I'M MIKE SEMEL, THE COMPLIANCEOLOGIST.
There is so much bad information coming at you.
Even though it would be great if it was true, don't believe anyone who says 'We Make Compliance Easy'.
Even though it would be great if it was true, don't believe anyone who says you can't be brought down by a cyber attack.
I know you can handle the truth and I promise to give it to you.
Lots of companies claim they make compliance easy. Most make the fatal mistakes of focusing on just one requirement, like CMMC, HIPAA or the FTC Safeguards Rule, and then using boilerplate questionnaires to gather information.
They talk loudly about compliance and make you think they know it, until you ask them what formal training they have, what certifications they have earned, and what hands-on experience they have managing a regulated environment. Then they get very quiet.
Compliance management tools, GRC platforms, and scorecards are only reliable if the information entered is accurate and thorough. Many of our clients were shocked when we showed them their real compliance scores, backed up by the hard evidence we created and knowing what to look for after 40 years in the business, compared to their self-assessment scores.
Some compliance vendors even resort to gimmicks to try to make you feel good by saying you are compliant and that you should put a Seal of Compliance on your website. That can get you into millions of dollars of trouble with the Federal Trade Commission.
I WILL ONLY TELL YOU THE TRUTH SO HERE IT IS:
COMPLIANCE ISN'T EASY,
BUT IT CAN BE ACHIEVABLE & AFFORDABLE.
Compliance may seem annoying and expensive... until you compare it to the costs if you fail an audit or incident investigation, get sued, or have to pay back your funding sources. You should look at compliance as an investment, with measurable ROI.
Based on my years of experience, I know your biggest threats are probably not the ones your team is focused on, leaving you exposed. Some of the strictest compliance requirements I have seen haven't been in regulations. Instead, they were filed away in contracts and insurance policies. Your organization has multiple compliance requirements that stack up. It’s hard to create the right policies and procedures to cover everything, but we do it every day.
If you are an IT Managed Service Provider (MSP), unless you fully understand the compliance requirements for the businesses that you support, you could find yourself dragged into your customer's audits, investigations, and lawsuits. Or your own, since many regulations flow down from customers to their vendors.
Most MSPs and IT departments confuse Cybersecurity with Compliance, which is why their organizations will fail a compliance audit, incident investigation, and lose a lawsuit... even if they are doing the right things.
These are not scare tactics, just facts.
The new CMMC proposed rule for defense contractors was published in December of 2023 and will affect everyone with Department of Defense contracts, including their MSPs and security tool vendors.
The new NIST Cybersecurity Framework 2.0 has been released. NIST added a new domain - GOVERN - that affects all the controls in its familiar IDENTIFY-PROTECT-DETECT-RESPOND-RECOVER framework.
A new HIPAA Security Rule will be introduced in 2024, along with more HIPAA audits, enforcements, and higher penalties.
Not only that - the Department of Justice is actively using the federal False Claims Act to go after Medicare/Medicaid health care providers and defense contractors that misrepresent their level of cybersecurity. They are encouraging whistleblowers with large rewards. The penalty is paying back three times what the government paid you.
There's a big shift coming and if you are smart you will get started now.
I don’t just understand the regulations, I also understand regulators and how they work. I was the CIO for a hospital and a K-12 school district, and have successfully navigated multiple audits.
As a consultant, I’ve helped clients survive audits and investigations.
As a compliance expert, I'm driven to share my knowledge with cybersecurity experts, bridging the gap between the confusing words in the regulations and the action steps you must take.
“When it comes to compliance there is nobody else in the industry who knows more and is a better resource than Mike Semel. You can count on him.”
Michael Mittel, President, RapidFire Tools / Kaseya
CERTIFICATIONS MATTER
YOU DESERVE THE BEST EXPERT
Compliance knowledge requires formal training that is validated with certifications. I often see software developers and salespeople talk about compliance at many conferences, even though they have never received formal training, have no certifications, and have never worked in a regulated environment. Yet they loudly promise that their solution will deliver compliance if you just answer a few questions in their software. If you fall for that promise you will always pass yourself in a self-assessment, no matter how many violations you really have.
2024 will see compliance enforcement unleashed like never before. How do I know?
Compliance is my job.
I have received formal compliance training, have passed strict certification tests, and maintain my Continuing Education requirements.
I make it my business to keep up on compliance changes. I read the boring details in enforcement summaries so I know what the regulators are really thinking. I have been an Expert Witness and advisor in compliance lawsuits where the other side has given up.
I have been where you are, whether you're an owner, executive, CIO, or an MSP. I understand compliance and have the current certifications to prove it for CMMC, HIPAA, Cybersecurity Compliance, Business Continuity Planning, and Cyber Resilience.
CERTIFIED CMMC ASSESSOR (CCA)
CERTIFIED CMMC PROFESSIONAL (CCP) | REGISTERED CMMC PRACTITIONER (RP)
The Cybersecurity Maturity Model Certification (CMMC) is a new program but is not a new requirement. CMMC was created because defense contractors were not implementing the cybersecurity requirements that go back to 2017.
