Somewhere in the Fine Print Is a Penalty With Your Name On It. Let Us Find It First.
May 12, 2026 7:37:44 PM Emily Zaczynski 10 min read
If you run a small or mid-sized business in a regulated industry, here is something you probably already know in your gut: the regulations you are expected to follow were not designed with you in mind. They were written for organizations with compliance departments, legal teams, and dedicated security staff. You have yourself, a busy team, and about forty other things competing for your attention every single day.
That is exactly why we built The Fine Print.
The Regulatory Playing Field Is Not Level
Large enterprises have entire departments whose only job is to track regulatory changes and translate them into action. When a new rule drops, someone reads it the same day. When a deadline changes, someone updates the calendar.
Small businesses have you. And you are also managing staff, serving clients, running payroll, and doing everything else that keeping your company alive requires.
The result? Only 27% of small businesses claim full compliance with cybersecurity laws and frameworks. That is not because small business owners do not care. It is because there are only so many hours in a day, and reading a 40-page regulatory guidance document is rarely at the top of the list.
Regulations Are Getting Stricter, and Enforcement Is Not Waiting
The regulatory environment for small businesses has shifted significantly in the past few years. HIPAA enforcement has accelerated. The CMMC program now requires third-party certification for defense contractors. FINRA is requiring AI governance documentation. Twenty-two states have enacted insurance-specific cybersecurity laws. The PCI-DSS v4.0 grace period is over. New state privacy laws took effect in Indiana, Kentucky, and Rhode Island on January 1, 2026.
And the consequences of falling behind are not small.
- Nearly 1 in 5 SMBs that suffered a cyberattack filed for bankruptcy or closed their business entirely. (Mastercard, 2025)
- Organizations with 50 to 100 employees face recovery costs per employee nearly 8x higher than larger enterprises. (Devolutions, 2025)
- Compliance fines averaged $8,900 per violation for non-compliant SMBs in 2025. (SQ Magazine, 2025)
A single audit finding can trigger multiple violations simultaneously. And the fine is only the beginning. Legal fees, remediation costs, required third-party audits, and insurance premium increases follow.
Most Business Leaders Find Out the Hard Way
Here is an uncomfortable truth: the most common way a small business leader discovers a regulation applies to them is by receiving a notice from the agency enforcing it. By that point, the organization is already in reactive mode, often without the documentation, policies, or controls that would have constituted a defense.
Two recent cases make this very clear.
| Organization | Industry | Penalty | Regulator | Date | What happened |
|---|---|---|---|---|---|
| Solara Medical Supplies | Healthcare | $3,000,000 | HHS OCR | January 2025 | A phishing attack exposed patients' protected health information. OCR's investigation did not focus primarily on the attack itself. It focused on one missing document: a completed enterprise-wide risk analysis. That gap alone produced a $3 million settlement. OCR entered ten HIPAA resolution agreements in the first five months of 2025 alone, and nearly every one cited the same missing requirement. |
| Healthplex, Inc. | Insurance | $2,000,000 | NYDFS | August 2025 | A single phishing email gave an attacker access to one employee's inbox, exposing tens of thousands of consumers' nonpublic information. Healthplex is a licensed insurance agent, not a large carrier. The $2 million fine came down to three things: no MFA on email, no data retention policy, and a breach notification that arrived four months late when the regulation required 72 hours. If your organization holds an insurance license in any of the 22-plus states that have enacted the NAIC Insurance Data Security Model Law, this case describes your regulatory environment. |
A Look at What Is Inside
Here is a sample of what our Q1 2026 edition covers. Every article is written by a member of our vCISO and compliance team based on real regulatory developments.
FINRA 2026 GenAI Governance: A Survival Guide for Small Financial Firm CEOs
FINRA's 2026 Regulatory Oversight Report signals that the AI honeymoon in financial services is officially over. Firms must now govern AI tools with the same rigor as human supervisory processes. If your firm has adopted any AI-assisted tool in the past two years, this article explains exactly what FINRA now requires and what you need to do before your next examination.
The Insurance-Specific Cybersecurity Law Your State Passed Without Telling You
More than 22 states have enacted the NAIC Insurance Data Security Model Law. It applies to every licensed insurance entity in those states including independent agents, brokers, and adjusters. Most small agency owners have never heard of it. This article identifies which states are covered, what the law actually requires, and the compliance gaps regulators are finding most often.
