Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Craig Petronella of PetronellaTech.com and Vincent DiCianni of AffiliatedMonitors.com discuss Monitoring and Assessments

December 03, 2020 Craig Petronella

Craig Petronella, CMMC RP, IT Cybersecurity and Compliance SME interviews Vincent DiCianni of AffiliatedMonitors.com on Monitoring and Assessments.

Founded in 2004, Affiliated Monitors, Inc. (“AMI”) was the first company in the United States to focus on providing top-quality, independent integrity monitoring and assessment services across a wide range of regulated industries and professions. What distinguishes our professionals from others is that monitoring is our only business; it is not a sideline to some other professional practice or service. 


Announcer:

You're listening to cybersecurity and compliance with Craig Petronella. Visit us online at Petronellatech.com.

Craig Petronella:

Hi, Vin. Good afternoon. How are you today?

Vincent DiCianni:

Hi, Craig, how are you?

Craig Petronella:

Great. Good to have you. Tell us what your specialty is. We know we spoke the other day about your monitoring business, but tell us what that means, and introduce yourself, if you may.

Vincent DiCianni:

Sure. Thanks. My name is Vin DiCianni. I am the president of a company called Affiliated Monitors. Our headquarters are in Boston, Massachusetts, but we're located across the country and have offices in Europe. Affiliated Monitors is a company that provides two specific services in this sort of niche business. One is we do independent monitoring. And I'll describe that in a minute. Independent monitoring of companies that might have some issues or be in trouble with a government agency, and be allowed to continue in operations with a monitor overseeing the work that they do to remediate whatever problems they have. That's one side of our business. The other relates to what I'll call proactive work, where we help companies with their compliance and ethics programs and controls. So that's very briefly what we do in a nutshell. Affiliated Monitors started in 2004. So we're going on our 17th anniversary in January. I was the company's founder, and it came about because of some cases that I had when I was an attorney in private practice. I had a couple of cases in my career before regulatory agencies where the punishment didn't fit the crime, if I can put it that way. Some companies had done something inappropriate and were being either investigated or charged criminally or civilly, or even administratively, with some wrongdoing. And sometimes the punishment, the sanction meted out by the government agency, was too severe for what the behavior was. So not crossing T's and dotting I's and getting a suspended sentence, or revocation of a license, or loss of a contract was, for me, a little bit too severe. And then 17 years ago, this is the old world, if you will, there were no intermediary sanctions. So what would happen? The government had a few options. One was a slap on the wrist. Two was a suspension for some time, a revocation, or a debarment or something like that. And those were very severe. That's almost a death sentence to some companies. The cases that I had screamed for a different kind of sanction. When I created Affiliated, at that time, it was really to think about the cases that I had and how to make it a little bit different by giving options through the government agency where they could have a sort of an intermediary sanction. And that's what the monitoring was all about. That's an introduction to who we are and what we do.

Craig Petronella:

Awesome. Thank you for that. And I know we talked before. A lot of your work is in federal defense contractors and other regulated industries, of course. Much of my work is around the new CMMC or Cybersecurity Maturity Model Certification process for federal defense contractors, where they now no longer self-attest. They have to have a certified third-party lead assessor look for two forms of evidence for each of the 110-plus controls, depending on the maturity level they're after. So, the DoD came out with the CMMC because self-attestation didn't work. NIST 800-171 was the focal point for the past five-plus years. When I did the training and became a registered practitioner, they talked about the False Claims Act. What do you think about it? I'm sure that there are probably many federal defense contractors out there that may have taken a contract. And they have the default 7012 clauses as well as the NIST 800-171. They probably just glazed over it and said that they'd do that. And they took the contract award. What are your thoughts on false claims? Could you talk a little bit about that and how you might be able to help some of your monitoring sides?

