4 Ways to Unlock Secrets of Industry Regulations

Introduction

Industry and regulatory compliance are areas where MSPs should flex their muscles. In today’s cyber threat ecosystem, clients rely on their MSP to guide them through the complex patchwork of laws and industry regulations that govern businesses of all sizes. Companies need to worry about not just overlapping local, state and federal laws, but also specific privacy laws and unique industry regulations, along with a slew of emerging and different cybersecurity standards.

There is a lot at stake. Companies can face fines, sanctions, or even criminal penalties if there are violations of privacy and cybersecurity laws or regulations. Just as important, meeting and exceeding cybersecurity and operational controls makes good business sense. High standards build trust with customers, vendors, and business partners. Excellence in cybersecurity also protects employees and their productivity. And the last thing anyone wants is the negative PR or reputational damage that comes from a hack or a data breach. While it is virtually impossible to eliminate every risk in today’s environment, staying out of the news and avoiding cybersecurity incidents altogether pays big dividends.

One area of specific concern is private industry regulations. Many industries have self-governing bodies which regulate industry participants or specify operational standards. Wisely, most industries want to pursue sound self-regulation to head lawmakers off at the pass. Self-regulation tailored to operational realities is far superior to poorly crafted laws or mandates, especially when those only add red tape and other operational costs.

MSPs have a special role to play in helping their clients comply with industry regulations. MSPs need not only to consult and advise their clients on standards and operational requirements, but also to ensure that their own internal cybersecurity standards and controls are up to scratch.

Here are the four ways MSPs can raise the bar on regulatory compliance for their clients.

1. Know Your Verticals

It is wise for MSPs to develop vertical market expertise. When an MSP focuses on one or a handful of verticals, everything becomes a lot easier. For instance, with marketing and sales, a vertical focus makes it easier to define your target market, craft unique messaging, and prospect into the target market.

It is also easier to devise technology solutions that meet the unique requirements of the vertical. For example, an MSP may decide to focus on defense contractors, lawyers, and financial firms. All three of these verticals require advanced cybersecurity solutions and are governed by laws and regulations which mandate strict protections of private client information. By developing expertise in key verticals, MSPs can craft assessments and audits which are tailored to industry requirements.

Not surprisingly, decision-makers in these segments appreciate MSP analysis and recommendations, which not only raise the bar on cybersecurity standards, but also ensure certification and compliance with vital industry regulations. For certain industries, such as defense contractors, this is often a matter of business survival, as regulations such as CMMC require certification just to bid on projects and compete for new business.

2. Select Industry Standards

Cybersecurity standards are another area where MSPs should beef up their knowledge and expertise. Various regulations often point to other third-party cybersecurity standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is a comprehensive list of cybersecurity best practices and controls, which enable an MSP to thoroughly analyze and benchmark the cybersecurity maturity of a client. Cybersecurity standards like NIST CSF are critical tools to help MSPs perform risk assessments on prospects or clients.

Other industry regulations point to standards and special publications by NIST. For example, the Securities and Exchange Commission (SEC) recommends that registered investment advisors follow NIST CSF to improve their cybersecurity standards and maturity. In another example, the CMMC regulations which govern defense contractors specify adherence to NIST special publications, such as NIST 800-171. Suffice it to say, written cybersecurity standards are critical resources for MSPs to manage the cybersecurity controls at clients and to help them comply with various industry regulations.

3. Embrace Self-Regulation

MSPs and their clients should embrace self-regulation. The reality is that most industry participants should voluntarily improve their level of attention and adherence to industry regulations. The threat of audit, inspections, or sanctions is helpful to nudge the complacent or recalcitrant in the right direction. Nevertheless, most industry regulations rely heavily on self-regulation to drive compliance and follow-through.

For example, the Financial Industry Regulatory Authority (FINRA) is a private, self-governing entity that specifies rules, best practices, and standards for financial industry participants. FINRA is designed to give industry participants clear guidelines on operations and standards, above and beyond the state and federal laws that govern the industry. While FINRA can sanction non-compliance, the general goal is to drive self-regulation at the firm and professional levels, which means MSPs serving this sector should educate themselves on the FINRA Rules on Preserving and Archiving Books and Records.

Self-regulation has also emerged as an important element in the defense contracting space. The Department of Defense in November 2021 announced a host of changes to CMMC regulations, which have now been dubbed CMMC 2.0. These new rules call for self-certification for the vast majority of defense contractors governed by the regulation. All Level 1 and part of Level 2 firms will be required to self-certify compliance with CMMC cybersecurity standards. The takeaway for MSPs is that they are key participants in the overall process of helping clients voluntarily comply with various industry regulations.

4. Raise the Bar: Consider SOC 2 Compliance

In the spirit of self-regulation, another option for MSPs is to seek a SOC 2 certification. MSPs, like other professional service providers such as accountants and lawyers, have access to vast quantities of private and confidential client information. When MSPs deliver outsourced IT services, they usually have access to nearly everything the client does. Therefore, an MSP relationship is necessarily a high-trust one.

SOC 2 compliance was developed by the American Institute of Certified Public Accountants (AICPA) to provide an audit process that validates that third-party service providers, such as CPAs or MSPs, are securely managing the information assets and privacy of their clients. SOC 2 measures a service provider along five dimensions: security, availability, processing integrity, confidentiality, and privacy.

Passing a SOC 2 audit is a high bar for most MSPs. Those MSPs who have invested and achieved this certification level will find it much easier to establish trust and credibility with prospective new clients.

SOC 2 audits are performed by independent, outside auditors. The auditors verify that the MSP is operating at high levels of trust and is following through on service level agreements and other contractual commitments, especially as they pertain to the five dimensions spelled out in SOC 2. One example is the backup and disaster recovery solutions MSPs supply to clients to ensure data protection and operational resiliency.

A SOC 2 audit process may involve having the MSP demonstrate that it can easily restore and recover SaaS data such as emails, calendars, and chats backed up from the client’s Microsoft 365 environment. Availability of information assets is a key SOC 2 test, and MSPs need not only comprehensive and complete backup solutions for their clients, but also the operational experience to quickly recover and restore client data and infrastructure.

At Dropsuite, our IT infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards, including:

  • SOC 1, 2 and 3
  • FISMA, DIACAP and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001
  • ITAR
  • HIPAA

To learn more about the protection that Dropsuite provides for MSPs and their customers, visit our webpage on data security.