Rule § 164.308(a)(1)(ii)(A), supports cyber-liability applications, and identifies remediation priorities your broker can underwrite against.

Duration: 2–3 weeks
Fee: $3,000–$8,000

Signed risk analysis
Plan of Action & Milestones
Control inventory
Broker-ready exhibits

Tier 2 § 02

Remediation implementation

Hands-on deployment of the controls carriers and regulators require: MFA on every account, EDR on every endpoint, hardened backups on a separate system, email security, staff training, an incident response plan, and — for law firms — IOLTA / closing-wire controls. Per-sector ranges in the briefs.

Duration: 1–3 months
Fee: $10,000–$45,000

MFA · EDR · backups
DMARC · email hardening
Patch cadence documented
IR plan + tabletop

Tier 3 § 03

Ongoing managed security

Continuous monitoring, alert response, monthly reporting, annual risk-analysis refresh, and incident response on retainer. The phone number you actually call at 2am.

Duration: Monthly retainer
Fee: $1,200–$5,000 / mo

24/7 monitoring
Monthly report
Annual RA refresh
IR on retainer

§ 02 What we measure

Eight controls. Every engagement.

Every Tier-1 risk analysis documents the same eight controls, in the same structure, against the same four questions. No bespoke methodology per client. The rigor is in the repetition. The status column below is illustrative — real findings are signed, dated, and carry through to the Plan of Action & Milestones.

§ No.	Control	Category	Status	Common gap
§ 01	Multi-factor authentication	Identity & Access	FULL	SMS-only on firewall console
§ 02	Endpoint detection & response	Endpoint	PARTIAL	Legacy imaging host excluded
§ 03	Hardened backups	Data Recovery	GAP	Backup on same subnet as prod
§ 04	Incident response plan	Response	PARTIAL	No tabletop in 14 months
§ 05	Email security	Communication	FULL	DMARC at `p=none`, not enforced
§ 06	Patching	Operations	GAP	Windows 10 past end-of-support
§ 07	Risk analysis	Governance	FULL	Four-page checklist from 2021
§ 08	BA oversight / wire integrity	Funds-Transfer	GAP	Payroll change verified by reply email

§ 02.1 Deliverables you can show your broker

Five codified artifacts. Signed, dated, versioned.

Every DIAM engagement produces written, measurable deliverables — not slide decks. The same five artifacts recur across engagements, formatted the same way every time so the carrier portal, the broker inbox, and the client's attorney all read the same file.

Sector brief: A broker-facing brief per sector — healthcare, law, or CPA — explaining the 2026 underwriting environment and the eight controls carriers ask about.
Risk analysis / WISP: A 20–40 page signed document that satisfies 45 CFR § 164.308(a)(1)(ii)(A) for healthcare or 16 CFR § 314.3 for CPA firms, and sits inside a cyber application without translation.
IR plan: A 5–15 page incident response plan naming carrier, counsel, forensics partner, and the first-call phone tree. Tabletop-tested. For law firms: tied to ABA Formal Opinion 483.
Engagement letter: Scope, assumptions, exclusions, and signature block. The engagement is defined before the work starts.
Proposal: Tier 1, 2, or 3 — fixed fee, written deliverables, and a timeline the client can forward to their accountant.

§ 03 The practice

One principal.
Signs every deliverable.

Roland Rodriguez. United States Air Force veteran, Military Space Systems Operations. Principal Technical Product Manager at AWS, 2022–2024, responsible for the five-year Rust adoption strategy across infrastructure serving 300M+ customer accounts. Core team for the Azure v1 launch at Microsoft, 2009.

The practice is delivered not by a local IT shop that added "cybersecurity" to its services menu, but by a principal whose prior work sits inside the infrastructure small practices already depend on.

The company is named for my four children — Damian, Isabella, Abigail, Matilda. The logo is those letters in ASCII binary. Every deliverable ships with their names behind it.

§ 04 For cyber-liability brokers

A technical partner for the application your client can't answer.

Carriers denied 41% of cyber applications on first submission in 2025. The denial pattern is nearly always the same across healthcare, law, and CPA books: the application attests to a control that is not actually in place — MFA on every account, immutable backups, a documented incident response plan, a callback procedure before every wire. DIAM produces the written evidence that either supports the attestation or tells the client what to fix first.

Refer a client See the briefs

Referral flow: Send the application or the declination letter. I reply inside one business day with a scoping note the client can read without translation.
What the client gets: A signed written risk analysis, a POA&M, and carrier-ready exhibits. Every deliverable is versioned and attorney-reviewable.
What you get back: A factual readout on the application gaps, the remediation path, and the timeline. No markup on anything. No referral fee that goes sideways.
Consult: Free 30-minute consultations for broker referrals. No obligation, no sales pitch.

§ 05 Get in touch

Call the number.
I answer it.

Send the carrier application, the declination letter, or the rough idea. Broker referrals get a free 30-minute consultation — no obligation, no sales pitch. I'll reply within one business day with a scoping note.

Office

615 N Upper Broadway St, Ste 639
Corpus Christi, TX 78401

HIPAA Cyber liability Breach law · TX