Vincent DiCianni:

Sure, I tell you, it's a great question. And there's a lot of pieces to it. We've worked with contractors. We're serving as the monitor in several matters right now. The company didn't have anything in place regarding those types of controls you described, or even something brought out, like a compliance program, or some process for vetting third-parties, or joining with subcontractors. That kind of stuff. So we see that all the time, and it is a false claim. You submit something that says, This is who we are and what we have. And then you don't have it. You're not truthful. That is a false claim. That has been my experience, but I think it's a broad experience. The government has different options. If it's severe enough and the dollar figure is high enough, it might be attractive to the Department of Justice, a US Attorney's office, or even a district attorney's office. If the activity is so bad that it warrants some criminal activity, then they'll do that. But what happens a lot of times is if the dollar figure isn't that much. It devolves back to the government agency to take some action to be a meaningful fix. Instead of simply dropping the case, they will do it where there's a clear false claim submission or some fraud. Still, the dollar figure doesn't get so high, or it's not the kind of case where they're using it as a sort of a message to the community. They'll go administrative or civil. They'll make it a civil action in which are administrative actions in which the company has to do something to fix the issues that have been discovered, like the false claim. They will have to bring you to do the work you do, ensuring that the company is up to speed on its IP and cybersecurity, internal controls, and data protection controls.

Craig Petronella:

Sure.

Vincent DiCianni:

For us, it's a little bit more than that. But it's an alternative. Instead of treating the default claims, getting rid of the company, and putting them out of business, let's fix it. That's the mentality that a lot of the department offices we work with have utilized. And that comes about under the FAR. That gives them the authority to do what's called suspension and debarment. And essentially, the debarment comes about when the government agency says, Look, you're a contractor for us, you have four contracts, you did something inappropriate, like submitting a statement that wasn't true or authorizing something that you couldn't authorize. Now, we've got to fix that. And we've got to make sure that you don't do it again. Let's put in a strong compliance program, a monitor to make sure that you're doing it right, and then move forward with the monitor watching what the company does going forward. I think this is the reality, and now there's less trust in companies to certify on their own that they fixed the problem or they've done something. And that's why having the third party that's been certified is important. I think it validates for the company as a government agency that the company is on its game.

Craig Petronella:

Sure. So, many of the listeners are probably small businesses, medium-sized businesses, and some large businesses. I know I was speaking with someone a few weeks ago, and they had said that the government's not going to go after you. If you didn't do the self-attestation, they're not going to take your contract away if you signed off on it. How true do you think that is? Do you think the government is ramping up its audits and looking deeper to go after companies that have not been in compliance and aligned with compliance? I feel like if you lied, it's dishonest. There should be some type of penalty. I don't know how aggressively they go after folks around that. But I think that's also why the DoD came out with the DFARS Interim Rule to put more pressure. They want to see your system security plan, your SSP, to see your self-assessment NIST 800-171 score. They want to know the score. Is it a perfect 110? Negative? Or somewhere in the middle? We also want to see what your plans of action and milestones are. If you don't have a 110 score, how are you going to get there? When are you going to get there? What are you going to do about it? That was the deadline on November 30, a few days ago now. And the DoD released the CMMC, officially, on January 31. I feel like the pressure is ramping up. What are your thoughts?

Vincent DiCianni:

I agree with you. And believe it or not, I think it's the kind of thing that keeps a lot of companies up at night. They know they aren't compliant. And they try to skirt by and keep their head in the sand until the government comes knocking. I think that there may be a false sense of security. Like they're never going to get audited, or there's never going to be an investigation, or they're never going to do anything wrong that's going to merit or warrant a quick, closer review by a government agency. But that's a false sense of security. Keeping your head in the sand is just not the right approach. Being proactive and taking the steps you need to do to make sure that you're compliant is crucial because it is your livelihood. Why would you put it at risk and potentially face the kinds of sanctions out there for failing to do so or falsely or fraudulently saying that you've done something? It just makes no sense to me. Now, that's the opinion of a fellow who does independent monitoring. The company calculated it. It was your company. You would want to take those steps to make sure that you're compliant with the government agency's requirements because you don't know when the next contract will be awarded. And then maybe the agencies are looking at that award, it may be drilling down, and they may be looking for that certification. And you can get yourself in all sorts of trouble by falsely certifying or not having that information now. I wouldn't take the chance. I think it's a risk. The best companies look at where they are at the greatest risk, which could be one of them. I get the independence of cut, and in an abundance of caution. I would do what you need to do to get that certification and make sure that it's valid and up to date.

