A recently enacted law suggests future regulation on MSPs could be on the horizon.
On June 11, Louisiana's governor signed first-of-its-kind legislation requiring managed service providers and managed security service providers that manage IT for public bodies to register with the state. The law, which takes effect on Feb. 1, 2021, also requires MSPs to notify the state of any cybersecurity incidents or ransomware payments. MSP registrations will be valid for two years and are subject to being denied or revoked.
The law comes on the heels of public criticism of MSPs earlier this year from Louisiana Secretary of State Kyle Ardoin, who claimed MSPs do not offer security tools sufficient for protecting state agencies against cyberthreats.
MSPs and industry observers said the legislation could be a harbinger of things to come, and MSPs in other states could face similar legislation.
Digging into the law
Prior to Louisiana's regulation on MSPs, the state had no visibility into what MSPs were doing.
"They have a right as lawmakers to have some oversight, especially when it involves public and private entities," said Charles Weaver, CEO of MSPAlliance, a managed services industry association based in Chapel Hill, N.C.
Weaver noted, however, that there are aspects of the law that MSPAlliance does not agree with. The first is the creation of a list of MSPs doing business in the state, including the names of each MSP's directors, officers, owners and shareholders. If that list were made public, it would become a "targeted hit list" for every hacker in the world. "It's tantamount to putting a bounty on all those directors if it became public" and would have an effect contrary to the intent of the law, which is to increase the safety of public bodies working with MSPs, he said.
"We have one board member who went so far as to say that there could be physical harm," potentially, to people whose names are on the list, Weaver added.
The law also requires a list of MSPs that have been breached and have paid ransomware demands, he noted. That list "would be of incredible value to a hacker" as a path to future attacks.
Apart from these concerns, Weaver characterized the law as "very short and well crafted." He views it as an acknowledgment that "MSPs have arrived. There is zero doubt in my mind MSPs are at the forefront of the global fight against cyberwarfare," and no longer "just an adjunct of internal IT departments."
On the flip side, Dave Wilkeson, CEO of consultancy MSP Advisor, said he doesn't see it as a welcome change for the relatively unregulated managed services industry.
"I think the market should regulate the marketplace. If you don't take the proper steps to protect your clients, you will get hacked and sued," Wilkeson said. "I think in most cases, MSPs are driving clients to improve their security -- not the other way around."
Wilkeson said he believes there are "more effective and fair ways of vetting potential service providers than creating a state registration system."
'It's a good start'
Ken Stringer, director of infrastructure services at CMA Technology Solutions, based in Baton Rouge, La., said his company was aware the law was coming and that Ardoin had long been a CMA client.
"It's a pretty good law. It's a good start and a step in [the right] direction" so state agencies can avoid MSPs that are unprepared to provide them with secure services, Stringer said.
The law will probably not change how CMA delivers managed services to government entities, which is a significant part of CMA's business, he said. "We should be OK moving forward."
Echoing Weaver, Stringer said the only concern he has is the requirement about listing the names and titles of the officers of a company. "Normally, [that] is not a concern until you have public record requests," Stringer said. "[Now] that means bad actors have the potential to go and pull [information on] all the MSPs and their officers, and that creates a narrower [threat] target."
Stringer would also like to see further clarification on what constitutes a "director." But overall, he is not concerned about Louisiana's regulation on MSPs, calling it "a welcome change."
"If used properly, this law could provide a positive outcome for companies like us," he said.
Implications for other states
Stringer hopes the Louisiana legislation will pave the way for other U.S. states to adopt similar measures. "It's not that I want our industry regulated, but some sort of guidelines you can work by" would be beneficial, he said.
However, he added that if MSPs become overly regulated, "it might affect someone starting out who may not be able to jump in. We don't want free enterprise to be stifled by regulations. If it's done adequately, I think this would be a good measure moving forward to protect providers and customers of those providers."
Weaver said MSPs in other states should be prepared for similar legislation. He noted there is already a data breach notification requirement in all 50 states as well as in Canada and Europe. "Ransomware payment disclosure is likely going to become more widespread," he said.
Wilkeson said it wouldn't surprise him if other states pass similar regulations on MSPs.
"Best practice dictates that all MSPs should already have a security-first stance in their businesses," he said. "They should be requiring their clients to comply with their security standards, and if the client refuses, either fire the client or, at least, have them sign a release of liability."
Many MSPs already embrace those security best practices, he added. "They'll just have to jump through the extra regulatory hoops or pull out of selling to the covered entities, which would create more opportunities for vertically focused MSPs focused on state/local government."
Wilkeson added that some MSPs may "refuse to engage with entities covered by the law … to avoid the reporting requirements," while others could raise the prices for their managed services for public bodies.