MSP Disclosure Rules Could Be Coming
For years, software developers have had programs to help them identify flaws in their code. Well-meaning coders (white hat hackers) and not-so-well-meaning coders (black hat hackers) have circled this industry for a long time. But could this ecosystem be coming to managed services?
According to a recent article from IDG Connect, both the US Federal Trade Commission (FTC) and the Department of Justice (DOJ) have been openly discussing the idea of a mandatory vulnerability disclosure program (VDP). What is a VDP, you ask?
A VDP is a method for organizations to disclose security issues to external entities who wish to help in remediating those vulnerabilities or at least should be aware of them. In the software community, working with internal and external researchers on security vulnerabilities is not a new concept. What is new is the formalization of this practice into civil and possibly criminal law.
VDP Applied to Managed Services
Now, you may be asking yourself what a VDP policy aimed at software developers has to do with managed service providers. Good question.
Similar to a VDP, laws are being enacted all over the world pushing organizations (including MSPs) toward disclosure of certain events related to security intrusions and data theft: data breach notification laws. Such laws exist in all 50 of the United States, throughout the European Union under the GDPR, and in many other countries.
The point is that a data breach notification law is just that: notification after a breach has happened. A VDP is notification before a breach. What would an MSP possibly have to disclose under a VDP applied to managed services?
There are some hypothetical scenarios where an MSP might have an obligation to report a possible vulnerability. First, we have seen reports (mostly international) of MSPs being targeted by hackers in order to gain access to their customers. In that case, the MSP has evidence of attempted network or system attacks, either against its own systems or aimed at its customers.
MSPs also collect a lot of information on the health and status of networks and systems. Identifying cyber attacks (whether successful or not) is part of what an MSP does. Disclosing those cyber attacks to relevant authorities could help law enforcement (not to mention the customers) more effectively deal with attacks and data loss.
On the other hand, a VDP for a managed services relationship is a different matter from disclosing vulnerabilities in software code, and it could have long-term negative impacts on the managed services profession. What are your thoughts on a possible managed services VDP?