Craig Petronella:

Agreed. For years, I've been working in health care and HIPAA regulation, and I know that many folks I would talk to would have a false sense of alignment with HIPAA compliance. And they used to say they're compliant. And I would ask them a few questions about their policies, procedures, and security controls. And found in five minutes or less that they were not compliant or not as compliant as they thought they were. And they weren't doing all the actions that they're supposed to be doing. And most would complain that it costs too much money, or they weren't aware of it. But I know the Office of Civil Rights was ramping up on it. I think, ultimately, as bumpy a road as the CMMC is, it's a good thing. It's a good thing for our country and for a business that's dealing with sensitive information. It's already been proven that our adversaries have stolen much intellectual property and cloned warfare jets and all sorts of military assets to be used potentially against us in the future or somewhere, one of our allies, perhaps. It's the duty of us as Americans to do these things. But, quite frankly, a lot of folks would just not listen and just think that they wouldn't get caught or they thought it was too expensive. They didn't have a budget for it, or when they found out how much work it was or is to do the risk assessments, think, to write all the policies and procedures, they don't want to do it. I like the CMMC from the fact that you can't fake it anymore. If you're going to play ball, you want to get good contract awards and grow your business. Do it the right way, secure your sensitive information. Those that don't do it are going to fall off the chain. They're not going to be able to bid on contracts.

Vincent DiCianni:

Exactly. Let me address that in two ways. One is people should not have the false security that the government agencies are not investigating during COVID. I think there was a slowdown, probably in March through June, as the government agencies would try to figure out working from home and how difficult it is to do a real investigation without seeing people and talking to them and looking at them. That has now changed, and investigations are going to ramp up and have been ramping up. And we know that because things like the PPP loans are now being investigated and prosecuted, people may have had this false sense. Let me apply, get some money, and nobody's ever going to look at the wall. Those things are now being scrutinized.

Craig Petronella:

Yeah, it's funny that you bring that up, too. So many people were telling me to get the PPP loan. I don't need the PPP loan. If I needed it, I would go after it. But I'm not going to get it just because. You're telling me to get it because it could be forgivable. That's wrong.

Vincent DiCianni:

Exactly. Many people took that money and didn't apply it to payroll, or rent, or that kind of thing. But instead, we're buying the world's voices and doing all those things with that money. And now there, it's all coming home to roost. And that is being investigated. Again, the first point was that the investigations are going on. The second thing is the thing about price. People don't want to do it because of the price and the cost. That's the way I look at that. Do you remember that commercial? Pay me now or pay me later.

Craig Petronella:

Yeah, I think so.

Vincent DiCianni:

It's an old commercial, and I'm an older guy, but it was the kind of thing where. You could do this now, and it's only going to cost you this much the price or the cost of not doing it. Think about that, what that's going to be because exponentially, the dollars will go ridiculous. So if the government agency comes after you, and you didn't put that program in for, let's call it $10,000, you get caught. And now there's an investigation, and now you're going to be prosecuted. And now you have attorney fees that you're going to have to incur. You have the reputational damage that's going to be out there because it will get publicity, and people will read about it. You have the damage to your business financially. You might not get contracts because you're being investigated. And then there's the resolution cost, which will be a fine penalty, administrative costs, and perhaps a monitor. So think about that cost.

Craig Petronella:

Claims fines are nasty, aren't they? I mean, I was reading in training, they're like three times the contract. So if you are awarded 10 million in a contract award, and you've been proven guilty of false claims fraud, you would have to pay back 30,000,000, three times the contract award, plus the infraction fees of over 15,000.