Because the stakes are so high, you deserve CMMC advice that works. Which means you need to be careful selecting your guide. You don't want to take chances with a CMMC Registered Practitioner (RP) when you can be guided by a Certified CMMC Assessor (CCA), the highest level of the CMMC ecosystem.
I am one of the fewer than 200 certified CMMC Assessors that will be conducting Level 2 assessments for the 80,000 businesses that must be prepared to access, store, or process Controlled Unclassified Information (CUI).
Large prime defense contractors are already demanding that their subcontractors be ready with a CMMC Level 2 certification when CMMC appears in contracts in 2025.
A CMMC Level 2 assessment is estimated to cost $ 100,000, will need to be scoped properly, and will require a perfect score for all 320 assessment objectives.
Who can you trust to give the most accurate advice about CMMC assessments?
A certified assessor.
You may see a lot of vendors offering CMMC services using unregistered staff or the lowest level CMMC Registered Practitioners (RP). I started out as a Registered Practitioner and was shocked to find out what I didn't know about CMMC based on the 6-hour Registered Practitioner training that barely scratched the surface. It wasn't until I passed multiple certification tests after weeks of training to become a CMMC Certified Professional (CCP) and a CMMC Certified Assessor (CCA) that I really understood CMMC and what assessments will look like.
What that means to you:
1. You will get better advice from a CMMC Certified Assessor, not someone with the limited CMMC Registered Practitioner (RP) training.
2. Because it is taking businesses 12 - 18 months to become ready for an assessment, and CMMC is likely to be in contracts in 2025, we can help you meet your prime contractor demands NOW and get a jump on your competition.
3. Until CMMC is in contracts, we can help you with your required self-assessment score to make sure it is accurate enough to pass a Department of Defense audit.
4. We can help you avoid penalties under the federal False Claims Act for misrepresenting your cybersecurity, which are painful.
HIPAA & COMPLIANCE
CERTIFIED HIPAA SECURITY PROFESSIONAL (AUTHORED THE COURSE) | CERTIFIED SECURITY COMPLIANCE SPECIALIST
HIPAA is roaring back with a new audit program, more enforcements, and increased penalties. State attorney generals are actively using their authority to enforce HIPAA.
If you bill Medicare or Medicaid, and you misrepresent your level of HIPAA compliance and cybersecurity, or don't have an 'accurate and thorough' security risk analysis that will stand up to scrutiny, you can be sued for Medicare fraud under the federal False Claims Act.
It's time to take a serious look at your HIPAA program and get a professional second opinion from a certified expert and thought leader.
'Accurate and thorough' is the term HIPAA uses to describe the requirements for a risk analysis. It's also the goal I have set for every one of the hundreds of HIPAA projects I have led.
I received my first HIPAA certification in 2004, worked as the Chief Information Officer (CIO) for a hospital, responsible for the entire HIPAA program, and have audited and advised hundreds of healthcare organizations.
I wrote 4MedApproved's Certified HIPAA Security Professional (CHSP) training, its workforce training courses, many HIPAA published articles, spoken at national HIPAA conferences, and am the best-selling author of How to Avoid HIPAA Headaches.
BUSINESS CONTINUITY PLANNING
CERTIFIED BUSINESS CONTINUITY PROFESSIONAL (CBCP) | CERTIFIED CYBER RESILIENCE PROFESSIONAL (CCRP)
I've been a disaster victim and managed the Red Cross disaster recovery program in our region for 14 years.
When I was just 15, our home was flooded and our family business was destroyed. The only reason our family business survived was because one of our suppliers had a plan, when we didn't. I learned then that hope is not a business strategy.
You deserve a business continuity plan that works. So do your customers, investors, and workforce members whose families depend on your business.
You need cyber resilience to be ready for a sustained cyber outage. Don't believe the people who tell you it can never happen or that they can recover everything in minutes.
Whether you simply want to ensure your business survives disasters or you want your business to be your legacy long after you die, we can help you.
The plans I have written have helped a multi-billion-dollar credit union survive Superstorm Sandy, a regional IT company survive the Joplin Tornado, and other businesses survive disasters and disruptions you never heard of.
With unprecedented weather events and cyber attacks, customers are demanding that their vendors have tested business continuity plans. You could lose your largest customers if you can't provide a tested plan.
I earned my Certified Business Continuity Professional (CBCP) certification in 2006.
In 2021, out of over 20,000 certified professionals, I was selected by the chairman of the Disaster Recovery Institute to work on a small committee to rewrite the international standards for business continuity planning, which were published in 10 languages and are now the international standard for certification training.
I helped the Disaster Recovery Institute rewrite its Cyber Resilience certification class and became an instructor.
“Mike Semel understands how technology, compliance, and legal risks overlap. He has helped our IT, compliance, and legal teams work together to better protect our company and the people we serve.”
