What Louisiana’s First MSP Regulation Could Mean for the Channel
Much as in healthcare and financial services, government entities are taking their first steps toward regulating the IT channel. A spike in costly ransomware and phishing incidents has put the consequences of insufficient security, and the Managed Service Providers (MSPs) responsible for it, under scrutiny. The first state-level MSP law and the federal rollout of the Cybersecurity Maturity Model Certification (CMMC) offer a glimpse of what future IT channel and MSP regulation could look like.
State MSP Regulation Becomes a Reality
Debate over the need for MSP legislation and regulation has been raging for years. Now that one state has made the first move, it would be short-sighted to assume it will be the last. In June 2020, Louisiana enacted the first law regulating MSPs and Managed Security Service Providers (MSSPs) that provide IT infrastructure or services to public bodies. Effective February 1, 2021, Louisiana Act 117 (Senate Bill 273) requires the following from channel providers:
- Registration with the Secretary of State
- Reporting of cyber incidents and ransomware payments
- Public access to information including but not limited to a record of cyber incidents
An MSP must be registered and in "good standing" to do business with a public body; if it does not meet these requirements, its contract with the public body is null and void. Registration is effective for two years unless it is denied or revoked. Cyber incidents must be reported to the designated state entities within 24 hours of discovery, and ransomware payments must be reported within ten calendar days.
Overall, the law aims to reduce the frequency and impact of cyber attacks on public entities by giving public bodies more information about the MSPs they hire. In turn, MSPs are being pushed to elevate their security services and business continuity offerings, or lose business to a better-informed customer. After a string of ransomware and other cyber attacks on Louisiana school districts, Office of Motor Vehicles locations, and the city of New Orleans, where the December 2019 attack affected roughly 4,000 government computers, forced the city to take its systems offline under a state of emergency, and cost an estimated $7 million, it is no surprise that SB 273 passed. Similar legislation is being discussed across the country as these targeted attacks threaten a growing number of industries, companies, and consumers.
Implementation Could Impact MSP Operations
While it is too soon to judge the efficiency, effectiveness, cost, and application of SB 273, the Cybersecurity Maturity Model Certification (CMMC) provides a glimpse of what a national standard for the IT industry could look like. CMMC grew out of existing federal requirements for non-federal information systems and organizations that handle Controlled Unclassified Information (CUI), principally NIST SP 800-171. Its multi-level structure requires businesses to climb five cumulative levels of practices spread across 17 domains, 14 of which correspond to the control families of NIST SP 800-171. The certification draws on several other regimes, including DFARS (Defense Federal Acquisition Regulation Supplement), ITAR (International Traffic in Arms Regulations), and FedRAMP (Federal Risk and Authorization Management Program), and adds further cybersecurity practices and process-maturity assessments. This complicated design requires an assessment by an accredited independent third party, all in an attempt to consolidate several compliance requirements for contracts with government entities and municipalities.
After years of development, CMMC still leaves much of the actual implementation undefined. It is expected to roll out over the next six years, and businesses are confused by the uncertainty. Certification costs, estimated at $90,000 to $200,000 including consulting, hard costs, and audit fees, plus recurring annual costs, could make it financially challenging for many to do business with the Department of Defense. Some costs are said to be reimbursable, but details have not been provided. CMMC training for businesses has not been developed, and the procedures for third-party assessment organizations and individual assessors are still unknown.
With the managed services market expected to grow 11.27% per year through 2026, MSPs and MSSPs should assume more regulation is coming. Whether at the state or national level, MSPs face rising cyber insurance premiums and tighter requirements for coverage, more compliance overhead, higher security standards, and greater accountability. Meanwhile, remote work, a trend expected to outlast the pandemic, compounds the cybersecurity challenges and makes an MSP's job harder.
Success in Preparation
The way to succeed in the face of change is through preparation. Self-regulation, continuing education, a required set of core security services, and a cybersecurity playbook can help protect your MSP, your clients, and the industry as a whole. MSPs and MSSPs cannot prevent cybercriminals from attacking, but they can limit data loss and downtime with secure business continuity and disaster recovery (BCDR) solutions.
Discover how a layered security approach can help you plan ahead for incoming regulations while protecting clients and growing your MSP. For a limited time, Ben Nowacky, Senior Vice President of Product at Axcient, is hosting an informative lunch event on the topic for qualified service providers.
The Future of MSP Regulation: Understand What’s at Stake for Your Business
Plan ahead for higher operating costs and compliance overhead, gain expert security insight to overcome remote work challenges, and explore the impact of public breaches on regulation – including the SolarWinds attack.
Reserve your spot today!
About the Author:
Liz Mellem // Technical Copywriter, Axcient
Liz Mellem has been a freelance copywriter for over three years in the technology, education, and alternative medicine industries. She produces content, sales collateral, and email marketing campaigns that contribute to digital marketing strategies for sales growth and brand awareness. In her free time, Liz enjoys reading, exploring Austin, and Netflix with her cat, Harlem.