Written by Charles Weaver, co-founder of MSPAlliance
MSP registration is finally here. We’ve been talking about this for a long time, and it’s finally here. MSPAlliance has encouraged discussion within our professional community for many years on the role of government in regulating MSPs. While we will undoubtedly have more to say on this matter in the coming months, we now have an actual law to analyze and discuss as a community.
MSP Registration for State Public Bodies
Louisiana Act 117 – Senate Bill 273 (see below for full text), recently signed into law by the governor, goes into effect February 1, 2021. The law requires MSPs who manage infrastructure or end-user systems for “public bodies” to register with the state. These terms are defined in the text of the law and seem relatively clear about their use. What is slightly less clear is the guidance on what “public bodies” means. Again, definitions are provided in the text, but these could become further defined over time.
MSP Disclosure of Cyber Incidents & Ransomware Payments
The law also requires those registered MSPs to notify the state in the event of a cyber incident, including any ransomware payments. While all 50 states (including Louisiana) already have data breach notification laws on the books, this law appears to be further clarifying this rule by requiring MSPs who have made payments to ransomware actors to disclosure such incidents to the states. Previously, data breach disclosure rules have primarily been made to the “impacted parties,” namely, the data owner.
MSP Impact & Analysis
Louisiana will not be the last state to act in this way towards MSPs; there will be others! Almost since the beginning of the MSPAlliance we have been telling MSPs that governmental regulation could come if specific actions were not taken. While the MSP professional community (in general) and the MSPAlliance (in particular) have been proactive in developing rules of behavior, professional standards, and models for interacting with clients, we have vigorously asked the government to stay out of our professional activities. There are too many examples of governmental interference with MSPs that would have harmed the general public, and not helped them. The California anti-spyware bill from the early 2000s is a good example.
Authors Note: MSPAlliance is not anti-regulation. While we have been against licensure for MSPs, regulatory efforts impacting MSPs happen all the time and MSPAlliance has been supportive of many of those efforts. What we have opposed, in the past, are legislative or regulatory efforts attempting to regulate without the input from the MSP professional community.
These advancements aside, nobody (perhaps even myself) could have foreseen the incredibly powerful role MSPs have come to possess throughout our global business community. Such power comes with responsibility, and the cybercriminals understand the role MSPs play. The Louisiana law is not an indictment on the behavior of MSPs as much as it is an acknowledgment of the importance MSPs have in today’s society.
The first question I asked myself was whether this is the beginning or the end of this law’s reach. MSP registration could expand in scope. The Louisiana law already says that an application could be denied or revoked, indicating that the state will have a say in the types of MSPs delivering services to those “public bodies.” While this guidance has not yet been revealed, we can only guess that further proscriptive action by the state could be coming in the future.
Besides other states and governmental bodies taking notice and following Louisiana, look to other market verticals (I.e., banking, healthcare, law enforcement) following this model and developing MSP registration frameworks to protect their constituents. If MSP registration works for state governments, you can bet other regulated sectors will evaluate similar models for dealing with MSP transparency and accountability.
MSPAlliance has long held that lists ranking MSPs did little to nothing for guiding clients looking for safe managed service providers. MSP lists did nothing to advance the professionalism and best practices amongst MSPs.
MSPs who are transparent, secure, and following best practices, should have no problems. The only question that remains is, what does the rest of the MSP community do? Will they rise to the challenge? Or will they be left off the list?
Louisiana Senate Bill 273 - Registration of MSPs
Dick
Posted at 12:23h, 17 JuneWould you anticipate a regulatory audit procedure to “certify” an MSP as safe to do business with?
Charles Weaver
Posted at 13:33h, 17 JuneBased on our conversations with regulators and policymakers, no. Government wants transparency and assurance from the MSP professional community. The last thing they want is to begin regulating through certification. Existing technology standards and testing/reporting frameworks already exist, not the least of which the MSP Verify, SOC 2, etc.
Louisiana is the Model for Future MSP Regulation - MSP Alliance
Posted at 14:21h, 04 February[…] 1, 2021, marks the day the Louisiana MSP registration law goes into effect. MSPs have known about this law since early 2020, and it is now a reality for […]
To Government Regulators: Don't Confuse Break-fix Providers with MSPs - MSP Alliance
Posted at 11:54h, 16 August[…] all the discussion around MSP regulation today, an important question must be asked and addressed: are the threats to organizations really […]
Safe Managed Services Transparency and Accountability - MSP Alliance
Posted at 13:11h, 16 August[…] legislative actions requiring the registration of managed service providers (MSPs) as a prerequisite for […]