Let me tell you about Gary

The email landed on a Tuesday, and Gary read it twice before it sank in.

The Department of Financial Services would be examining his agency. Attached was a first-day letter — a list of the evidence they wanted, with a deadline closer than it had any right to be. Risk assessments. Policies. Access reviews. The annual certification, and the records behind it.

Gary wasn't worried at first. Twenty-two years in insurance, never cut a corner in his life. He forwarded the letter to his IT company with one line: "Can you handle this?"

The reply came back fast and friendly. "You're locked down — firewalls, antivirus, backups, the works." All true. And, as Gary would discover, almost beside the point.

Because the examiner didn't want to know whether he had tools. They wanted to know who owned the program. Who decided what the risks were. Where it was written down. Whether Gary — who'd signed last April's certification himself, without reading much past the signature line — could defend what he'd personally attested to.

He couldn't. Not because he'd done anything wrong, but because the job had never been given to anyone. His IT company kept the systems running; they were good at it. Owning a documented governance program that holds up to a regulator was a different job — and it had quietly belonged to no one for years.

So Gary did what most agency owners do. He scrambled. For three weeks, he pulled two of his senior people into nights and weekends — the kind of people whose time the agency could least afford to lose — rebuilding a year of documentation from memory and old email threads, trying to make it read like it had been there all along.

He got through it. But "through it" wasn't the same as "done." The examiner kept coming back — clarifications, more proof, follow-ups on the follow-ups — and what began with a single letter stretched into a year and a half of requests that pulled time and attention from every corner of the agency. The cost was never a fine. It was eighteen months of his organization's bandwidth, spent proving after the fact what should have been there all along.

I've watched a version of that Tuesday play out more times than I'd like — different names, same gap. It's the reason I built Fortify.

I work with NYDFS-regulated insurance agencies as the person who owns that second job: the governance, the documentation, the risk decisions, the accountability that's already in place when the examiner arrives, instead of getting manufactured in the weeks after. For some agencies that means building the program long before a letter ever comes. For others, it means walking in the day the first-day letter lands and steadying the response. Right now that includes serving as vCISO for Highview, an insurance carrier building its DFS governance program from the ground up. This is the work I've built my practice entirely around — not one service among many, the whole of it.

Over a decade in IT and security, with the last several years focused entirely on cybersecurity governance and NYDFS Part 500. The credentials are below — but they've never been why a client trusts me. That comes from owning the fix, not just naming the problem.

Fortify is boutique on purpose. I work with a handful of agencies at a time, so each one gets real attention — which also means my calendar is genuinely limited. If you want someone to check a box and move on, I'm honestly not your person. But the certification comes due every April 15, and the time to fix what's missing is now — not in the weeks before, when there's no runway left and no room on my calendar. If you want a program that holds up, let's talk while there's still time to do it right.

If You're Serious About Compliance, We Should Talk.

We take on a limited number of engagements. The strategy call is how we determine whether we're the right fit for your agency — and whether your agency is the right fit for us. Either way, you'll leave the call with a clearer picture of where things stand.

The Expertise Behind the Work

Credentials: CISSP exam passed (Associate of ISC²) · CompTIA SecurityX · CySA+ · PenTest+ · Security+ · Cloud+ · Linux+ · CSCP · CSAE · CSIE