Quick Q&A: MSP Regulations

Louisiana’s first-of-its-kind regulation of Managed Service Providers (MSPs) is a reality check for what could be coming in the future. It’s important that MSPs stay informed on state and federal calls for legislative action to understand what’s at stake for your business. In a recent virtual event hosted by Ben Nowacky, SVP of Product at Axcient, we discussed the implications of MSP regulations. Here’s what MSPs wanted to know…

Do you think MSP regulations will be specific to industry compliance requirements – such as HIPAA for healthcare?

Of course, we don’t know what a national standard will look like for MSPs, but I think the Cybersecurity Maturity Model Certification (CMMC) provides insight. A variation of CMMC – with its levels of maturity, certified business audits, and accredited auditors – will also likely include NIH requirements with HIPAA and SEC requirements with FedRAMP. I imagine a united framework where you pick your poison. If you need to be HIPAA compliant, you fall under the national healthcare regulation, and so on for finance, government, etc.

Are national regulations designed to put MSPs out of business?

I don’t think that’s the intended outcome, but it is a consequence. Required costs for CMMC could range from $90-$200k with consulting, hard costs, and audit fees, plus yearly recurring percentages. That’s pretty substantial, and it’s going to make it financially challenging for many MSPs to do business. While some CMMC costs are said to be reimbursable, details haven’t been provided.

We don’t want Big Brother stepping in to regulate the channel because it’s a huge business blocker. Beyond just the costs, government intervention stops people from entering and exiting the market. The main driver for channel oversight is the cost of data loss on federal, state, and local agencies. As an industry, MSPs and vendors need to self-adopt higher standards for security and compliance and prove our ability to self-regulate, secure client data, and provide comprehensive protections.

It’s time to force yourself and your clients into the security solutions necessary to stop cyber incidents. Find a balance between mandating tools like backup and disaster recovery (BDR), business continuity software, and ransomware protection, and supporting client cost concerns. With responsibility for cyber-attacks now falling on the MSP, rather than the business attacked, it’s in your best interest to ensure clients can recover from anything. Adopt the CompTIA Trustmarks to show your commitment to security, and emphasize the value of your security-first approach when talking to clients. Clients who refuse the protections you know they need are putting your business in jeopardy.

How does BDR play into a layered security approach? Is it all you need, or part of the infrastructure?

The latter. BDR doesn’t solve all your problems, but it’s critical to data protection. You still need strong firewalls, endpoint security, and a robust cybersecurity playbook that is regularly practiced and updated. These tools and technologies evolve to fit both the marketplace and the risks businesses are facing. MSPs need to follow a parallel evolution and relay those changes to clients. Education is an essential layer of protection that can also emphasize the need for data BDR, and explain your choice to mandate certain solutions. After all, human error remains the number one cause of data loss.

Launch a mock phishing attack on clients, and hold a post-mortem to review their response. Had the attack been real, how would their reaction have impacted the business? Do they have solutions in place to recover data after an attack or accidental deletion? Also, how does your client’s ability to recover impact your MSP?

The saying ‘any client is a good client’ is no longer true. You have to qualify clients based on their willingness and ability to protect data with the solutions you recommend. Resistance to data protection puts your MSP at risk. With regulations on the horizon, you take the blame when a client’s data gets hacked. Is the client worth risking your reputation and business growth?

What now?

Stay up-to-date on federal and local calls for more cybersecurity accountability and MSP regulations. Reevaluate what you require of clients and play the tape forward. Understand the implications for clients, and your MSP. Explore compliance regulations that highlight your commitment to a security-first business approach. For instance, SOC2 compliance can drive competitive advantage, and the certification process forces you to increase security and disaster readiness.

Check out these resources for more information and follow Axcient on LinkedIn for the latest industry news and MSP-specific strategies.

Liz Mellem

About the Author:
Liz Mellem // Technical Copywriter, Axcient

Liz Mellem has been a freelance copywriter for over three years in the technology, education, and alternative medicine industries. She produces content, sales collateral, and email marketing campaigns that contribute to digital marketing strategies for sales growth and brand awareness. In her free time, Liz enjoys reading, exploring Austin, and Netflix with her cat, Harlem.