February 5, 2025

How MSPs Can Build a Profitable Compliance Program

Hundreds of thousands of businesses now fall under one or more compliance regulations. Here’s how MSPs can turn that into an opportunity.

The old joke about taxes has evolved: “Nothing is certain except death and compliance regulations.” As more regulations encircle thousands of companies, MSPs have a unique opportunity to build their own compliance programs — turning regulatory requirements into a profitable service offering.

In fact, compliance is quickly becoming a new profit center for MSPs.

Start with a Solid Framework

Before helping clients, MSPs must put their own compliance house in order. A basic framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, is a good starting point, advised Blair Dawson, a member at Chicago law firm McDonald Hopkins, who specializes in compliance for MSPs.

However, Dawson emphasized that a compliance program should not be based solely on internal needs.

“Your compliance program should be driven by what your clients need,” she said. “Those in highly regulated industries, like healthcare under HIPAA, will require you to learn the compliance framework for that industry.”

For clients in less regulated sectors, such as general small businesses and manufacturing, a more basic framework like the NIST Cybersecurity Framework is often sufficient. This is why Dawson recommends that MSPs adopt the NIST framework internally first and then expand to industry-specific frameworks as client needs require.

A Growing Market Opportunity

Shrav Mehta, founder and CEO of Secureframe, saw firsthand how challenging compliance can be. Every one of his previous employers struggled with compliance frameworks. “Spreadsheets were manual and impossible to keep up with, so I started building automation scripts,” Mehta recalled. “Then, I realized other businesses were dealing with the same compliance burdens.”

Photo: Shrav Mehta, founder and CEO of Secureframe

One key insight Mehta discovered was that many frameworks share significant overlap. In fact, 70% to 89% of requirements were the same across multiple frameworks, just phrased differently.

This overlap presents a significant opportunity for MSPs to streamline compliance across multiple frameworks. “Every company has compliance needs, even NFL teams,” added Mehta.

Another significant example: with CMMC 2.0 (Cybersecurity Maturity Model Certification) set to take effect in 2025, more than 250,000 businesses in the defense industrial base will need certification to win or keep Department of Defense contracts.

For MSPs serving defense contractors, this makes compliance mandatory in practice. Under the CMMC 2.0 rules, an MSP that processes, stores, or transmits a client’s controlled unclassified information falls within the scope of that client’s assessment, so the MSP must meet the requirements of the same CMMC level as the client or risk keeping the client from passing its own assessment.

The Insurance Connection: Why Compliance Matters

Beyond regulatory requirements, compliance also plays an essential role in securing cyber insurance.

“Having a compliance framework in place makes it less onerous to get cyber insurance and streamlines the application process,” Dawson explained. “Even if a business isn’t subject to industry-specific regulations, data privacy laws, breach notification requirements, and class action risks still come into play.”

Yet many MSPs mistakenly assume that if their clients aren’t regulated, compliance isn’t necessary. That’s a dangerous assumption. “If something happens to your client, an MSP needs to protect itself with compliance and documentation, in case things go sideways,” Dawson warned.

For example, one major cyber insurance provider denied a breach claim because the insured had attested on its application that multifactor authentication (MFA) was in place. An MFA policy existed on paper, but it had never actually been implemented.

Unfortunately, companies often have policies, but don’t follow them — and regulators hate that, Dawson said. “Compliance is not a destination but a journey.”

Photo: Blair Dawson, McDonald Hopkins

Staying Compliant Is an Ongoing Process

Keeping up with compliance requires constant monitoring and documentation, Mehta advised. “Many frameworks, like ISO, call for continuous compliance.”

That means regular reporting and real-time security monitoring. Mehta’s company even offers a public-facing security page that provides live compliance updates for clients and auditors.

Documentation is key, since many compliance frameworks require reporting obligations, Dawson added. Clients often don’t realize they need this level of detail until an audit happens — and that’s when they rely on their MSP. “Track what you do all year and document everything. It’s great to have the information at your fingertips if there’s a problem.”

Without proper records, MSPs and their clients risk failing compliance audits or facing legal consequences. “It’s tough to convince a regulator that retroactive records are accurate,” warned Dawson. “Saying ‘We always do Patch Tuesday’ is not enough.”
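Dawson’s point that retroactive records are hard to defend suggests a practical safeguard. The following Python script is an added illustration, not code from the article or from any of the companies quoted: it records each routine control activity (here a constructed patch-window check and a constructed MFA enforcement check) as a JSON record carrying a UTC timestamp and the SHA-256 hash of the previous record, so that any later edit, deletion, or reordering breaks the chain and is detectable. The host inventory, the dates, and the 30-day patch window in `patch_compliance` are assumptions made up for the example.

```python
"""Tamper-evident evidence log for routine compliance activities.

Added example (not from the article). Each control activity is appended as
a record with a UTC timestamp and the SHA-256 hash of the previous record.
Editing an old record afterwards breaks the chain, so an auditor can check
that the log was kept as work happened rather than reconstructed later.
The host data and activities below are constructed sample input.
"""
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def append_evidence(log: list, activity: str, details: dict, when: datetime) -> dict:
    """Append one activity record, chained to the previous record's hash."""
    body = {
        "seq": len(log),
        "recorded_at": when.astimezone(timezone.utc).isoformat(),
        "activity": activity,
        "details": copy.deepcopy(details),  # snapshot, so later mutation of `details` is not reflected
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    body["hash"] = _digest(body)  # hash covers every field except "hash" itself
    log.append(body)
    return body


def verify_chain(log: list) -> tuple:
    """Return (ok, index_of_first_bad_record). Detects edits, deletions and reordering."""
    prev = GENESIS
    for i, rec in enumerate(log):
        unhashed = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev_hash") != prev or _digest(unhashed) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None


def patch_compliance(hosts: list, now: datetime, max_age_days: int = 30) -> dict:
    """Evaluate each host's last patch date against an assumed patch-window policy."""
    report = {"compliant": [], "overdue": []}
    for h in hosts:
        age = (now - h["last_patched"]).days
        bucket = "compliant" if age <= max_age_days else "overdue"
        report[bucket].append({"host": h["host"], "days_since_patch": age})
    return report


def demo() -> tuple:
    """Run a patch check, log it, then show that a retroactive edit is caught."""
    now = datetime(2025, 2, 5, 15, 0, tzinfo=timezone.utc)
    # Constructed inventory, shaped like an RMM export.
    hosts = [
        {"host": "fs01", "last_patched": now - timedelta(days=12)},
        {"host": "ws-acct-07", "last_patched": now - timedelta(days=41)},
        {"host": "web01", "last_patched": now - timedelta(days=3)},
    ]
    log = []
    report = patch_compliance(hosts, now)
    append_evidence(log, "patch-window-check", report, now)
    append_evidence(log, "mfa-enforcement-check",
                    {"idp_policy": "all-users", "enrolled": 48, "total": 48},
                    now + timedelta(hours=1))
    ok_before, _ = verify_chain(log)
    # Someone later "cleans up" the record to hide the overdue workstation.
    log[0]["details"]["overdue"] = []
    ok_after, bad_index = verify_chain(log)
    return report, ok_before, ok_after, bad_index


if __name__ == "__main__":
    rep, before, after, bad = demo()
    print(json.dumps(rep, indent=2))
    print("chain intact before edit:", before)
    print("chain intact after edit:", after, "(first bad record:", bad, ")")
```

The chain only proves that the log has not been altered since it was written; to show that records were created when they claim to have been, ship each new record to a write-once store or an external timestamping service as it is appended.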

The Bottom Line: Compliance Is an Opportunity, Not a Burden

While compliance and insurance applications can seem daunting, failing to implement these frameworks can be far more costly, Dawson cautioned.

Mehta echoed this sentiment: “There are lots of security standards coming out, each a bigger burden.” What was once manageable manually is now overwhelming.

The good news for MSPs? Compliance represents a competitive advantage. Those who invest in compliance services now will not only protect their clients but also build a high-value, recurring revenue stream in the process.


Key Steps to Build a Compliance-as-a-Service Program

Here are some strategies for MSPs to build a profitable CaaS program, courtesy of Dan Hernandez, CEO of PCS Technology:

Photo: Dan Hernandez, CEO of PCS Technology

1. Establish an Advanced Security Stack

  • Begin by offering an advanced security stack. This sets your program up for success and helps convert initial rejections into approvals on cybersecurity insurance applications. Additionally, it supports compliance by meeting industry standards.

2. Conduct a Third-Party Assessment

  • Implement an independent assessment to identify, discuss, and mitigate risks. This evaluation serves as an essential tool for validating your security posture and highlighting areas for improvement.

3. Partner for Policy Documentation

  • Choose a reliable partner to assist with documenting policies and frameworks. Effective documentation is critical for maintaining compliance and ensuring clear communication of security protocols.

4. Start with a Pilot Client

  • Launch your program with a small-scale client opportunity. Offering a discounted service initially can help establish credibility and refine your process. For instance, we began by assisting a nonprofit organization in achieving HIPAA compliance.

5. Engage Dedicated Security Personnel

  • As demonstrated by our experience at PCS Technology, hiring a security coordinator can be highly beneficial. This role involves engaging with clients on policy development and guiding the compliance process, with regular meetings supported by senior staff to ensure progress.

Featured image: iStock
