The MSPAlliance Position on the Regulation of Managed Service Providers
Recent legislative actions requiring the registration of managed service providers (MSPs) as a prerequisite for performing work on specific clientele is a significant development in our profession. Never before has there been an outright and direct regulation impacting MSPs specifically. Previous legislative and regulatory actions have been confined to indirect activities primarily aimed at the clients or consumers of managed services.
This paper will offer an industry response to such regulation and guidance for regulators and legislators on the impact of registration (and other regulatory) requirements on MSPs.
Need for Transparency & Accountability
MSPAlliance members acknowledge the government’s need and legitimacy to have transparency and accountability when it comes to how MSPs operate. The need for oversight is particularly compelling when it involves public bodies such as state departments, agencies, law enforcement, utilities, and other entities.
Aside from governmental organizations, there is a legitimate need for transparency and accountability to the general public. Private entities need to know their MSPs are operating safely and within the confines of industry best practices.
Regulatory & Legislative Guidance from the MSP Community
While legislators and regulators have the right to expect transparency and accountability from MSPs, those outcomes should not increase the risk of the professional MSP community, including their clients. As such, the following recommendations are offered as guidance for regulatory and legislative actions involving MSPs.
Registration Privacy and Security
MSP registration may offer needed transparency and accountability, but such information could (and likely will) be used by bad cyber actors. For example, MSP registration requiring the listing of MSP corporate officers, directors, and owners, could, if made public, provide a targeted “hit list” for hackers. Furthermore, such hackers would also have a list of MSP executives involved in specific activities, providing valuable intelligence that could be used against the MSP and their clients.
Another risk associated with MSP registration involves targeting of MSP executives, including blackmail, extortion, and possibly kidnapping. Identifying MSPs working on specific projects/clients, and providing lists of high-level executives enhances (not lessens) the risks to all the parties involved.
For this reason, MSPAlliance opposes the public disclosure of such MSP registration lists. Any list should be restricted by design and limited in terms of who can view the list.
Cyber Incident Disclosure Requirements
MSPAlliance believes there are many MSP best practices that can significantly reduce the chances of a successful ransomware attack. Still, some distinctions must be made to fully understand the risks MSPs face every day and the appropriate scenarios in which a cyber incident (including a ransomware payment) should be disclosed to authorities.
First, it is crucial to understand the difference between a ransomware attack on the MSP versus the MSP client. It is historically more common for the client to suffer a cyber incident than the MSP. Why is this so?
MSPs act as outsourced IT management for most of their clients. While MSPs can provide much needed IT management services, they do not always influence or control decisions impacting IT and business management. For example, an MSP may suggest to a client that they backup their corporate data every day. Having an active and current backup strategy can significantly reduce the impact of a successful ransomware attack. However, if the client refuses to invest in backup services when a ransomware attack does occur, the resulting damage can be significant and long-lasting. Either way, the MSP cannot force this behavior and must perform work expressly authorized by the client.
MSPs often are involved in cyber incidents impacting their clients; they frequently have nothing to do with the MSP. A typical example of this would be malware delivered to the executives of the client organization. Even if the MSP provides some form of malware detection (from a third party), these solutions are not infallible. Even the most astute and trained executive can be tricked by malware attackers, especially when surveillance has been performed on the individual or the organization.
Regarding cyber incidents impacting the MSP’s infrastructure, such disclosures are generally supported by the MSPAlliance community, provided minimal safeguards against the misuse of such data.
For example, disclosing a list of MSP organizations who have suffered a cyber incident would be immensely valuable to other hackers and would encourage more cyberattacks against those companies.
Professional Best Practices
While there is a role for government (and other industry regulators) to possess knowledge pertaining to transparency and accountability of MSPs, it should be noted that MSPs have been operating freely in the global market for over 20 years and have a tremendous amount of operational best practices to follow. MSPs have long been obliged to adhere to client imposed laws, regulations, and industry standards and have faithfully fulfilled these obligations, often under direct regulatory and audit supervision.
Any MSP regulation going beyond disclosure and registry requirements should be undertaken only with an understanding of what currently exists within the global managed services profession. A wealth of work has already been done to improve the internal operational security and efficiency of the managed services profession and make transparency and accountability a reality.
Technical Standards
MSP best practices come in several forms, including technical standards and industry regulations mandating organizations’ specific behavior, often extending to the MSP acting as outsourced IT management. Whether these are security standards or models efficient and secure change management, the MSP community has a vast array of technical and business guidance available to it, worldwide.
Certification & Audit Frameworks
Over 15 years ago, MSPAlliance developed a framework (MSP Verify) for guiding and auditing MSPs. Borrowing from existing control frameworks and developing innovative controls and procedures, MSPAlliance created a standard applicable uniquely to MSPs. The controls were adopted from existing non-MSP standards and re-worked to make them explicitly applicable to managed services organizations and departments (MSP division within a larger corporate entity).
From there, the decision was made to utilize the accounting profession for the testing and issuance of the certification and audit reports on the MSP entity. This model has worked successfully as the MSP Verify program has issued audit reports to MSPs on five continents.
Today, MSPs big and small, servicing clients all over the world in many markets, possess the MSP Verify certification as part of their annual cybersecurity preparedness and general corporate governance. While we welcome the opportunity to have a dialog with regulators and legislators anywhere globally, we would reiterate that the professional managed services community has not been idle for the last 20 years. Through the MSPAlliance and other organizations, the global managed services profession has developed significant best practices and expectations for today’s practicing MSP.
MSPAlliance welcomes a dialog with any regulatory or legislative body on MSP governance, transparency, and accountability.