FAQ
Questions we hear most often
Honest answers about what Moat Cybersecurity does, who we work with, and how we work — so you can decide whether it's worth a conversation.
A virtual CISO (vCISO) is a fractional executive who provides the strategic security leadership of a Chief Information Security Officer without the full-time cost. (The role is distinct from a virtual CIO, or vCIO, which covers general IT strategy rather than security.) For nonprofits and small organizations that need executive-level cybersecurity decision-making but cannot justify a full-time hire, a vCISO provides strategy, governance, compliance oversight, and accountability on a part-time or project basis. The key difference from a full-time CISO is cost and scope: a vCISO serves multiple clients simultaneously, bringing broad cross-sector experience at a fraction of the salary.
A managed service provider (MSP) is focused on keeping your systems running: helpdesk support, backups, device management, and monitoring. Moat Cybersecurity is focused on strategy and governance: what technology decisions should your organization be making, what risks are you carrying, and how do you meet your compliance obligations? There is no conflict of interest because Moat Cybersecurity does not sell or manage technology; it advises on it. Your MSP keeps the lights on. Moat advises your leadership on the decisions.
Moat Cybersecurity does not replace your existing IT staff or managed service provider; it works alongside them. Your IT administrator or MSP handles day-to-day operations. Moat provides the strategic layer above that: governance, compliance, risk management, vendor accountability, and board-level reporting. Most clients find that having a vCISO makes their existing IT team more effective because there is now clear strategic direction and accountability.
On an ongoing retainer, Moat Cybersecurity provides: regular security governance reviews and risk assessments; vendor oversight and contract accountability; compliance program management (HIPAA, NIST, SOC 2, CIS Controls); board and leadership reporting on IT risk posture; incident response planning and tabletop exercises; staff security awareness guidance; and strategic technology planning. The exact cadence and scope depend on your organization's size and needs, and are established during the 30-Day Discovery Audit.
Moat Cybersecurity works exclusively with nonprofits and mission-driven organizations in New York, New Jersey, and Connecticut. This includes social service nonprofits, community health centers, behavioral health providers, federally qualified health centers (FQHCs), legal aid societies, civil rights organizations, and policy advocacy groups. The typical client has between 20 and 150 staff, handles sensitive client or patient data, has compliance obligations (HIPAA, state law, grant requirements), and has no dedicated IT security leadership.
Whether a small organization needs a vCISO depends on its compliance obligations and risk profile. A 15-person organization that handles HIPAA-regulated health data, federal grant requirements, or sensitive client information may have a genuine need for strategic IT security leadership, regardless of headcount. A 15-person organization with no sensitive data and no compliance obligations may not need ongoing vCISO services, though the 30-Day Discovery Audit can still provide value as a one-time assessment. The best way to find out is to use the Assess Your Fit tool on this site or book a direct conversation.
For most nonprofits, one IT person handles the operational work — keeping systems running, managing vendors, handling helpdesk requests. That is a full-time job. Strategic IT leadership — governance, compliance, risk management, board reporting, and vendor accountability — is a separate discipline that requires a different skill set and a different perspective. Moat Cybersecurity fills that strategic gap without replacing your existing IT staff. In fact, most IT staff find it a relief to have a senior security leader handling the governance and compliance work they were never trained for.
Outside the nonprofit sector, generally no. Moat Cybersecurity is purpose-built for nonprofits and mission-driven organizations. The compliance frameworks, funding structures, board governance dynamics, and vendor relationships in the nonprofit sector are distinct enough that sector-specific expertise matters. If you are a small professional services firm with a nonprofit-adjacent mission or a significant nonprofit client base, it is worth a conversation, but the primary focus is the nonprofit sector.
The 30-Day Discovery Audit is a comprehensive assessment covering: technology inventory and architecture review; cybersecurity risk assessment against NIST and CIS frameworks; compliance gap analysis (HIPAA Security Rule, SOC 2, applicable state requirements); vendor and contract review; and IT governance review. Deliverables include an executive summary report, a risk register, a compliance roadmap, technology rationalization recommendations, a 90-day action plan, and a vendor accountability framework. The audit is designed to give your leadership and board a clear, honest picture of where your organization stands.
The 30-Day Discovery Audit is a standalone engagement and does not commit you to a retainer. You receive the full deliverables regardless of whether you proceed to an ongoing retainer. If you do decide to move forward with a retainer within 30 days of the audit, the audit fee is partially credited toward your first retainer period. There is no pressure to commit, and the audit findings are yours to use however you see fit, including working with a different provider.
The audit is minimally disruptive. It requires time from your leadership team for interviews and document review, typically two to four hours total across the 30-day period. There is no system downtime, no agent installation, and no network scanning that would interrupt operations. Most of the work happens in the background through document review, vendor interviews, and analysis.
Moat Cybersecurity does not certify HIPAA compliance, and no advisory firm can: the Department of Health and Human Services recognizes no third-party HIPAA certification. HIPAA compliance is a continuous organizational obligation, not a credential that can be granted by an outside party. What Moat Cybersecurity does provide is a rigorous gap assessment against the HIPAA Security Rule, a remediation roadmap, and ongoing governance support to help your organization build and maintain a defensible compliance posture. Whether your organization is "compliant" is ultimately a legal determination.
Moat Cybersecurity works with the frameworks most relevant to nonprofits and healthcare-adjacent organizations: HIPAA Security Rule (45 CFR Parts 160 and 164); NIST Cybersecurity Framework (CSF 2.0); CIS Controls (v8); SOC 2 Type I and Type II readiness; 42 CFR Part 2 (for substance use disorder programs); and applicable New York SHIELD Act and NYDFS requirements. The specific frameworks assessed depend on your organization's funding sources, data types, and regulatory environment.
The most common issues include: inadequate security risk analysis documentation (required under the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A), but often missing or outdated); weak vendor contract language around data handling and breach notification; lack of a formal written incident response plan; gaps in access control and user account management, such as accounts that outlive the people or vendors they were created for; insufficient staff security awareness training documentation; and board-level governance gaps where IT risk is not formally reported or reviewed. Many organizations discover these issues only when they receive an audit finding or experience a security incident.
The first step is a conversation, with no commitment required. You can book a 30-minute call directly via Google Calendar, email [email protected], or call 914-348-3181. If there appears to be a fit, the next step is the 30-Day Discovery Audit, which provides the foundation for any ongoing engagement. You can also use the Assess Your Fit tool on this site to get an honest, AI-assisted assessment of whether Moat is likely the right match before reaching out.
Moat Cybersecurity is a strategic advisory firm, not an incident response team. In the event of an active security incident, your first call should be to your cyber insurance carrier's IR hotline or to a dedicated incident response firm. If you carry a cyber policy, contact the carrier before engaging anyone else: many policies require notification before outside help is retained, and some only cover work performed by their pre-approved panel firms. What Moat Cybersecurity does is help you prepare before an incident occurs, through incident response planning, tabletop exercises, and vendor selection for IR retainers, so that when something happens you are not making critical decisions under pressure for the first time.
Fees are not published on the website. Moat Cybersecurity's engagements are scoped based on each organization's size, complexity, compliance obligations, and specific needs. The 30-Day Discovery Audit is a fixed-scope starting point, and ongoing retainer pricing is discussed after the audit establishes the full picture of what is needed. There are no surprise fees and no long-term contracts required. To get a sense of whether the investment is appropriate for your organization, the best first step is a direct conversation.
Still have questions?
The fastest answer is a direct conversation.
No sales pitch. No pressure. Just an honest conversation with Lester Rogers about whether there is a fit.