Vincent DiCianni:

Absolutely, and that's true in most different areas. We do a lot of Medicaid and Medicare fraud work. We have a monitor in Medicaid and Medicare fraud cases. They look at the particular number of claims. And if there are many overcharges, they will extrapolate that compared to your client, your patient base, and the numbers go up really high with penalties and fines. That's what I'm saying about the cost of putting in a program proactively, while it makes things, the benefits you're going to get. Number one is you're going to win. You're going to stay in business and win contracts. But the cost that if you didn't do it, it could be astronomical. Craig, I know you do it and put in a program like yours on all of the cyber and data security pieces. And do it in a much broader way in terms of compliance programs and ethics and third-party due diligence, etc. Those kinds of programs are an asset to a company. So if you go to sell the company with M&A nowadays, they're looking at whether or not you have a program, whether or not you have an ESG program, whether or not you're doing things in the right way. That's an asset for the company when you can check those boxes and show your potential acquirer or the merger company, we've got these things, and we're on top of it. So I look at it as an asset.

Craig Petronella:

I agree, and I also look at it as a competitive edge. So even if you're not in a contract or have received a contract award now, it's an opportunity for you to pursue. And it opens new doors and opportunities for you. It keeps you more organized. It's going to give you more structure and make you as close to unhackable as possible. It's going to move you up in that direction. I feel like that organization, that structure is going to help you grow and sustain growth faster. You're going to increase your profits and your revenues. I think it's an investment to do it now instead of waiting or rolling the dice to see if you get caught.

Vincent DiCianni:

Yeah, I agree with you. Let me give you a little story. We do a lot of work with government contractors. They potentially face suspension and debarment. And sometimes, the violations are not on top of all of their contracts. They don't have a good contract administration process. So they win a contract, they give it to somebody, and then they go after the next four contracts without really thinking about execution and schedule and performance. And what we have seen, in some instances, and we work with one tiny little company out of San Diego, they got in trouble with the name, but they had the very best contract administration process that you possibly could imagine. It was just amazing. And it was a simple process. It went to these two women responsible for the performance. Who on the company was going to be responsible for contract performance? What was going to be on the team? Who were the third-parties? Did they vet the third parties? You know, were they on a suspension and debarment? List? What is the pricing look like? What's the schedule, performance is going out from day one through the end of the project's execution? It was such an amazing thing. And yet, I go into companies that have lots of contracts; they have no contract performance system at all. And you would think it sounds very complex, right? Or the contract administration process. They just had this wonderful process. It was like a two-pager that worked. So these are not complicated fixes. Once you understand what you're doing, and you put the process in place.

Craig Petronella:

Great. You talked about COVID a little bit earlier. How has COVID affected your business with the monitor aspect of things? Quarantining cases are going up. How's that affected the monitoring aspect for you?

Vincent DiCianni:

We had to make some adjustments. It is typical. As the monitor, you sometimes have to visit sites, and sometimes it's a physical inspection that you have to do, or you want to talk to people face to face. We've been restricted in that. We've got a couple of things. We're doing one for the Navy now. And we needed to go to the plant, yet, when we were planning to go to the plant, they had an outbreak of COVID. So we couldn't go. We've had to postpone physical inspections. On the other hand, a lot of the work we do is talking to people. Now, video conferencing has been more than satisfactory in allowing us to talk to people, and then that's been working. So for us, the business of monitoring continues. We continue to do much work across industries that we monitor, healthcare and manufacturing and consulting services and construction, and financial services. That continues, but we've had to adjust on the fly in terms of how we do our monitoring. Nevertheless, it goes on. So it's been impacted to some extent, but the oversight continues. And with this wonderful news of a vaccine on the very near horizon, I think we will return to some normalcy in the relatively near future. That means you and I being on planes again, but that's so bad, right?

Craig Petronella:

Right. I think that there's probably going to be some permanent changes. I think companies have learned to adapt. The remote tools are pretty mature and useful. It's not the same as a face-to-face meeting, but it's pretty close. And it certainly saves on travel, and I think people are reevaluating their leasing options now and how many people they need to have if they need to have a lease. It's very interesting times that we're in at the moment.

