Louisiana’s MSP registration, which will take effect Feb. 1, 2021, has sparked many debates about regulating the managed services industry. At last week’s IT Nation Secure virtual conference, hosted by MSP software vendor ConnectWise, Louisiana secretary of state Kyle Ardoin explained his intent behind the MSP registration and what he hopes the law will do.
Louisiana is the first U.S. state to introduce a registration for MSPs and managed security service providers (MSSPs). Signed on June 11 by Louisiana governor John Bel Edwards, the legislation will require all MSPs and MSSPs that work with public bodies to register with the state.
According to Ardoin, Louisiana developed its MSP registration law in the wake of cyberattacks on state government. Incidents included a December 2019 ransomware attack that affected the City of New Orleans, prompting New Orleans mayor LaToya Cantrell to declare a state of emergency.
“Quite frankly, one of the attacks scared me enough because it was within striking distance of an election,” Ardoin noted. “It was about seven days outside of an election. Had the attack occurred closer to the election, we could have had [some] chaos, because we had a very close gubernatorial election going on.”
Ardoin said the FBI contacted him and explained the role MSPs and MSSPs play as “the conduit for these attacks out to these local entities.” At that point, he said, he had never heard of MSPs or MSSPs before. “My concern was, ‘Who are these people? We don’t even know these entities,’” he said.
The thinking behind the MSP registration
Ardoin said he believes MSPs must be transparent with customers about their cybersecurity capabilities. The law aims to facilitate more open communication. “I understand that [cyber protection] is a very costly business to be in … but [MSPs and MSSPs] have got to be straightforward with their customers and tell them at what levels they can protect them,” he said.
“If they are not being straightforward because they are concerned about losing business because of cost, they are doing a disservice … not just to the entity that they are trying to protect but to the citizens that interact with that agency,” he said. “When you open yourselves up to attack and school kids’ personal identifiable information is released, that is problematic.”
He noted that his conservative beliefs about government regulation partly shaped his approach to the MSP registration law. “I think in general the IT world is just sort of hanging out there without any checks and balances. But … coming from a conservative standpoint, I’m not interested in complete regulation,” he said. “I would like to see the industry regulate itself and educate itself and their customers before government gets involved and screws it all up.”
He said he hopes the registration will encourage service providers and governmental agencies to have “a constructive dialogue without any heavy regulation at this point.”
“We are going to see how [the MSP registration] goes once it is implemented … in February, and we will just go from there,” Ardoin said. “I think it’s an important step for our cybersecurity commission, for our federal partners like the FBI, and others to be able to interact with these private [managed services] organizations as we move forward.”
Ardoin’s advice for MSPs, MSSPs
To help stem the rise of cyberattacks on government entities, MSPs and MSSPs must speak up and be open to working with others in the IT industry to jointly solve problems, Ardoin said. He also pointed to IT industry certifications as a means for MSPs to demonstrate their security capabilities to customers.
“I think communication is key and being upfront,” he noted.
Fearing reputational damage, some MSPs may try to conceal IT security incidents when they happen, but Ardoin encouraged MSPs to change their attitudes about the perceived stigma. “One major piece of advice I have for those who are in the business now and are concerned about their reputation: Everybody is getting attacked. No one is exempt from this.”
Additionally, he urged MSPs to build relationships with the FBI, the Cybersecurity and Infrastructure Security Agency, Homeland Security, National Guard, state police and “any cybersecurity commission that is created or entity that is created by state government.”
“Try to be a voice in the process so that everybody learns together,” Ardoin said. “It’s a team approach. Working in silos doesn’t solve anything.”