Craig Bolton, General Counsel, Celmatix
DON'T SIGN OFF ON YOUR CYBERSECURITY UNTIL YOU'VE GOTTEN AN INDEPENDENT EXPERT OPINION
I PROVIDE EXPERT COMPLIANCE ADVICE FOR EXECUTIVES AT MID-TO-LARGE BUSINESSES WHO NEED CYBERSECURITY COMPLIANCE CERTAINTY BEFORE SIGNING AN ATTESTATION
YOU'RE THE BOSS. I know you can handle the truth and I will never lie to you. Even if the news is bad.
But often people are afraid, and will tell you what they think you want to hear, and seldom any bad news they think may affect their job.
You are right to be worried when it comes to signing off on your cybersecurity program because new regulations, insurance policies, and contracts are requiring the CEO's signature legally attesting that your cybersecurity program meets their requirements.
Many of the new regulations also require board of directors cybersecurity reporting.
You don't want to be blind-sided. You don't want to be embarrassed in front of your board.
You want to know that your signature won't come back to haunt you.
The best way to know is to have an independent expert confidentially report directly to you before you sign your name.
When we find something wrong we show you what needs to be fixed before it becomes a big problem.
When we find things are right it gives you the peace of mind knowing your signature will stand up to scrutiny.
Don't wait. Call us now.
“I am leveraging your knowledge quite a bit with prospective customers; In one case I closed the deal almost immediately.”
Mike Williams, TeamLogic IT, Northeast Pennsylvania
CYBER INSURANCE VALIDATION TO AVOID CLAIM DENIALS
YOU BUY MILLIONS OF DOLLARS OF CYBER INSURANCE FOR A REASON.
You pay a lot and expect your insurance to protect you when you need it.
By the time you find out your claim is denied, or your policy is cancelled, it is too late.
Out of your own pocket you have to pay millions in ransom, pay the lawyers, fight lawsuits, pay cybersecurity incident responders, fight regulators, pay fines, lose profits because your business interruption isn't covered, lose customers, have embarrassing conversations with your board, your investors, and your spouse, and lose a lot of sleep... WHICH CAN ALL BE PREVENTED if we assess your insurance policy compliance before you sign off.
We verify questions like these as part of every compliance assessment:
Cyber insurance applications barely used to fill one page. Now there are multiple applications with pages of complex questions, designed to set you up for a claims denial if you get just one thing wrong.
Don't take chances. Call us today.
“Mike Semel is a wealth of knowledge and truly cares about the industry and his customers. It's an honor and privilege to know him. Thank you Mike Semel for everything you do.”
Max Pruger, General Manager For Kaseya Compliance Manager GRC
BUSINESS CONTINUITY PLANNING
YOUR CUSTOMERS ARE WATCHING AND SO ARE YOUR INVESTORS, LENDERS, WORKFORCE MEMBERS, AND THEIR FAMILIES
We can help you plan for business interruptions you never imagined.
When I was 15, I never imagined that our home could be flooded.
I was wrong. See the kid in the white hat looking at the flood? That's me.
I turned my experience as a disaster victim needing help into a career helping others. I've been an EMT, fire department rescue captain, Red Cross disaster manager, and served on the Formula One and IndyCar safety teams for over 20 years. I was fortunate to be able to blend my emergency service experience into a way to help business owners.
Our business continuity plans have helped the largest federal credit union in New York survive the UNPRECEDENTED Superstorm Sandy, an IT support company survive the UNPRECEDENTED Joplin Tornado, a service provider survive the UNPRECENDENTED death of a key employee, and many other disruptions and disasters you never heard about.
Lots of people depend on your business. Your workforce and their families, your customers, your investors, your lenders, and your community. You don't want to let them down. Because you would also be letting yourself and your family down.
We are working with clients whose customers are demanding that they show them a tested business continuity plan.
Supply chain management is more important than ever. Your customers are worried, for good reason.
Why?
Because everything today is UNPRECEDENTED.
UNPRECEDENTED weather. UNPRECEDENTED bridge accident. UNPRECEDENTED cyber attack.
UNPRECEDENTED flooding, tornadoes, hurricanes, wildfires, wind, rain, snow, communications failure, traffic, illness, civil unrest...
Your business is more dependent than ever on technology. But more than anything you depend on people - your owners, managers, subject matter experts, workers, customers, clients, vendors, and suppliers.
Having a plan can make you more resilient, even if it isn't exactly for the incident you were expecting.
The plans we wrote for workers to work from home if a building was destroyed by a tornado or fire... made the business resilient and helped it survive when COVID hit.
We write plans, run tabletop exercises and tests, and keep the plans updated because even little things that change can mess up the best plans. We wrote pandemic plans in 2010, 10 years before COVID.
Most plans are created by people without formal business continuity training using free or cheap plan templates. The plans aren't tested and processes fail as soon as the first pressure of a disaster touches them.
We follow the Disaster Recovery Institute's Professional Practices and are certified in planning and cyber resilience.
Don't wait to find out your plan won't work. We're the experts you need to help you survive.
“Mike Semel created and tested an extensive business continuity/pandemic response plan for our credit union, which has almost 180,000 members, 25 branches across Long Island, and over $ 4 billion in assets."
Gary Jendras, Vice President, Internal Audit, Bethpage Federal Credit Union