Vincent DiCianni:

Yeah, I think you're right. Think about, you know, all of the companies that have been impacted by this. And suppose everyone, all sizes companies, small, midsize, large companies, everybody's been impacted. In that case, I've seen the thing, and it's probably one of the biggest factors related to compliance and ethics related to communication because before everybody would be in an office, even in remote locations, they would be in offices. Now everybody is working from home. And I think that companies have suffered from that communication gap. That just exists because you're not talking to people face to face. People aren't together there. There's, I think, an over-reliance, number one on email, which is not the best way to communicate ethics and compliance issues and messaging, but also just that lack of personal touch. And I think that particularly compliance offices are struggling to keep that communication lines open and strong. That's a big impact. And I don't know if you've seen it in your real world, but I certainly.

Craig Petronella:

Yeah. Do you think that there's been a dampening effect on the government's ask, basically, for monitoring type services in 2020? Because of COVID? Or do you think that it's been about the same? Or what do you think about that?

Vincent DiCianni:

So I think it depends on the agency. One thing that has been very clear to folks who work in the white-collar space with the Department of Justice is a reduction in the use of monitors in large cases like Goldman Sachs. They resolve this ridiculous case in a large time, but they didn't have to have a monitor, which is very curious. But that has been the movement with the current Department of Justice with a new administration. I think that's going to go back to the use of monitors. On the other hand, other government agencies continue to use monitors with regularity or are increasing the use of monitors, the monitoring piece. From my perspective, it's sort of civil probation. It's an outsource to a private entity for oversight and reports back to the government. So it enhances our government agencies, resources, and ability to stay on top of a pretty bad case.

Craig Petronella:

For almost a year, you've been providing third-party evidence too.

Vincent DiCianni:

Absolutely, but to have a company monitor itself... I think you get what you pay for.

Craig Petronella:

I wouldn't even think of being ethical, don't be able to monitor yourself.

Vincent DiCianni:

Well, that's what happens. That's why you don't have a monitor. You got to report to us that you're doing well. What do you think the answer is going to be when those reports go in? We are doing well. The company that's not monitoring has an interest in making sure that it's doing well.

Craig Petronella:

It's just like the self-attestation process. I remember working with a client in the HIPAA world about a year ago. And one of the questions was about your last risk. What was your last third-party risk assessment? They had done a self-assessment. And they thought they did a good job with their self-assessment when it was woefully inadequate. So incomplete. It's the same methodology there. I don't think those self-assessments are good. It's kind of like watching a YouTube video and doing surgery on your knee. Let's face it. You want to hire a professional who knows what they're doing, that knows the compliance side of things and the cybersecurity side of things on the security control sides. And then the mapping and intertwining of the two together to make sure that you're getting and reducing your liability, getting alignment, and reducing your liabilities and risks.

Vincent DiCianni:

I couldn't agree with you more. The knee is a good example. Can you assess yourself? How good are you at assessing yourself? Don't think you give yourself an objective response. We do a lot of work in assessing a company's compliance program, how real it is, how strong it is, are there gaps? But then how effective is it in the field? So if you were to think about a company doing it, who's going to do it? Is it going to be the internal audit committee that doesn't know anything about compliance going to audit compliance? Is it going to be the compliance officer auditing himself and assessing himself? Many companies bring us in as an independent third party with lots of experience for looking at companies, programs, and cultures. You get a real valid assessment of the company and the effectiveness of the program. It makes so much sense.

Craig Petronella:

And it's worth its weight in gold. It just doesn't make sense to try to do that on your own. You have to have a professional do it to find the issues and just move the needle forward. Look at what happened with the DoD Interim Rule recently. A few days ago, they released some self-assessment tools, and there are some websites out there that will help you. But most people couldn't even get past page two because they were saying, Okay, what is your control 3.1.1? Are you compliant with that or not? Katie Arrington, the CISO from the DoD, had done a webinar a few weeks ago. She said that all of you are supposed to be attesting to NIST 800-171 for over five years now. So this shouldn't be a big deal. But here's the reality. The reality is most of the people were doing nothing during those five years. Now it's the scramble effect of, Oh, my gosh, what do I need to do, I don't have all those policies, I don't have security controls, I have some stuff. And then they try to cobble things together. And then they try to use these tools on the Internet that are freely available to try to self-assess themselves. And they don't even know how to go through it. Because it's complex, it's hard. It's technical. And you need an expert to guide you through it.