The CMMC Level 2 C3PAO Selection Framework: A Strategic Guide for Defense Contractors
CMMC Phase 2 begins November 10, 2026. Self-attestation ends for DoD contracts involving Controlled Unclassified Information, and every qualifying contractor will need a completed third-party assessment. Choosing the wrong assessor has real consequences for your certification. This framework walks you through exactly how to evaluate and select a C3PAO before the window closes.
Preview the full newsletter here.
Our Promise to You
The Fine Print is free, quarterly, and written by people who actually implement controls to meet these regulations for a living. We make three commitments to every subscriber.
- We read the boring stuff so you do not have to. Every guidance document, enforcement release, and regulatory update across seven industries, distilled into what you actually need to know.
- No spam. Ever. The Fine Print publishes quarterly. Four emails a year. Nothing in between unless something is urgent enough that waiting 90 days would leave you exposed.
- Everything you need, nothing you do not. Every edition is designed to be readable in under ten minutes. You get the full picture and get back to running your business.
Compliance does not have to be the thing that catches you off guard. It can be the thing you stay ahead of. That is what The Fine Print is here to help you do.
Frequently Asked Questions About Our Compliance Newsletter
What is The Fine Print?
The Fine Print is a free quarterly compliance newsletter published by CompassMSP. It covers the regulatory updates, enforcement actions, and compliance deadlines that matter most to small and mid-sized businesses across seven industries: healthcare, finance, manufacturing and defense, legal, insurance, retail, and construction. Every edition is written by our vCISO and compliance team — practitioners who implement these regulations for a living.
Who writes The Fine Print newsletter?
Our compliance and cybersecurity team, which includes our vCISO, Senior vCISO, Director of Cybersecurity Advisory Services, and CMMC Program Manager. These are not content writers summarizing press releases. They are the same people who sit across the table from regulators, conduct risk assessments, and guide clients through certification audits. Everything in The Fine Print comes from that firsthand experience.
Is The Fine Print really free?
Yes, completely. No trial period, no credit card, no paid tier. We publish it as a resource for the business owners and executives we serve. All we need is your email address.
How often will I receive The Fine Print newsletter?
Four times a year. That is it. We will never send promotional emails, product pitches, or marketing blasts in between editions. If something is urgent enough that waiting 90 days would leave you exposed, we may send a one-time alert — but that is a rare exception, not a habit.
My business is small. Do these regulations really apply to me?
This is the most common misconception we encounter, and it is the entire reason this newsletter exists. Regulatory agencies do not scale their requirements by company size. The NAIC Insurance Data Security Model Law applies to every licensed agent and adjuster, not just large carriers. HIPAA applies to every covered entity and business associate regardless of how many employees they have. CMMC applies to every defense contractor handling Controlled Unclassified Information, from 10-person shops to 10,000-person primes. If you operate in a regulated industry, the regulation applies to you.
What industries does The Fine Print cover?
We cover seven industries in every edition: healthcare, finance, manufacturing and defense contractors, legal, insurance, retail, and construction. If there is no major regulatory news in a given industry for a particular quarter, we will not manufacture content to fill the space. Every article we publish is tied to a live regulatory development with real consequences.
I already have an IT provider. Why do I need this?
Having an IT provider and staying current on compliance are two different things. Most IT providers focus on keeping your systems running. Compliance requires knowing which specific regulations apply to your business, what they require, when deadlines fall, and what enforcement actually looks like when organizations fall short. The Fine Print gives you that visibility in a format you can actually use.
What should I do if I read something in The Fine Print and realize my business might not be compliant?
Start by not panicking. Most compliance gaps are fixable with the right guidance and enough lead time. The worst outcomes happen when organizations ignore a problem or discover it too late. If something in an edition raises a concern, our team is available to talk through your specific situation. You can also explore our compliance services at compassmsp.com/solutions.
Is anything in The Fine Print legal advice?
No. The Fine Print is for informational purposes only and does not constitute legal advice. We provide the operational and technical perspective that helps organizations understand what regulations require and how to implement the controls that satisfy them. For specific legal determinations, we always recommend consulting qualified legal counsel.
Emily Zaczynski
Emily is a vCISO for Compass MSP. She is an experienced compliance professional with 12 years of expertise, including 9 years specializing in insurance compliance. She has a proven track record of ensuring regulatory adherence, mitigating risks, and implementing best practices within dynamic environments.