MSP Regulations: What Legislation Exists Today and What’s on the Horizon?

Judge gavel and scale in court. Library with lot of books in background

Any mature industry, at some point, will be regulated by local, state, or federal laws. Restaurants did not always have to have food safety inspections. Gas stations did not always have to have pumps calibrated and certified. Vehicles have not always required seat belts. As a society, we are well served by these regulations that help keep us safe and protect consumer interests.

Lewis Pope, head nerd,
Author: Lewis Pope, head security nerd, N-able.

And now we are beginning to see regulations that are directly calling out the Managed Services Provider business model by name and indirectly in the language of state bills that have already been passed and other legislation that is currently being pursued. In this blog, I’ll take a look at what’s currently on the books in a few states as well as what’s possibly coming down the line and make a few predictions about where we might find ourselves in a few years.

The journey so far

There has always been a litany of privacy and compliance regulations that MSPs must follow like any other businesses, but recent legislation has called out Managed Services Providers by name and provided for rules and regulations that are unique to MSPs and no other type of business, which is new territory.

MSPs in their current form have only been around for roughly 15 years. As the digital revolution has modernized even the smallest of businesses, the IT support needed by those SMBs has increased exponentially with the number of MSPs that have been founded, merged, acquired, or matured into Managed Security Services Providers (MSSPs) keeping pace.

This growth, paired with the rise in ransomware attacks, data exfiltration, BEC, and other scams, have raised the visibility and public knowledge of the important role that MSPs play in keeping today’s economy humming along. That recognition also invites scrutiny that MSPs traditionally have not been subject to.

In the US, if you wanted to start an MSP 10 years ago, you could have started out as a sole proprietorship with no insurance, bonding, or business license. That might not have been the best way to go about it, but there was nothing stopping you from doing so. We have seen a shift away from that not just out of a sense of self-preservation on the part of those starting new MSPs but also due to the wisdom of the community through lessons learned being more widely available now than ever before.

Before we continue, let’s make a distinction between compliance to standards vs legislation targeting an MSP as a unique type of business. Standards or frameworks like NIST 800-171 are not an operational requirement that an MSP must follow in order to be a properly licensed business in a US state.

With the exception of Louisiana, which we will get into deeper below, there are no state legislations that say you must do X or that you must implement specific standards or security frameworks in order to operate in that state as an MSP. There are of course numerous regulations that will affect how and what services are delivered to clients, but there are only a few that call out MSPs directly which we will cover below.

Louisiana Senate Bill 273

ACT 117 – LA SB273 was the first federal, state or local legislation that applies directly and exclusively to MSPs as specific business entities. Passed in 2020, it requires “registration with the secretary of state by managed service providers and managed security service providers servicing public bodies; to provide requirements for doing business; to provide for definitions; to provide for exceptions to public records law; to provide for time limitations on the reporting of cyber incidents; and to provide for related matters.”

The short version is that if you are an MSP in the state of Louisiana servicing any state, parish, or municipal government entity, you have to register with the Secretary of State of Louisiana and you must report any “cyber incident” within 24 hours or “ransomware payments” within 10 days to the Louisiana Fusion Center.

Failure to register or allowing registration to lapse means a public entity cannot enter into a contract for services from the MSP and, if an MSP allows its registration to lapse, any contracts with a public body “shall be null and void”.

This legislation did not provide for any requirements of how an MSP should operate or what services an MSP should offer so you have MSPs registered with the state that are providing widely varying scopes of service and cyber security. There is no meaningful barrier to entry in this legislation if you want to provide MSP services to a public body in Louisiana, you just must be willing to register with the state and report major cyber incidents.

North Carolina Senate Bill 105: Section 38.13

Passed by the North Carolina General Assembly on April 5, 2022 as part of the state’s 2021-2022 budget, it states “No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment” as well as requiring any affected entity to notify the Department of Information and Technology in accordance with G.S 143B-1379. It is the first state legislation in the United States that outright prevents ransomware payments by public bodies.

Section 38.13.(c) does not require but encourages private sector entities to report cybersecurity incidents to the Department of Information and Technology, but nothing in the law prevents private entities from engaging with and paying ransomware attackers.

So, what does this all mean for an MSP in North Carolina? If your clients do not include a state or local government entity as defined in the bill, then nothing is required of you. If you do support one of the covered entities, then you will not be able to directly engage with a ransomware attacker or pay the ransom without first consulting with the NC Department of Information and Technology.

This means if you find yourself in a situation were paying the ransom is the only option to recover data or otherwise restore operations, your hands may be tied, and decision-making may be coming from the Department of Information and Technology instead of you or your client. That should be all the encouragement you need to ensure that backups of all data and mission critical systems is being securely backed-up offsite, monitored, and audited.

Pennsylvania Senate Bill 726

Section 7678 of SB726 defines that “after December 31, 2021 state or local taxpayer money or other public money may not be used to pay an extortion attempt involving ransomware.” With the exception that the governor can authorize a ransomware payment with the declaration of a disaster emergency.

Passed in its current form on January 18, 2022, Pennsylvania SB726 enacts legislation similar to North Carolina’s SB105. A noticeable difference is Pennsylvania SB726 is an 11-page standalone bill where North Carolina’s SB105 only includes 637 words in Section 38.13, but the end result is still similar in that an MSP doing business with a state or local government entity may find certain options for recovering from a ransomware incident being unavailable.

Barring extraordinary circumstances, enough to warrant the governor to declare a disaster emergency, paying the ransom to restore data or operational capabilities is off the table. This puts an onus on MSPs supporting local or state government bodies in Pennsylvania that disaster recovery  and business continuity are part of your services and that those backups are offsite and secure.

What’s to come?

There will likely be additional legislation passed at local, state, and federal levels in the future. Some will be vague, some may be over burdensome, and others may create requirements for following established best practices like following the NIST CSF. If you are an MSP in Pennsylvania, North Carolina, or Louisiana and this is the first time you have heard about these legislative actions, I hope that you will continue to learn more about them and the impact they have on your MSP and clients. If you operate outside of those states or have operations in other countries, it’s not unlikely that similar laws or legislation may be on the way.

While it is undoubtedly in an MSP’s best interest to stay informed about legislation that affects them, it is a challenge keeping apprised of current and future developments. There is currently no one-stop-shop for this type of information. Joining peer groups, watching the social feeds of those in the channel like ChannelE2E, or following advocacy organizations like the National Society of IT Service Providers (NSITSP) can help keep you in the loop.

While it’s impossible to know what future legislation will look like, whatever the laws call for may share commonalities with the NIST CSF, CMMC or CIS Controls. When these laws do start to materialize, MSPs that have already implemented cybersecurity frameworks in the delivery of their managed services will be positioned to take advantage of the situation instead of reacting in a panic because contracts are being threatened.

Lewis Pope is the head security nerd at N-able. You can follow him on Twitter (@cybersec_nerd), LinkedIn (thesecuritypope) and Twitch (cybersec_nerd). Read more N-able guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.