Cyber Attack Disclosures Could Become The Future for MSPs
A relatively small policy change within the country of Kenya could have significant implications for the future of managed services. Maybe.
The Central Bank of Kenya (CBK) has made it a requirement for its banks to disclose to regulators if there was an "attack" on the bank and how the bank handled the attack. The US banking system has a similar requirement around data security monitoring, and all 50 states now have data breach notification laws.
Now, what is unclear is whether the CBK requires reporting of data breaches or just attacks. Regardless, this policy change signals what is likely to be viewed as a global shift towards greater transparency within the cybersecurity community (which includes everyone) in disclosing breaches (something which already exists globally), and a shift towards disclosure of attempted attacks (which does not currently exist).
Disclosures of Attempted Cyber Attacks
Data breach notification requirements make sense to most people (which is why they are becoming law in most developed nations around the world). But requiring an organization to disclose an attempted attack (before a breach has occurred) presents some challenges. Even the best MSPs could have a difficult time knowing whether an attempted access to a network or system was valid or not. Understanding the intent of an impersonal IP address is practically impossible unless it is coming from a known offender or a geographic location known to be hostile.
The point is, requiring MSPs to disclose all the attempted cyber attacks on customer networks (or even the MSP's own) could quickly become a bureaucratic nightmare and create more security risks for the MSP and its customers. For example, if a cyber attack disclosure report were to be made public, it could help hackers identify more effective paths of intrusion into the customer network.
Cyber Security Prevention Reporting
If reporting attempted attacks would be challenging for MSPs, I think it is perfectly acceptable to discuss having MSPs (via their customers' requirements) create cybersecurity prevention documentation and planning, to demonstrate to regulators and law enforcement that there is adequate protection of the customer's network.
If customers are required to demonstrate that they are taking steps to protect their networks, systems, and data, then the role of the MSP becomes greatly enhanced. MSPs exist so they can provide proactive IT management as opposed to reactive IT management. The last 20 years have been about the shift from reacting to IT problems to thinking about IT security prevention. Left on their own, most organizations (beyond governments and large enterprises) would not (and do not!) put much consideration into protecting the IT assets and data they control.