Two decades ago, managed service providers (MSPs) barely existed. Two years ago, there were still a huge number of people who had no idea what an MSP was or did. In June 2020, the state of Louisiana passed legislation specifically regulating MSPs.
“It’s been a fight for a long time to know what it is we do,” said Amy Babinchak, owner of three IT-related businesses and the founder of a recently formed Facebook group to address regulatory changes. For her, the MSP regulation “helps to speak to the maturity of the industry. Louisiana actually wrote the letters MSP into their legislation.”
Dave Sobel, who runs the MSPRadio podcast, agrees it’s a big deal. “It’s the big difference between zero and one,” he said. “It’s the first time I am aware of a law specific to the managed service space.”
What does the legislation do?
The regulation demands greater accountability of providers doing business in Louisiana with government clients. This first-of-its-kind legislation requires managed service providers and managed security service providers (MSSPs) that manage IT for public bodies to register with the state. The providers must also notify the state of any cybersecurity incidents or ransomware payments. The MSP regulation is effective Feb. 1, 2021.
Babinchak says registration could prove useful. After all, being on the list could help you get contracts in Louisiana. At the same time, though, having to report cyberattacks could negatively impact a firm’s reputation. Yet before this regulation, there was really no way for businesses to know what quality of firm they would be hiring.
In a TechTarget report, MSPAlliance CEO Charles Weaver criticized the registry as a “targeted hit list” for every hacker in the world.
Yet Babinchak doesn’t see it as being that different from expectations for other professions. Lawyers and engineers, for example, are subject to credentialing measures. Doing the same with MSPs represents the next evolution of the industry’s development. Hackers already know MSPs and MSSPs “hold the keys to many other businesses,” she said.
Why did it get passed in Louisiana?
Four of the state’s local school districts suffered ransomware attacks in July 2019. Louisiana took its DMV offices offline in November 2019 due to a ransomware attack. In the biggest hack, cybercriminals shut down the city of New Orleans in December 2019. With more than 4,000 New Orleans government computers affected, damages hit $7 million.
Growth of the MSP market, especially in the midst of COVID-19, also factors in. Spiceworks reports that the share of businesses planning to increase IT budgets has grown in recent years, with 44% planning to increase IT spending in 2020, up from 38% in 2019. Furthermore, MarketWatch Research predicts the global managed services market will double from USD 155.91 billion in 2017 to USD 296.38 billion in 2023.
What does it mean for MSPs?
The regulations are coming! The regulations are coming!
Babinchak expects regulatory fervor will spread nationwide. Louisiana’s Secretary of State Kyle Ardoin has already been out speaking at conferences on this topic. Other states are taking a look at the issue.
Speaking to the National Association of Secretaries of State in January 2020, Ardoin said firewalls and system patches and antivirus are no longer sufficient. “As attacks grow more sophisticated, many MSPs have not been upfront with their clients about the need to invest more in security. This leads to serious problems for their clients, and the MSPs themselves.”
In fact, the Times-Picayune, in covering another Feb. 2020 cyberattack in the Big Easy state, noted, “more than 110 local and state governments across the country have faced similar problems.” (The reporters did not say in what time frame those attacks were made.) Louisiana’s chief information security officer Dustin Glover told the paper, “these things are happening across the country and aren’t getting reported or aren’t getting called in.”
In a Texas example, 23 local governments were targeted with ransomware in August 2019. When the water system for one city was attacked, the governor was called upon to declare a state of emergency. (Colorado and Louisiana are the only other states that have declared emergencies over cyberattacks.)
Keeping up with cybercriminals
More regulation is only a matter of time, Sobel agreed. “We’ve had a breach” is too abstract, he says. If criminals actually broke into a physical business and took people hostage, it would cause a massive outcry. Yet that’s what ransomware is. “We do some cool work,” he said, “but we’re not killing it on cybersecurity.
“We’re losing the war against cybercriminals,” Sobel said. This MSP regulation demonstrates politicians are starting to recognize this fact. Insurance companies are also increasing pressure on MSPs and MSSPs to make more significant efforts. Community insurance rates are jumping, or MSPs are being denied insurance.
Having considered what the MSP regulation does and how it came to be, we’ll talk about the actions MSPs can take in our next blog.
In the meantime, Calyptix continually improves its software solutions for its MSP and MSSP customers. Learn more about the changes made in our AccessEnforcer version 5.0, including Geo Fence and Gatekeeper, which deliver zero trust network access control into the network stack (and in line with the budgets) for SMBs. Gatekeeper has been purposely designed for SMBs to provide secure, authenticated remote access without having to expose RDP or SSH systems to the public Internet.