
5 Compliance Topics That MSPs Need to Know About

Complying with cybersecurity frameworks and promoting compliance with them can help an MSP distinguish itself from its competitors. With a clear understanding of key compliance topics, MSPs can protect their businesses and customers and drive sales and revenues, according to IT security company Beachhead Solutions.

In its new MSP Guide to Compliance and Regulation, Beachhead explores five compliance topics that MSPs face right now:

1. FTC Safeguards Rule

The FTC Safeguards Rule requires financial institutions to maintain an information security program to keep customer data secure and confidential, Jon DePerro, chief compliance officer at Visibility MSP, told Beachhead.

Many organizations want MSPs to provide security protections in accordance with the FTC Safeguards Rule, DePerro noted. If MSPs cannot, these organizations are likely to switch to a service provider that can.

By learning about the FTC Safeguards Rule and all that it entails, MSPs can help financial institutions comply with it. They also can further separate themselves from the competition.

2. HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) has been in place since 1996. It requires healthcare covered entities, and the business associates that handle protected health information (PHI) on their behalf, a category that includes MSPs, to safeguard that information; the HIPAA Security Rule spells out the administrative, physical and technical safeguards expected for electronic PHI.

To ensure healthcare providers comply with HIPAA, MSPs can perform regular risk assessments, Paul Redding, vice president of Channel, Engagement and Security at the Compliancy Group, told Beachhead. They also can develop incident response plans that healthcare organizations can use to respond to cyberattacks and data breaches.

In addition, MSPs can teach healthcare employees about HIPAA and why it is important to secure their organizations' sensitive data.

3. Cybersecurity Assessments

MSPs can perform cybersecurity assessments to analyze an organization's systems, networks, processes and controls. Next, they can identify vulnerabilities and recommend security enhancements, Frank Gurnee, channel director at SecurityStudio, told Beachhead.

It is important for an MSP to go beyond "just checking off boxes" when it performs a cybersecurity assessment, Gurnee noted. MSPs can incorporate cybersecurity assessments into their risk management and reduction strategies. They can explain the business value of their assessment results to customers as well.

Also, MSPs should assess their own systems, networks, processes and controls, Gurnee indicated. This allows MSPs to find ways to optimize their security posture.

4. CMMC 2.0

Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance is required for organizations that bid on Department of Defense contracts involving federal contract information or controlled unclassified information, and an MSP that stores, processes or transmits that data for a defense contractor falls within the contractor's assessment scope, so the MSP's own controls are examined as well. Meanwhile, MSPs can teach organizations about CMMC requirements, assessment processes and compliance to "ultimately win new business," Aaron Wyant, president of Dispatch Tech, told Beachhead.

MSPs can provide organizations with data protection and access controls, risk assessments and other cybersecurity services that meet CMMC's technical criteria, Wyant said. They also can stay on top of CMMC 2.0 and other new developments relating to the certification and help their customers keep pace.

5. Cyber Insurance

Cyber insurance financially protects organizations after data breaches. It helps cover the costs of breach response and remediation and, where the policy and applicable law allow, regulatory fines and penalties.

MSPs can teach organizations about the value of cyber insurance and help them get the right coverages, Larry Meador, channel chief at DataStream Cyber Insurance, told Beachhead.

They must also ensure that their customers' cyber insurance coverages are documented, since "the right documentation is the difference between a claim being paid or not," Meador noted.

MSPs Under Pressure to Understand Compliance

Complying with cybersecurity frameworks and promoting compliance is a "strong advantage" for MSPs, Beachhead vice president of Sales and Marketing Cam Roberson indicated.

MSPs that can demonstrate their compliance and provide organizations with the peace of mind that their data security is in good hands are well equipped to foster long-lasting customer relationships, Roberson stated. They also may secure higher monthly recurring revenue (MRR) and better margins than their rivals.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.