Vincent DiCianni:

I talked to an attorney in Massachusetts. And he has told the story of assessing a company's compliance program because the company was being investigated and rolled in their compliance program, trying to demonstrate that they're really good. They got a good program. And as he was reading the program, this compliance manual, he sees that they didn't change the company's name, whose compliance program it was. In other words, the company took the program off the Internet and changed the name in some places. They put their name on it, but they didn't put their name. And it was like you're trying to not only get in trouble for the acts that got you here but now you're trying to say to me that you have a strong compliance program. I think that's what happened. I know, these are silly stories, but they're true stories. Does that lead to that whole issue of do companies take compliance and get in your world? Or in my world? Do they take it seriously enough? I'm sorry to say that there's a lot of companies out there that don't even bother.

Craig Petronella:

I would say most of them don't bother. I would say it's pretty rare that I speak to somebody that does have their stuff together. And I and that's why I welcome the CMMC because I feel like that's going to be a game-changer for other regs. In our country. I feel like it's going to overtake HIPAA one day, and for a good reason. Because with HIPAA compliance, you can still do the self-attestation process. You're supposed to be doing the risk assessments every year. You're supposed to have an evidence trail. But most of the chiropractors and physical therapists and the smaller medical practices, sometimes even the larger, are not doing all the stuff they're supposed to be doing.

Vincent DiCianni:

Right. Exactly, they're not. And that's a scary thought.

Craig Petronella:

Look at what's happening. Look at what's happening on the headlines with ransomware. And how ransomware is shutting hospitals down all through the world. Had these hospitals had a good cybersecurity and compliance program that they were pen-testing regularly at least every year? They were doing the risk assessments, and they would have the supporting evidence. They'd be doing drills on this, and they wouldn't be low hanging fruit.

Vincent DiCianni:

It's true. In the Office of the Inspector General for Health and Human Services, in its corporate integrity agreements, builds in now, a requirement that the company institute a strong ethics and compliance program and controls, they just build it in. You would think that these kinds of institutions, laboratories, and medical centers, and large group practices would have such programs in place. But they don't. Now they're a compulsion. And then the other guidance has come out of the Department of Justice, and they keep updating it. But there are strong requirements to have a strong ethics and compliance program in place, and you get better if you're ever charged with some crime, and you go to resolve it. You get a better disposition if your program is strong.

Craig Petronella:

That's right. I think that kind of like how insurance companies sometimes reward their employees for working out and exercising. If they show supporting evidence of that, they might get a discount. So I feel like this should be going into cyber insurance, too. It should be. You should not get cybersecurity insurance if you didn't furnish supporting evidence of your third-party risk assessment, pen-testing, and all of your policies and procedures. If you can't furnish that, you shouldn't qualify.

Vincent DiCianni:

Right.

Craig Petronella:

One attorney told me of a small practice. He said, Oh, I'm not going to do all that compliance stuff you're telling me. He's like, I'll just fold up and just go under a new name. That's so unethical.

Vincent DiCianni:

Yeah, I know. I have talked to attorneys as well, Craig. Interesting that you say that. Sometimes companies are facing problems. And they are going before an agency, and they have the option of trying to resolve the case. And it might include up having a monitor. They will fight it to the desk and say, Look, I will pay the fine. And it's the cost of doing business. They pay a fine of $400,000 to resolve the matter, but they made 2 million. And they just say, Look, it's just the cost, and I'll bite him. I'll add in the attorneys' fees, and we made $1.6 million. Would I want to do business with them as a government agency? I think not, but it's just as people are.

Craig Petronella:

And that brings up a valid point that you brought up earlier around assessing who you do business with and assessing your vendors. You should have a process around that. You should have VSQs, vendor security questionnaires, that you give a vendor you're going to do business with as part of your due diligence and risk profile process. Make sure that they're going to handle it properly if they're going to come in contact with sensitive information, whether it's PII or PHI, or CUI in the CMMC world. You want to make sure that they're going to keep your stuff secure too, and they have the proof of it.

