The MSP industry could face stricter government regulations over the coming year as attacks on vulnerable managed service providers (MSPs) continue to rise. There is a belief that either government agencies or insurance providers (possibly both) will begin placing regulations on the MSP industry to protect against the increase in cyberattacks.
Over the last year, one-quarter of MSPs have suffered a security breach that was ransomware-related. However, nearly three-quarters of MSPs had at least one client that experienced a security incident, with over 50 percent of the MSP clients experiencing a ransomware-related incident. Whether the government agencies or insurance carriers are the driving force, new regulations and compliance minimums are already underway in several states.
MSP Regulations Conversations Have Turned Into a Reality
Conversations over the need for MSP legislation and regulation have been ongoing for many years. Once one state made a move, it would be short-sighted to think no other state would follow. In June 2019, the state of Louisiana approved the first legislation regulating MSPs and MSSPs that supply IT functions to public bodies. Effective since February 1, 2021, Louisiana Act 117 — Senate Bill 273 requires channel providers to meet the following requirements:
- Register with the Secretary of State
- Report any ransomware payments and other cyberattacks
- Offer public access to information, such as cyber incidents records
MSPs have to be registered and have to be in ‘good standing’ to do business with a public body. If an MSP fails to meet the above requirements, the agreement between the MSP and the public body will be nullified. If registration is not denied or revoked, it will remain in effect for two years. Cyber incidents have to be reported within 24 hours of the initial discovery. Ransomware payments must be reported within ten days.
The Impact on MSP Operations
With the managed services market expected to grow significantly from now until 2026, MSPs and MSSPs should move forward with the mindset that more government regulations are underway. Whether at the state level or the national level, MSPs should expect to see an increase in cyber insurance rates, along with the following:
- Stricter coverage requirements
- Higher security standards
- Compliance overhead
MSPs and MSSPs will continue to be some of the main targets of cybercriminals, because infiltrating a single MSP or MSSP can open the door to hundreds or thousands of downstream targets at once. It is important for those in the MSP industry to educate themselves and others about cybersecurity risks, to implement best practices that can prevent or mitigate attacks, and to keep up with the latest government regulations.
Thoughts and Opinions
In a recent online discussion, users voiced their thoughts about the government regulating the IT industry. One user said:
“I’m not convinced that this is a good idea. In fact, I’m pretty certain this is a bad idea. We (the smaller MSPs) are going to get screwed, and nothing will meaningfully change in the industry.”
Another user said:
“Imagine, if you will, an industry hamstrung by laws and procedures that they must follow for each and every organization regardless of whether that’s a 5 user office or a 100 user SMB. Imagine the FCC and net neutrality. Imagine Sarbanes-Oxley. Imagine the people that think that they can regulate against email spam, spam phone calls, and ransomware. Imagine the people that are still struggling to lay down a budget plan for repairing and modernizing infrastructure. It’s been 12 years and there isn’t yet a budget plan, let alone a project plan or actual work.”
One user in the online discussion believes most of this will come down to insurance companies. The user stated:
“I think this is going to come down to insurance companies requiring a certain level of compliance from both the client and the IT Services company. Followed by user education as to WHY they want to do business with a compliant IT Services company. Can’t meet compliance? You’re not getting insurance. And if you’re not getting insurance, you’re running a high-risk business where many WILL NOT do business with you. Compliance is not a game-ending expense. A nuisance for sure, but a much-needed one to sort out the fly-by-nights from the people that take IT and security seriously.”
Another user in the online discussion believes government regulations could be harmful if there are no mandatory IT standards. The user stated:
“Regulations for MSPs are ‘completely stupid and counter-productive’ in the absence of mandatory IT standards. You can’t force MSPs to be licensed and implement something that the clients are not obligated to comply with technology standards. Why would MSPs be held to different requirements than in-house IT departments? How would you force a client to back up something or enforce MFA if they refuse to pay for it and are not obligated to under any regulations?”
Have A Say in Government Regulations
As with any new change, there will be positives and negatives, but it is evident that many MSPs are concerned about the potential for government regulations in their states. For those who are concerned, there are actions that can be taken right away. MSPs and MSSPs can join industry organizations that are aimed at addressing regulatory changes.
These groups have been put in place to allow MSPs to speak up. The MSP industry wants to come together so that its voice, and the voices of its customers, can be heard. MSP customers play a major role in cybersecurity: human users still need the best strategies and techniques that will allow them to do their jobs safely and securely.
Now is a good time to start taking action. Managed Service Providers and Managed Security Service Providers are going to feel this pain — some are already feeling it. However, if there is going to be a solution, it will have to be solved by people, not applications. The answer will come in the form of a collective community.