Push Is On To Register MSPs, But How To Do So Still A Question
‘With regulations and approvals comes a higher minimum bar, but it also creates a higher operating cost to MSPs to conduct business. Not only will what services you provide start to be controlled, but necessary business things like cyber insurance premiums and other insurance offerings will start to increase as well,’ says Ben Nowacky, Axcient’s senior vice president of product.
A move by states, and potentially by the federal government, to regulate managed service providers in the wake of cyberattacks via the MSP community might sound like a welcome way to clean up the business, but the potential costs of such regulations could be devastating to smaller MSPs who are already dealing with tight margins.
That’s the word from Ben Nowacky, senior vice president of product at data protection technology developer Axcient, who told an audience of MSPs Thursday during the XChange+ March 2021 virtual conference that one state, Louisiana, has already passed a law requiring MSPs to register, and that the law went into effect on Feb. 1.
The XChange series of conferences are run by CRN parent The Channel Company.
[Related: The 2021 Managed Service Provider 500]
“MSPs [in Louisiana] must be publicly registered with the state and establish minimum requirements for doing business,” Nowacky said. “This includes methods, offerings, and calls for reporting of cyber incidents to the state for monitoring and public disclosure.”
Louisiana said it enacted the regulation in the wake of high-profile cyberattacks and out of a desire to prevent future attacks in the state, and similar regulations could follow, either state by state or at the federal level, Nowacky said.
“Many of you might think, ‘Hey, this is a good thing. We need a minimum bar so anyone who knows how to reboot a computer can’t simply call themselves an MSP,’” he said. “But think for a moment what that actually means. With regulations and approvals comes a higher minimum bar, but it also creates a higher operating cost to MSPs to conduct business. Not only will what services you provide start to be controlled, but necessary business things like cyber insurance premiums and other insurance offerings will start to increase as well.”
The requirement to publicly disclose cyber incidents raises a lot of questions that MSPs will have to be aware of, Nowacky said.
“While Louisiana’s statute requires reporting of any incidents within 24 hours and disclosure of any ransom paid, it doesn’t describe what a cyber incident clearly is, or what constitutes a ransom,” he said. “So does clicking on a phishing email require notification? Or does an employee accidentally sending a gift card to somebody over email fall under a ‘payment made’? The lack of clarity could severely hurt the reputation and public image of MSPs abiding by the letter of the law while others are simply finding new loopholes to avoid this disclosure.”
The public disclosure requirement means information on cyber incidents is going into a database that cyber insurance companies can access before underwriting a policy, to help assess risk and determine the premium, Nowacky said.
“And worse yet, you’re starting to see these [insurance] carriers starting to act like virtual CISOs where they’re mandating products that can be offered and at least how services should be offered,” he said. “All this means a higher operating cost to MSPs working on already tight margins.”
The idea of formally registering MSPs is a good one in principle, given the ease with which small computer companies can hang a shingle outside their door and call themselves MSPs without even having a business license, said Dale Pinney, owner of Olaf Solutions, an MSP based in Metairie, La., next to New Orleans.
However, Pinney told CRN, the State of Louisiana has not done a good job of putting a registration system in place. To begin with, it did not publicize that the law went into effect on February 1, apparently because the law is aimed primarily at MSPs doing business with governmental bodies.
“I would also bet that it hasn’t been communicated to many of the government bodies,” he said.
The registration form itself is simple to the point of nonsense, Pinney said.
“Basically like a second registration with the secretary of state showing owners and registered agent,” he said. “No qualifications are required, so it’s nothing more than paperwork. Also there is no fee to register.”
The Louisiana law includes only one other requirement in addition to registration: that MSPs report to the Louisiana State Police Fusion Center all cyber incidents that happen to public bodies, Pinney said.
“There already is the requirement to report any breach activity that may have compromised personal identification information to the State Police for any cyber breach,” he said. “So it’s a repeat of an existing law.”
Should states not be able to mandate MSP regulations, one alternative is regulation at the federal level, possibly via the Cybersecurity Maturity Model Certification, or CMMC, which provides a possible example of what a unified set of rules might look like, Nowacky said.
CMMC was created as an offshoot of the NIST SP 800-171 controls as a way to standardize several compliance regimes, including FedRAMP, NIST and ITAR, primarily in the government and municipality market.
There are five levels of CMMC certification, depending on the type of data handled. Certification requires an audit that, for Level 3, could cost between $100,000 and $250,000, Nowacky said.
“The costs imparted to businesses seeking certification make it cost-prohibitive to all but the largest companies and MSPs with deep pockets that can afford the necessary pieces to get accredited,” he said. “While CMMC today mainly applies to government contracts or anyone dealing with classified and controlled data, it’s not a huge leap to see CMMC branching out into other roles such as finance and FINRA compliance, or healthcare and HIPAA. And, in fact, we’ve seen several references to CMMC and its framework and its accreditation in discussions with health and human services as a set of guidelines that marry well with HIPAA guidelines already created.”
As an alternative to the “Big Brother” of regulation and certification, MSPs should take the lead in adopting strong security stances and making them mandatory in their security offerings, Nowacky said.
“[You’ll help] hold industry to a higher bar and vendors to higher standards that everyone will be forced to adopt,” he said.
This includes self-auditing of security practices and planning for what to do when an attack happens and not if it happens, Nowacky said.
“If you think ‘it won’t happen to me,’ you’re doing a disservice to your customers and your business,” he said. “Security should be a mandatory protection for both MSPs and customers, and not a choice for a security-first MSP.”
A push to regulate MSPs comes as cybersecurity issues are growing, Nowacky said.
“Phishing and malware attacks are on the rise, with an exponential increase since COVID and remote work has become more widely deployed,” he said. “Ransomware payments have increased 13 percent in 2019, from $36,000 to $41,000, with an average worldwide of $71 billion being made in ransomware payments.”
It is a tough environment for MSPs and security, Nowacky said. He said, without citing the sources, that 65 percent of phishing attacks in the U.S. are successful, that 60 percent of small businesses will close their doors because of an attack, and that 15 percent of individuals who are successfully phished will be phished again within a year.
“So, 60 percent of companies that are shutting down are spreading that risk to new companies, further propagating the attacks and risk,” he said.
In addition to spreading malware and ransomware, phishing attacks also result in data loss, financial loss, identity theft, and loss of trust in an organization. Furthermore, the initial attack is often not the end goal, but a way to create new attacks, Nowacky said.
“In short, these attacks are truly business-ending-level events that are high stakes for any organization connected to the Internet,” he said.
Data protection from a company like Axcient is a critical part of a layered security approach, Nowacky said.
“Having the confidence of knowing you’ll never pay the ransomware as we advocate means having a strong backup product,” he said. “With Direct-to-Cloud, Axcient has created the most robust backup and business continuity product on the market today, giving you choices on deployment with appliance and non-appliance, as well as endpoint and server backups. And with airgap being built into everything we do, we create another physical layer that separates your data from attackers and the ability for them to delete it, giving you further protection and knowing that you have good, safe backup points you can recover data from in an emergency.”