Vincent DiCianni:

And we have companies that have gotten in trouble, not for anything that they have done, but for a joint venture partner or subcontractor who has done something inappropriate, but they're working under this master contract. I agree with you 100%. And we do so much of it. We're not limited to the cybersecurity piece, the data protection piece; we're doing it just generally for contractors that you're bringing on board. Companies sometimes don't have any system for knowing who their subs are. They don't know that the company has been disbarred or the owner has 516 bankruptcies, or has been criminally convicted of fraud. They don't know that because they never looked to do any kind of due diligence.

Craig Petronella:

Wow.

Vincent DiCianni:

Yeah, one of our first cases as the monitor, back in 2005, was a money laundering case involving a precious metals refiner. They got in trouble and not for anything they did other than they didn't know who their customers were. They're buying gold and other precious metals for refining purposes, and then whatever they're going to do with it, from entities that were like a phone booth in Peru or Brazil or some other places on Earth. They were buying their gold. So they didn't know what the source of the gold was; they didn't know if people's fingers had been chopped off and they got the ring off the finger. And they were wiring tens of thousands of dollars to these, I'm going to call them phone booths. They didn't know who their customers were. And they got in trouble for money laundering, and they had to put in a strong anti-money laundering process. They had to develop it, and we worked with them and tested them for many years. They asked the third-party due diligence what they know about the customer. Who's selling them or shipping them precious metals? Just remarkable stories.

Craig Petronella:

Oh, yeah, that makes sense. Have you seen the story recently around Bitcoin and people that get ransomware, where the hackers want Bitcoin payments? And if the hacker or terrorist group is on the sanctions list, you can get in trouble for money laundering if you pay the ransom.

Vincent DiCianni:

Imagine that. Isn't that crazy?

Craig Petronella:

I know there are government agencies, local governments, that got ransomware and paid the ransom. So it's ironic there. But this has been fantastic. Lots of great information. The bottom line here is to be proactive.

Vincent DiCianni:

It is, and bite the bullet; it's an investment that you're making in yourself.

Craig Petronella:

It's probably the best investment you'll ever make in your own company because it paves the way for new revenues and more profit.

Vincent DiCianni:

Exactly. And then the other things that resound here. Human beings need some guidance. They need some direction. If they're your employees, and the company's leadership doesn't give a damn about compliance, should they? Or will they? You know, I think it says a lot.

Craig Petronella:

I believe strongly that CMMC ultimately is a good thing. That's why I welcome the day that third-party audits are a good thing. People can't fake it anymore. I think it's going to be a really big tipping point for other industries to follow suit like HIPAA. I think medi

Vincent DiCianni:

I think you're right. Again, I think that all practices should not be able to practice and continue to practice without getting that stamp of approval from the audit process. And they should be renewing it. I think overall claims are going to go down for cyber insurance claims. And it's just going to be a more secure country for ourselves. So our adversaries aren't stealing all of our intellectual property. Anything that helps is a good thing. I don't see it as negative; some people will. But I see it only as a positive. And then, as you said, there are so many sorts of downstream positives. It all works to the benefit of society. So it's all good stuff. Craig, this has been great.

Craig Petronella:

Absolutely. Thank you so much. Yeah, thank you for joining and sharing such great information. I appreciate it. Tell our listeners one more time how they can reach you, how they can contact you.

Vincent DiCianni:

Sure. My name is Vin DiCianni. The company is Affiliated Monitors; online, we're at www.affiliatedmonitors.com. And you can always reach me there and also on LinkedIn. So lots of ways of finding us. You can just look up the words "independent monitor," and we show up.

Craig Petronella:

Awesome. Thank you so much. I appreciate it. Have a great rest of your day.

Vincent DiCianni:

Thanks again.

Craig Petronella:

Absolutely. Take care.

Vincent DiCianni:

Okay, bye.

Announcer:

Thanks for listening to yet another episode of cybersecurity and compliance with Craig Petronella. Listen to all of our podcasts on Apple, Google, and Spotify. Visit us online at Petronellatech.com to book a meeting with Craig about your business.