What this service does
Regional banks, RIAs, wealth managers, fintech, NYDFS-regulated firms. NYDFS Part 500, Reg S-P, FFIEC, FINRA, SEC cyber rule, PCI DSS, GLBA. Mid-market FinServ spends $2,700-$3,500 per employee per year on cybersecurity, twice the cross-industry baseline. 55-60% goes to managed services.
Senior practitioner on every engagement. Quinnlan Varcoe (Founder and CEO) oversees every engagement and reviews every case before findings leave the practice; Jose Santana, Lead Technical Consultant, oversees the practitioner team executing the technical work under her methodology. NDA-protected. No black-box delivery, no off-shoring, no junior staff bait-and-switch.
What we deliver
- NYDFS Part 500 Compliance. 23 NYCRR 500 program build. CISO certification language, MFA + encryption + risk assessment + IR plan + third-party risk + training. Annual Certification of Compliance preparation.
- Reg S-P + SEC Cyber Rule. Reg S-P 17 CFR 248 modernization (effective Dec 2025/Jun 2026). SEC cybersecurity disclosure rule (4-day Form 8-K Item 1.05). Pre-incident materiality framework documented.
- FFIEC + Federal Reserve Examinations. FFIEC Cybersecurity Assessment Tool, FFIEC IT Handbook, OCC Heightened Standards. Examiner-ready evidence packages for state and federal exams.
- PCI DSS 4.0 Compliance. PCI DSS 4.0 readiness, AOC support, SAQ-D scoping, segmentation validation. We work with QSA panels (Coalfire, Schellman, Trustwave), no QSA conflicts.
- FINRA + SEC for RIAs / Broker-Dealers. FINRA Rule 4530, SEC Rule 206(4)-7 compliance program. Books and records cybersecurity controls. ADV Part 2A cybersecurity disclosure language.
- Real-time Fraud + BEC Detection. BEC + wire-fraud monitoring tuned for finance attack patterns. Vendor-impersonation, CEO-spoofing, account-takeover detection. Integrates with treasury workflows.
- AI Governance for FinServ. AI/ML model risk management aligned to OCC SR 11-7 + Federal Reserve SR 11-7 model risk guidance. ISO 42001 + NIST AI RMF + EU AI Act crosswalks for cross-border firms.
- Insurance + Carrier Coordination. Coalition, Beazley, Chubb, Resilience, AT-Bay carrier coordination. Sub-limit review for ransomware extortion + regulatory fines + social engineering, the sub-limits that bite financial services hardest.
How an engagement begins
- Confidential consultation. NDA-protected. 30 to 60 minutes. Direct conversation with Quinn, not a sales rep.
- Scoped engagement. Written proposal with defined deliverables and pricing. Hourly with milestone caps for open scopes; fixed fee where the work is well-defined.
- Delivery and reporting. Court-admissible methodology where evidence matters. Written deliverables you can hand to counsel, the board, or your auditor.
Why this work runs through Witness
Witness is the parent brand for the practice. The same firm operates a B2B sister brand at varcoe.ai for buyers whose procurement workflow expects a B2B website and a B2B sales motion. Same legal entity (Blueberry Security Global, Inc., Delaware C-corp). Same Quinn. Same delivery team. The split is by audience, not by capability.