What MSPs Need to Know About New Industry Regulations
Louisiana’s first-ever legislation regulating Managed Service Providers (MSPs) went into effect February 1, 2021. While Louisiana is currently the only state with such regulations in place, many states and the federal government are considering similar action. With the costly consequences of rising ransomware and phishing attacks, it’s only a matter of time until legislation expands. Get a glimpse of what could be coming your way based on Louisiana’s new laws, and the federal government’s handling of Cybersecurity Maturity Model Certification.
Louisiana Act 117 – Senate Bill 273
In June 2019, Louisiana approved the first state law governing MSPs and MSSPs (Managed Security Service Providers). Louisiana Act 117 – Senate Bill 273 applies to channel vendors providing IT infrastructure or services to public bodies. The new requirements for doing business with those bodies include the following:
- Registration with the Secretary of State
- Reporting of cyber incidents and ransomware payments
- Public access to information including but not limited to a record of cyber incidents
As determined by the Secretary of State, all Managed Service Providers must be registered and in ‘good standing’ in order to partner with a public body. Contracts between a provider and a public body are null and void if the MSP fails to meet these requirements. Registration is effective for two years unless it is denied or revoked by the state. All cyber incidents, which include any compromise of security or confidentiality that results in unauthorized access to the public body’s information, must be reported to the designated state entities within 24 hours of discovery. Ransomware payments must be reported within ten calendar days.
Regulatory Cause and Effect
The channel has long debated regulating MSPs, and while a consensus may never be reached, there is a reason the state of Louisiana stepped in. In recent years, multiple Louisiana school districts, DMV offices, and the city of New Orleans have been victims of ransomware and other cyber-attacks. Six months after a ransomware attack on 4,000 government computers forced New Orleans to shut down city systems, the city had spent $4.2 million on recovery and was still only 80% recovered.
These targeted, sophisticated, and complex attacks have wide-reaching consequences beyond the enormous cost to recover. Citizens’ private personal information is often repackaged and sold on the dark web, even after a ransom has been paid. Louisiana’s bill is meant to reduce the frequency of cyber-attacks on public entities by giving public bodies more information on an MSP’s past performance. As a result, MSPs have to report any security breaches, and those reports are now public record. An informed customer will affect an MSP’s bottom line and increase competition within the channel.
CMMC Roll Out: Slow, Confusing, and Complicated
To get an idea of what IT standards might look like at the federal level, look at Cybersecurity Maturity Model Certification (CMMC). This multi-level framework is a federal requirement for non-federal information systems and organizations handling Controlled Unclassified Information (CUI). Not unlike Louisiana’s bill, CMMC attempts to standardize several compliance pieces for contracts with government bodies. Businesses must climb five cumulative levels across 17 cybersecurity domains, built on the 14 control families of NIST SP 800-171. Additionally, CMMC encompasses other federal compliance regulations, as well as cybersecurity practices and maturity process assessments. The complex design requires accredited independent audits at each level.
Despite years already invested in development, much of CMMC implementation is still unclear. Businesses are confused by the chaos, and with a six-year roll out, frustration is growing. Certification costs, estimated from $90 to $200k including consulting, hard costs, audit fees, and recurring percentages, will challenge many businesses financially. Some costs are said to be reimbursable, but details aren’t available. CMMC training for businesses hasn’t been developed, and procedures for third-party assessment organizations and individual assessors are still unknown.
Step Up Now to be in ‘Good Standing’ Later
Increasing cyber insurance rates and tighter requirements for coverage, compliance overhead, higher security standards, and a focus on accountability are all byproducts of legislation. At the same time, remote work is expanding, further exacerbating the challenges of cybersecurity and increasing the need for reliable recovery solutions that can span data and applications, across production servers and workstations.
When a breach occurs, legislation shifts blame away from the business attacked and toward the MSP responsible for its protection. MSPs are only as secure as the business continuity and disaster recovery (BCDR) solutions they provide. It’s critical to partner with a comprehensive vendor that promotes operational efficiency, speed, and accountability, and has a vested interest in your success.
The unified Axcient x360 platform keeps business running with a single pane of glass for BCDR, Cloud to Cloud Backup, and Secure Sync & Share. Axcient Direct-to-Cloud hardware-free BDR and Bring Your Own Data Center (BYODC) give MSPs the choice and flexibility necessary to protect any environment with just one vendor. Schedule a Demo or Start a 14-day Trial to see how Axcient is preparing MSPs for regulation.