If you run a small or mid-sized business in a regulated industry, here is something you probably already know in your gut: the regulations you are expected to follow were not designed with you in mind. They were written for organizations with compliance departments, legal teams, and dedicated security staff. You have yourself, a busy team, and about forty other things competing for your attention every single day.
That is exactly why we built The Fine Print.
Large enterprises have entire departments whose only job is to track regulatory changes and translate them into action. When a new rule drops, someone reads it the same day. When a deadline changes, someone updates the calendar.
Small businesses have you. And you are also managing staff, serving clients, running payroll, and doing everything else that keeping your company alive requires.
The result? Only 27% of small businesses claim full compliance with cybersecurity laws and frameworks. That is not because small business owners do not care. It is because there are only so many hours in a day, and reading a 40-page regulatory guidance document is rarely at the top of the list.
The regulatory environment for small businesses has shifted significantly in the past few years. HIPAA enforcement has accelerated. The CMMC program now requires third-party certification for defense contractors. FINRA is requiring AI governance documentation. Twenty-two states have enacted insurance-specific cybersecurity laws. The PCI-DSS v4.0 grace period is over. New state privacy laws took effect in Indiana, Kentucky, and Rhode Island on January 1, 2026.
And the consequences of falling behind are not small.
Nearly 1 in 5 SMBs that suffered a cyberattack filed for bankruptcy or closed their business entirely. (Mastercard, 2025)
Organizations with 50 to 100 employees face recovery costs per employee nearly 8x higher than larger enterprises. (Devolutions, 2025)
Compliance fines averaged $8,900 per violation for non-compliant SMBs in 2025. (SQ Magazine, 2025)
A single audit finding can trigger multiple violations simultaneously. And the fine is only the beginning. Legal fees, remediation costs, required third-party audits, and insurance premium increases follow.
Here is an uncomfortable truth: the most common way a small business leader discovers a regulation applies to them is by receiving a notice from the agency enforcing it. By that point, the organization is already in reactive mode, often without the documentation, policies, or controls that would have constituted a defense.
Two recent cases make this very clear.
| Organization | Industry | Penalty | Regulator | Date |
|---|---|---|---|---|
| Solara Medical Supplies | Healthcare | $3,000,000 | HHS OCR | January 2025 |
| Healthplex, Inc. | Insurance | $2,000,000 | NYDFS | August 2025 |

Solara Medical Supplies: A phishing attack exposed patients' protected health information. OCR's investigation did not focus primarily on the attack itself. It focused on one missing document: a completed enterprise-wide risk analysis. That gap alone produced a $3 million settlement. OCR entered ten HIPAA resolution agreements in the first five months of 2025 alone, and nearly every one cited the same missing requirement.

Healthplex, Inc.: A single phishing email gave an attacker access to one employee's inbox, exposing tens of thousands of consumers' nonpublic information. Healthplex is a licensed insurance agent, not a large carrier. The $2 million fine came down to three things: no MFA on email, no data retention policy, and a breach notification that arrived four months late, where the regulation required 72 hours. If your organization holds an insurance license in any of the 22-plus states that have enacted the NAIC Insurance Data Security Model Law, this case describes your regulatory environment.
Here is a sample of what our Q1 2026 edition covers. Every article is written by a member of our vCISO and compliance team based on real regulatory developments.
FINRA 2026 GenAI Governance: A Survival Guide for Small Financial Firm CEOs
FINRA's 2026 Regulatory Oversight Report signals that the AI honeymoon in financial services is officially over. Firms must now govern AI tools with the same rigor as human supervisory processes. If your firm has adopted any AI-assisted tool in the past two years, this article explains exactly what FINRA now requires and what you need to do before your next examination.
The Insurance-Specific Cybersecurity Law Your State Passed Without Telling You
More than 22 states have enacted the NAIC Insurance Data Security Model Law. It applies to every licensed insurance entity in those states including independent agents, brokers, and adjusters. Most small agency owners have never heard of it. This article identifies which states are covered, what the law actually requires, and the compliance gaps regulators are finding most often.
The CMMC Level 2 C3PAO Selection Framework: A Strategic Guide for Defense Contractors
CMMC Phase 2 begins November 10, 2026. Self-attestation ends for DoD contracts involving Controlled Unclassified Information, and every qualifying contractor will need a completed third-party assessment. Choosing the wrong assessor has real consequences for your certification. This framework walks you through exactly how to evaluate and select a C3PAO before the window closes.
The Fine Print is free, quarterly, and written by people who actually implement controls to meet these regulations for a living. We make three commitments to every subscriber.
Compliance does not have to be the thing that catches you off guard. It can be the thing you stay ahead of. That is what The Fine Print is here to help you do.