All good things will eventually receive more government oversight. (At least those good things that become less good over time as new information-security concerns emerge.)
The purpose of this article is to help you leverage the prospect of impending regulation to make better business decisions.
It’s inevitable, so why not use it to your advantage?
Managed Services Providers (MSPs) and break-fix IT companies have enjoyed a relatively free and easy existence over the last fifteen years.
The following conditions have combined to create a wide-open, unsupervised playing field:
- Low barriers to entry
- Opportunities for self-taught techs (with solid people skills) to quickly advance and run their own businesses
- The proliferation of professional services automation (PSA) and remote monitoring and management tools (RMM)
- The growth of cloud solutions that can be resold and managed by third parties – both large and small
- An expanding market willing to engage and/or sign contracts without conducting rigorous vendor review processes
Now consider the non-stop barrage of news headlines related to malware, ransomware, wire fraud, identity theft, data compromises, denial of service attacks, election tampering, deep fakes, and lawsuits…
The drama never ends. No one is immune – government entities, Fortune 500 corporations, SMBs, and everyone else in the supply chain.
It’s no wonder a reckoning is at hand with IT vendors. They have the keys to the kingdom.
Small MSPs, large MSPs, and everyone in the middle will be under a more powerful regulatory microscope.
Can your IT provider pass the test?
The Louisiana Precedent
Louisiana Senate Bill 273 is a new law that requires MSPs to register with the Secretary of State (SOS).
In effect since February 1, 2021, the legislation was prompted by state agencies/public bodies who needed transparency and full-disclosure safeguards in place to lower their risk when partnering with MSPs.
For example, in addition to submitting detailed contact information, business definitions, and operating details to the SOS, MSPs are required to report any cyber breaches or ransomware events to the Louisiana Fusion Center within 24 hours of each incident.
Managed services providers and managed security services providers are also required to report any payments of ransomware within ten days of each transaction.
Learn More: The New Bill
I concur with Charles Weaver, Co-Founder of the MSP Alliance, who recently remarked, “…The state’s motives are genuinely favorable to the cause of MSPs everywhere. A “hostile legislative” act towards MSPs would have made it much more difficult for the state (and its respective agencies and departments) to maintain their IT assets with MSPs’ assistance. The MSP registration law attempts to make it easier for the state to outsource to MSPs…safely!”
Learn More: Future MSP Regulation
The stars are now aligned for a precedent that will probably extend well beyond the borders of the Creole State.
That’s simply the way laws tend to behave.
SOC 2 Audits
Service Organization Control 2 (SOC 2) is one of several reporting frameworks from the American Institute of Certified Public Accountants (AICPA).
CPAs and auditors follow AICPA guidelines established in “Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy.”
SOC 2 reports contain eleven service organization control objectives for software as a service, managed services, application development, cloud service providers, data centers, and other Internet-dependent technologies.
- Compliance
- Data Governance
- Facility Security
- Human Resources Security
- Information Security
- Legal
- Operations Management
- Risk Management
- Release Management
- Resiliency
- Security Architecture
Updated annually, SOC 2 reports are comprehensive. If your MSP has this document in hand, they are going the extra mile in their commitment to operating excellence, cyber security preparedness, and full transparency.
Learn More: SOC 2 Controls Matrix PDF
They’re also expensive.
According to Vanta, “Audit fees range from $20,000.00 to $45,000.00 for the SOC2 report itself, but there are many costs beforehand. Most companies engage audit firms for a “readiness assessment” – and those begin at $10,000.00 and scale with company size.”
Learn More: Audit Cost Ranges
From my experience, very few MSPs go through annual SOC2 audits.
However, most forward-thinking MSPs partner with larger technology providers who do. (AWS, Cisco, Connectwise, Datto, Dell, Lenovo, Microsoft, Veeam, VMware, etc.)
How forward-thinking is your MSP? Do you know which vendors they use?
MSP Cyber Verify
Created by the MSP Alliance, MSP Cyber Verify (MSPCV) is an industry-specific auditing framework.
While SOC2 was designed for a wider range of organizations, MSPCV offers a unified certification standard for cloud and managed service providers who get evaluated across ten control objectives:
- Governance
- Policy and procedures
- Confidentiality, privacy, and service transparency
- Change management
- Service operations management
- Information security
- Data management
- Physical security
- Billing and reporting
- Corporate health
Updated annually and verified by independent CPAs, MSPCV reports capture more granular technology details than their SOC2 counterparts.
They also disclose financial details so you can accurately assess the corporate health of your MSP.
As you will see in their objectives and underlying requirements, no stone is left unturned, especially in cyber security.
Learn More: MSP Auditing Objectives
They also offer these services at rates that are more affordable to certain MSPs. The word “certain” is chosen carefully because the United States has 40,000 MSPs, with the top 8,000 capturing most of the available revenue.
A third of MSPs report making less than $1,000,000.00 in annual revenue.
Companies in this segment will have a hard time justifying $15,000.00 per year on any kind of audit. They may also have a great degree of difficulty meeting the control criteria.
While the MSP Alliance offers SOC2 as an add-on, I suspect this is mostly targeted to MSPs that need the widely recognized designation to work with clients in heavily regulated industries like insurance, banking, finance, and healthcare.
Next Steps?
I hope I have given you a new baseline to evaluate prospective IT providers.
Let’s face it: SOC 2 is well known, and you probably just learned about MSPCV today.
Both frameworks have a lot of minutiae to wade through, but I count that as a positive if you are having a conversation of this nature with a prospective MSP.
The importance of independent auditing and transparency cannot be overstated.
If you have any concerns around regulation, compliance, and IT auditing frameworks, the Integris team has decades of experience, and we look forward to guiding you.