Hair stylists and massage therapists are regulated by state governments. Why aren’t the people responsible for safeguarding Social Security numbers?
“MSPs, and I think in general the IT world, is just sort of hanging out there without any checks and balances,” says Kyle Ardoin, Louisiana’s secretary of state.
They are until February 1st of next year, anyway. That’s when Louisiana Act 117 – Senate Bill 273, the nation’s first regulation for MSPs and MSSPs, becomes law in the Bayou State. Ardoin discussed that legislation and its implications for channel pros elsewhere in America during a Q&A appearance today at ConnectWise’s IT Nation Secure event.
The forthcoming law, which Ardoin spearheaded, came in response to a wave of ransomware attacks last year on cities and agencies across the state. “It started with school systems and local governments,” Ardoin recalls. “In fact, the entire city of New Orleans was shut down electronically at one point.”
That was last December, weeks after an assault affecting election officials that Ardoin found even more disturbing because it took place some seven days before the conclusion of a closely fought gubernatorial race. “Had the attack occurred closer to the election, we could have had a little bit of chaos,” he observes.
Before long, Ardoin was getting calls from the FBI about the incidents. “They started educating me on MSPs. I was not aware of what even an MSP was or that they even existed in any state, much less internationally,” he says. “My concern was who are these people?”
Answering that question is the pending regulation’s central objective. “If I know who the partners are, perhaps we can open up communication,” Ardoin explains.
When it goes into effect, the new law will require MSPs and MSSPs who do business with “public bodies” to register with the state for what Ardoin says is a nominal fee. Providers must also report cyber incidents affecting public bodies along with any ransom payments associated with those attacks, and write those obligations into their contracts. Public bodies, meanwhile, will be forbidden from doing business with unregistered MSPs or MSSPs.
By design, according to Ardoin, a Republican and self-described conservative with little fondness for regulation, those mandates are relatively modest and chiefly aimed at getting MSPs and their public sector customers communicating with each other about needs and capabilities.
“I think it’s important to hopefully encourage both the MSPs and government agencies to ask the right questions and offer the right information to each other, and in a constructive dialogue, without any heavy regulation at this point,” he says.
The “at this point” part of that assertion, however, hints at the potential for broader requirements later in areas like marketing claims.
“I understand that it’s a very costly business to be in cyber protection, but they’ve got to be straightforward with their customers and tell them at what levels they can protect them,” Ardoin says. “And if they’re not being straightforward because they’re concerned about losing business because of costs, well, they’re doing a disservice, an even greater disservice, not just to the entity they’re trying to protect but to the citizens that interact with that agency or their personal information.”
Defining minimum standards of service is also a possibility for Ardoin, who was disturbed to learn that MSPs serving some of the victims of last year’s attacks weren’t using multifactor authentication.
“MFA is just a basic level of protection that everybody should have,” he observes. “If MSPs weren’t utilizing something as simple as multifactor authentication to protect themselves, then they certainly weren’t giving a level of protection to their clients, because that’s how they were infiltrated.”
Rather than enforce adoption of basic defensive tools like MFA through legislation, however, Ardoin is hoping channel pros will make security best practices compulsory themselves. “I would like to see the industry regulate itself and educate itself and the customers before government gets involved and screws it all up,” he says.
ConnectWise Vice President of Cybersecurity Initiatives Jay Ryerse, who conducted the interview with Ardoin, would like to see that too, which is why he included this session in IT Nation Secure’s agenda. The only question is whether or not leaders in the industry are ready to take on that task.
“If we can get the top three or four names to the table to talk about what we can do to align and self-police and self-regulate on security, how much better would we be?” he said in a recent conversation with ChannelPro. And make no mistake, he continued, what began in Louisiana is coming for the rest of the country before long.
“23 states have implemented privacy laws now, and many others are just working through COVID issues within their states before they get back to those types of legislation,” he notes. “What’s that going to mean for our industry?”