Written by: Charles Weaver, CEO of MSPAlliance
As the entire world debates the issues around regulation of managed service providers (MSPs), relatively few address the issue of insurance and certification as a proxy for MSP regulation. The topic of MSP regulation is timely, and all MSPs seem to be concerned with it at the moment. Simultaneously, MSPs are experiencing significant increases in demand for their services.
The MSP regulation issue is not new, having been discussed for many years within the MSPAlliance community. But instead of talking about what type of regulation we will accept, we need to explore whether there is a replacement for MSP regulation that satisfies regulators, legislators, and clients alike. Let’s examine it more closely.
Private Market Regulation Through Certification & Insurance
There are two general areas of assurance surrounding MSPs. The first is certification, audit, and licensure. I use these interchangeably as they all attempt to solve the same issue of communicating the provider’s credibility to clients. The second area involves insurance as a risk transference vehicle. Insurance and certification are crucial parts of any profession. Each plays a role in helping professionals communicate and demonstrate assurance to the broader public. The same holds for the managed services profession.
Insurance is about risk transference. If you insure your car and it gets in an accident, the insurance will pick up the risk and pay for the repairs. Similarly, if your MSP has insurance and your organization suffers a data incident (there are many different kinds of data incidents, and not all of them involve MSP wrongdoing), that insurance should provide some measure of risk transference.
Cybersecurity insurance products are beginning to grow in number and accessibility due to increased attacks and threats against MSPs and customers. While there is still a long way to go in the area of MSP and cybersecurity insurance, it has come a long way over the last decade.
Cyber insurance companies are fearful of the increased activity in the cyberwar. Increased attacks on organizations of all sizes in all areas of the globe are undoubtedly taking place. The fear has caused some insurance carriers to step back from offering cyber insurance products altogether. I would argue the insurance industry is fearful not of the MSPs and their behavior, but instead due to their lack of understanding around cybersecurity.
Even with the most stringent MSP licensing and regulatory frameworks, MSPs and clients unable to obtain adequate cybersecurity insurance coverage would be unprotected against the rampant forces of cybercriminals. MSP insurance is essential and must not be understated as an integral component of the managed services profession’s ongoing evolution.
Certification + Insurance = MSP Regulation
There is a strong argument that the right combination of MSP certification and insurance is an effective proxy for MSP regulation and licensure: certification to cover industry best practices and cyber hygiene, and insurance to handle the risk transference.
This does not mean states and regulators should not act to enforce such “professional best practices.” Taking such an approach would allow public policy to form without requiring lawmakers to understand the intricacies of managed services and cybersecurity, areas they manifestly do not understand, and for good reason. Cybersecurity and managed services is an incredibly diverse and complex profession.
Public policymakers, legislators, and regulators should take a closer look at tools already existing in the open market. It may help ease the burden of excessive and unnecessary MSP regulation.