
'Compliance as a service': How to stay out of hot water

Before leaping into IT compliance services, MSPs must make sure they're following best practices. Some mistakes could potentially cost them their businesses.

MSPs are increasingly pursuing compliance work in regulated industries, even crafting "compliance as a service" offerings; in this still-young line of business, however, mistakes involving liability can prove disastrous.

Industry experts agree that compliance work holds great potential. "It's definitely a goldmine. There's definitely a tremendous amount of opportunity out there," said Raymond Vrabel, senior director of strategic partners at Continuum Managed IT Services. He added that healthcare is one of the fast-growing verticals. "Our [MSP] partners are getting on average more per contract, more per client, more per seat, more in project work than they ever have before once they do get their head wrapped around [IT compliance services]."


But this particular opportunity comes with unique risks, noted Kevin McDonald, HCISPP, executive vice president and CISO of Alvaka Networks, a managed services and network security provider. The massive opportunity for financial gain is matched by liability issues. In the small and medium-sized business (SMB) market, the financial exposure to an MSP can outweigh the revenue generated in poorly handled accounts.

"The liability for failure is extraordinary," he said.

Given the high stakes, MSPs with compliance practices should carefully safeguard their businesses against a range of liability issues.

The problem with 'compliance as a service'

MSPs should carefully consider how they market their offerings and avoid language that could mislead customers into thinking they're getting something they're not.


One ambiguous term seen in the managed services industry today is "compliance as a service." While likely well-intentioned, some MSPs offer compliance as a service when they aren't actually delivering compliance services, said Charles Weaver, CEO of MSP industry association MSPAlliance.

He pointed to MSPs that work with small clinics, physician offices and other SMBs in the healthcare vertical. These MSPs are not providing "compliance" to their customer, he said, but they may be offering a service that would "technically or legally perhaps allow the [customer] to be in compliance with a particular federal law," such as HIPAA (the Health Insurance Portability and Accountability Act). "It's different to say that the MSP is consulting and advising the client on how to be compliant with the federal law, which bleeds over into practicing law without a license in a lot of cases."

McDonald added that MSPs may be practicing law without a license by going beyond the technical and administrative consulting role -- advising the client on drafting legal contracts like Business Associate Agreements, for instance.

McDonald believes the term compliance as a service should be completely avoided. Anything offered under the "as a service" label implies that you control and are responsible for the primary aspects of that service, he said. For example, if you're providing hosting as a service, you are responsible for everything surrounding hosting. A customer's compliance, however, demands "active behaviors and consistency by employees," which is nothing a service provider can completely control.

That's not to negate the "absolute value in external companies … providing services that help people find their way toward compliance," he said. He asserted companies that step in to do challenging tasks, such as auditing, logging and analysis, are offering extremely valuable services. But those services, even in combination with dozens of other services, can't make a company compliant. The onus of compliance ultimately falls on the client, which an MSP can merely support.

For instance, it's the client's obligation to follow the HR policies and procedures required under HIPAA to ensure their employees are trained and acting accordingly. "That cannot be done by a service company," he said.

McDonald suggested "compliance support services" more accurately describes what MSPs deliver. While the distinction may be subtle, it could help customers understand that an MSP's services aren't the only thing they need to meet their regulatory obligations, he said.

Three best practices to protect against liability issues

Correctly marketing compliance-related offerings is one step that MSPs can take to preclude problems. Weaver described three other critical measures, adding that if MSPs don't have them in place, "they're playing with fire and they're in a high-risk situation."

Have solid contracts.

Before signing a new customer, it's important to have well-thought-out service agreements that an attorney reviews, Weaver said. Contracts should reflect the current services and service operations that you use, ensuring you don't take on more liability than is necessary. Additionally, the agreement should document where your risk picks up and leaves off, as well as your client's.

Have insurance with cyberliability and cyber risk coverage.


Weaver noted a trend he has been warning MSPs about for the better part of a decade that is now finally hitting: there is a lot more litigation and there are more insurance claims against MSPs for a range of issues, including data loss, data breaches and lack of availability for particular data that is in an MSP's safekeeping.

"Customers have regulatory agencies and departments that they have to answer to, and they have financial fines that they're subject to. They're going to make their MSP subject to those same fines if they can," Weaver said. Having insurance is vital.

McDonald said MSPs should have general liability, errors and omissions, directors and officers, and breach insurance. He added that MSPs should carefully review insurance contracts for any clauses that could nullify coverage under particular circumstances.

Document thoroughly.

Beyond thorough contracts and insurance coverage, Weaver said MSPs need documentation that can prove how they deliver their services.

"It's no longer enough to know internally that they're doing things the right way," he said. "We are now in an era where MSPs have to be able to prove how they do what they do to the customer."

Weaver said MSPs need to show their clients that their policies and procedures exist and are being followed. Programs like MSPAlliance's MSP & Cloud Verify and SSAE 16 can demonstrate adherence to policies and help give customers assurance.

"Almost no regulated industry allows for an MSP to demonstrate their policies and procedures without some form of due diligence," he said. "The trends are definitely moving toward third-party audits and examinations [to serve] as proof to customers."

"Documentation of activity and changes is not just good business practice but is part of the statutory requirements under many of the most prevalent regulations that MSPs will need to support," McDonald added.
