Ransomware and other cyberattacks are driving states across America and other countries to pass laws regulating the managed services industry. This has sparked an ongoing debate in the U.S. about how MSPs should be evaluated and regulated (and if that should be happening at all). If this does happen, how will it impact businesses and organizations? What legislation is working its way through individual states, and can new laws be effective?
Karl Palachuk, a leading MSP consultant, recently discussed legislation specifically targeting MSPs. The topic of MSP evaluation and regulation is indeed timely, and many leaders in the industry have been willing to share their thoughts and concerns in the current climate. We wanted to gain insight from MSPs on this current debate and interviewed several leading experts in the field to explore it in more detail.
“I think this could mean good things for us since we already do this for our clients and agree there should be more standards in our industry,” said Nick Allo of Semtech IT Solutions.
Ilan Sredni of Palindrome Consulting stated: “Not only do I agree, but I’ve also been speaking about this for years. This can create a barrier of entry and definitely separate those that are truly MSPs from those that just call themselves MSPs. I disagree with the thought that liability is the driving force since any service provider already has that liability. Enforcing certain levels of coverage for cyber and E&O insurance would help to separate the real MSPs as well.”
“I know this guy is a bit of an MSP celebrity. Is it possible this is an attention grab? It just doesn’t make sense. He says that two people can’t mutually agree to not hold the other person liable. These are enforceable in Nevada so long as it is not gross negligence. This is generally defined as the absence of even a slight degree of care,” stated Cameron Call, CISSP of Network Security Associates, Inc.
“Will the legislation excuse my company from gross negligence? Also, he makes the argument that this legislation is needed, as an example, for VOIP vendors to not be held liable for data backup if they only sell phones. Doesn’t that seem weird? Can I sue the guy that put locks on my doors if my window gets broken, and I am robbed?” asked Call.
Components of the proposed legislation
Alexander Freund of 4IT in Miami broke down the components of the proposed legislation and took some time to share his thoughts on Palachuk’s initial remarks. Below are the 4 elements of the legislation that Palachuk has been suggesting:
Registration for IT Service Providers
- Maintained by the State
- Business owners know who they are hiring
- Partner with the insurance industry
- Make the industry more professional
“I think this is a good thing, and will really help to ‘professionalize’ the IT services industry. The government already does this in many industries, so adding IT service providers to the list of businesses or professions that require registration with the state is a good first step for some regulation of the industry. It will provide a degree of transparency for organizations looking to hire an IT services company, and allow for a state-sponsored partnership between insurance companies, which are already regulated by the state, and IT service providers,” noted Freund.
Enforce good standing
- Require a business license
- Registered to do business
- Liability and Cyber Insurance
- Some kind of certification that you know what you are doing
Commenting further on enforcement, Freund said, “Again, I believe this is a very good thing for our industry. Companies that are hiring an IT service company will know that the state is making sure the service provider is being regulated, that they are carrying the necessary insurance as a liability protection, and that they are meeting the minimum standard of competence to be allowed to operate in the state.”
Backups as a requirement of offered services
- Define it as disaster recovery
- Limit of liability when clients refuse to implement
“I think this idea will fail to deliver on the goal. Requiring service providers to have a backup solution offering isn’t going to force customers to implement it. In the co-managed IT model, often the backups are not even being managed by the IT service provider. And even with a backup solution in place, if a disaster recovery test is not successfully executed on a scheduled basis, the solution may not work when it is most needed. This is a common challenge that many IT providers face, and customers are unwilling to interrupt the business to effectively simulate a disaster. Ultimately, I feel like the customer has to be held responsible for making sure they have an effective backup solution in place, and that the solution is being tested to verify it will work when needed,” added Freund.
Notification of Breaches
- Giving the government and public a view into the size of this problem
“This is already in place in Florida, although it does not seem to be well enforced, and the information is not being shared with the public. I actually attempted to get a complete list of all of the breaches that had been reported to the Governor’s Office in Florida, a requirement if the breach affected 500 or more individuals of the state. My initial request was simply denied, and I had to resubmit the request multiple times to even get a confirmation that information would be provided. Ultimately, the list was essentially useless, as every entry submitted to the state was submitted by a law firm on behalf of another company, many of which operate in Florida but are not Florida corporations. Most business owners and consumers in Florida currently have no way of knowing the size and scope of this problem.”
“All in all, I believe that these are generally great first steps for the state to begin to force the IT services industry to adhere to a set of business and professional standards. I don’t think anyone would argue that the level of airline safety in the US could exist without the FAA providing the standards for flight safety and the regulation of the airline industry,” stated Freund.
Rising Cyberattacks on MSPs
As managed service providers continue to rise in popularity, the number of attacks on these providers has also increased. The threats and attacks on MSPs and their clients are part of a bigger story of cybercrime that’s impacting many organizations. Cyberthreats and cyberattacks are happening across the globe to businesses of all sizes. Would legislating MSPs put an end to the rise in cybercrime?
Carl Fransen of CTECH Consulting Group stated: “Legislating MSPs to protect them against being sued over ransom attacks would be akin to trying to herd millions of cats. Anyone at any time can instantly become an IT provider without the need for support qualifications, education, or experience. They can provide any number of IT services from hosting email, reselling a service, various levels of IT support, consulting, etc. Geographical boundaries are not even a consideration for support. With the current technology, anyone will be able to support any system from any location.”
“Also, there is no system in the world that is 100% secure. Even with the most advanced security, there are always ways of penetrating any defense and causing issues. An MSP would never have a perfect guarantee that whatever level of security they place on the system, it would be immune from attack. Let’s say that the client did sign the waiver saying that it doesn’t want a security system. Then the next day, a user comes in and infects the system with a personal datakey, but the proposed security system was not set up to stop that. No matter what happens, there will always be that possibility,” added Fransen.
“I was on his call yesterday — very interesting and his idea is that we should start working on it as an industry before we are forced to by the government or insurance companies. I think some controls are good — if they have common sense. Small businesses have no idea what is a good or bad MSP — do they just have to wait to get breached to find out they chose poorly?” said Blake Schwank of Colorado Computer Support.
Professionalizing vs. Regulating
Matt Bullock of Accelera IT Solutions questioned whether Palachuk’s proposed legislation would turn into regulation of the entire IT industry:
“There is a big difference between ‘professionalizing’ an industry and regulating it. Much like states have a Registrar of Contractors to keep track of reputable construction contractors (make sure they have insurance and required certifications and a history of disputes, etc.), the IT industry needs to become more cohesive in how it presents itself to the world. Anyone can get into the IT business just like anyone can get into the construction business. However, our industry has black marks (more so locally) due to inexperienced technicians positioning themselves as seasoned professionals and then not having any insurance or certifications. Great IT companies (small and large) want to brag about their certifications, experience, high level of cyber-liability insurance, and what they can do for clients. As long as this doesn’t turn into regulating our industry (telling us what and how to sell and support our clients), then a powerful industry lobbying group is a great idea whose time has come.”
With mounting cybercrime and regulations still falling short, there’s a growing need to find solutions quickly so that organizations and governments can adapt. Have you been affected by a recent cyberattack? Share your thoughts with us.