Understanding the MSP regulation debate and what MSPs can do
The MSP industry should consider implementing certification and insurance standards before more states follow Louisiana's lead and begin to pass MSP regulation laws.
There is a debate going on about whether and how MSPs should be evaluated and potentially regulated. I want to address the key issues surrounding this debate and present a prescription for MSP regulation and MSP best practices.
The topic of MSP regulation is timely, and all MSPs seem to be concerned with it. Simultaneously, MSPs are experiencing significant increases in demand for their services.
As providers of managed services have risen in popularity, so have the attacks on these organizations. The cyberattacks on MSPs and their clients (the real targets) are part of a larger story of cyberwarfare and crime targeting public and private sector institutions. These cyberattacks are happening all over the world to institutions large and small. The MSPs are the only thing standing between the cybercriminals and their prizes.
The MSP regulation issue is not unique. The MSPAlliance community has been discussing this very issue for many years. Instead of talking about what type of regulation the professional MSP community will accept, we need to explore whether there is a replacement for MSP regulation that satisfies regulators, legislators and clients alike. Let's examine it more closely.
Certification and insurance
There are two general areas of assurance surrounding MSPs. The first is certification, audit and licensure. I use these terms interchangeably, as they all attempt to solve the same issue of communicating the provider's credibility to clients. The second area involves insurance as a risk transference vehicle. Insurance and certification are crucial parts of any profession. Each plays a role in helping professionals communicate and demonstrate assurance to the broader public. The same holds for the managed services profession.
Insurance is about risk transference. If you insure your car and get in an accident, the insurance will pick up the risk and pay for the repairs. Similarly, if your MSP has insurance and your organization suffers a data incident (there are many different kinds of data incidents, and not all of them involve MSP wrongdoing), that insurance should provide some form of risk transference.
Cybersecurity insurance products are beginning to grow in number and accessibility due to increased attacks and threats against MSPs and customers. While there is still a long way to go in the area of MSP and cybersecurity insurance, it has come a long way over the last decade.
Cyber insurance companies are fearful of the increased activity in the cyberwar. Increased attacks on organizations of all sizes in all areas of the globe are undoubtedly taking place. The fear has caused some insurance carriers to step back from offering cyber insurance products altogether. I would argue the insurance industry's fear is not due to the MSPs and their behavior, but instead due to the industry's own lack of understanding of cybersecurity.
MSP insurance is essential and an integral component of the managed services profession's ongoing evolution.
Certification plus insurance equals MSP regulation
There is a strong argument that the right combination of MSP certification and insurance is a useful proxy for MSP regulation and licensure. To be clear, MSPAlliance does not believe in MSP licensure. Such action would not guarantee improved managed services to customers, nor would it encourage growth and innovation within the MSP profession.
MSPAlliance does believe that if properly written, governments have the right to pass legislation demanding accountability and transparency into MSPs and how they operate.
This does not mean states and regulators should not act to enforce such "professional best practices." Taking such an approach would allow public policy to form without requiring lawmakers to understand the intricacies of managed services and cybersecurity, areas they manifestly do not understand, and for good reason. Cybersecurity and managed services is an incredibly diverse and complex profession.
Public policymakers, legislators and regulators should take a closer look at tools already existing in the open market. Doing so may help ease the burden of excessive and unnecessary MSP regulation.
About the author
Charles Weaver is the CEO and co-founder of the International Association of Managed Service Providers (MSPAlliance). Since its inception in 2000, the organization has grown to more than 30,000 members worldwide. Under Weaver's management, MSPAlliance has expanded its reach and influence to include education, standards of conduct and certifications for managed services professionals and companies. Author of the book The Art of Managed Services, Weaver writes and speaks extensively about the managed services industry.