How Secure Is Your MSP?
For a long time, the business of being a managed service provider (MSP) has been largely unregulated. However, attacks on MSPs such as this summer’s attack on Kaseya and the data breach at provider Cognizant in April 2020 showed just how vulnerable MSPs can be and how far the consequences of an attack on an MSP can reach. Most notably, a breach of an MSP puts not only the MSP at risk, but all of its clients as well, since the MSP holds privileged access into each client’s environment. As such, MSPs are expected to be increasingly targeted by ransomware groups because of the wide reach a single intrusion can give an attacker. Government regulation is therefore being pushed to minimize the risk of these attacks and better protect both MSPs and their clients.
There has been a strong push to put some form of regulation on service providers working as contractors with the federal government.
On October 6, the Department of Justice announced the Civil Cyber Fraud Initiative. The initiative intends to use the False Claims Act to pursue contractors who knowingly put government entities at risk through deficient cybersecurity. This covers a wide array of conduct, such as failing to implement required security controls, misrepresenting the controls that are in place, and failing to report breaches when they occur. The initiative also relies on the False Claims Act’s whistleblower provisions, which protect individuals who come forward to report misconduct by contractors. It accomplishes two main things. First, it ensures that companies that are not following sound cybersecurity practices do not keep receiving government money or handling government assets and data. Second, it keeps government systems better protected by forcing contractors to properly secure those systems or risk losing their contracts and facing liability.
There has also been some change to MSPs’ relationships with state government.
Namely, the Louisiana government passed a law in June 2019 that went into effect in February of this year and radically changed how MSPs operate with the state. This law, the first of its kind, puts new requirements in place for MSPs in the state. It requires that MSPs entering contracts with public bodies register with the state, with the registration lasting two years, after which they must re-register. It also requires these MSPs to notify the Louisiana Fusion Center within 24 hours of gaining knowledge of a cyber incident and to report any ransom payment within ten days of the payment. This puts far more stringent standards on MSPs than the state has ever had before. If it is any indication of what is to come, many more states may follow suit in the near future.
Lastly, a less legislative form of regulation for MSPs is on the horizon as cyber insurance companies begin to change their policies.
Many MSPs lean on cyber insurance to cover expenses in the event of a cyber incident. However, this insurance is no longer as easy to get as it was in the past. Insurers now have stricter requirements for the cybersecurity controls an MSP must have in place before they will take on the liability. As well, with the increasing size of ransomware payouts, premiums are rising to compensate for these losses. In fact, insurers will often cover a ransom payment rather than take on the larger cost of restoring systems without paying. To obtain insurance at an affordable premium, MSPs are being forced to adhere to these stricter requirements.
So, what does this mean for your organization? As more regulation is handed down, MSPs are going to have more and more requirements to meet in order to stay in operation. Your organization will want to ensure that any MSP you sign on with closely complies with the regulations that have been passed and is prepared for those that may be passed in the future. At CIT, we continually make sure that we are compliant with any government orders, and we are always looking out for your organization’s best interests!
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.
Written by Michael Honrine