6 Key Steps to Ensure Minimum Client Compliance

Estimated Reading Time: 5 Minutes

Compliance can be a slippery term. It may mean a lot of different things to the various stakeholders in any organization. For most MSPs, compliance comes down to how you are helping your clients comply with the laws and industry regulations relating to the use of technology and their data. Things are rarely black and white. For example, many industry regulations require organizations to self-certify their level of adherence and compliance on a routine basis. In other cases, organizations may not even be required to self-certify, but are simply expected to be compliant and then subject to periodic audits. And even when organizations are audited, the standards are often not clear-cut. Instead, they rely on the judgement of an auditor.

Therefore, MSPs need to think about compliance as a process rather than an end state. Generally, the work is never done: as firms continue to grow and evolve, the bar only gets raised as their budgets and sophistication increase.

Nevertheless, there are several best practices MSPs can implement to help their clients consistently meet and exceed minimum compliance thresholds. In this blog post, we will explore six key best practices to drive minimum compliance.

1. Verticalize Your Approach

If an MSP wants to get serious about compliance, the first order of business is to narrow your focus to a few key verticals. If an MSP serves clients in a dozen different verticals, it is often hard to specialize and develop the level of expertise that your clients require. According to Kaseya, in their 2020 MSP Benchmark Survey Results Report, 66% of MSP clients struggle to meet industry compliance requirements. Moreover, over 60% of clients turn to their MSPs for advice, consulting, and compliance services to help them meet their requirements. Clients are looking for expertise and an MSP needs to build a critical mass of knowledge and experience in a vertical to truly become a trusted advisor with the client.

The Kaseya benchmarking report mentioned above highlights HIPAA, GDPR, and PCI DSS as the most important laws and regulations which need MSP attention. However, compliance is an area with a long tail and lots of industry niches. Virtually every industry has its own set of laws and unique regulations which govern industry participants. For example, while doctors are clearly governed by HIPAA, there is a long list of other industry players that are also covered by HIPAA, including nursing homes, pharmacies, home health care providers, and non-profit health agencies, to name just a few. In the case of the financial vertical, investment advisors are governed by the SEC and FINRA, while commercial banks are subject to the CFPB and federal laws, such as the Gramm-Leach-Bliley Act (GLBA).

Suffice it to say, MSPs need verticalized expertise to help clients with their compliance and cybersecurity requirements.

2. Understand the Certification and Audit Procedures

Once an MSP has developed expertise around the legal requirements and regulations, the next question is: how are the rules enforced? Again, while there are some broad-based legal frameworks, each industry will have its own unique certification and audit procedures. For example, CMMC 2.0 – which governs defense contractors to the United States federal government – requires companies to self-certify compliance at Level 1 and for parts of Level 2. For contractors working on “prioritized acquisitions” at Level 2, third-party auditors are required. At Level 3, only the federal government itself may perform the audit and certification for larger, more sophisticated government contractors. This is just the process for defense contractors. Every industry, from medical to financial, has its own set of procedures.

All of these regulations are detailed and complex. MSPs should develop expertise in every aspect to help their clients: including the legal requirements, the process to implement standards and controls, and the overall process to certify compliance or successfully navigate an audit. Developing compliance expertise makes great business sense because even in those cases where client self-certification is required, smart companies will turn to outside experts to help them understand the rules and properly implement the necessary controls, standards, and procedures. The stakes are simply too high for non-compliance, which can include fines, sanctions, loss of bidding privileges, or even criminal penalties in some cases.

3. Select a Minimum Cyber Security Standard

Cybersecurity is the foundational element of most technology compliance initiatives. Once an MSP has staked a position in various industry verticals, it is wise to dial in a set of minimum security standards and controls for each class of clients. For example, an MSP may serve both legal and financial clients. The standards for financial clients may well be much higher than for legal clients. The key idea here is to select industry standards for different kinds of clients, rather than customizing things for each client. For instance, many MSPs are leveraging the NIST CSF or CIS cybersecurity standards, since they are specifically called out in compliance requirements for verticals such as defense contracting and finance. In turn, some MSPs are simply applying these more stringent standards to all clients, regardless of vertical, and raising the bar across the board, since more security investment is needed everywhere in today’s complex threat ecosystem.

4. Perform Regular Assessments

Cybersecurity assessments are a great idea at the beginning of a client relationship and regularly thereafter. When working with prospective clients, a cybersecurity assessment is going to drive higher levels of prospect engagement during the sales process and provide the MSP with more opportunities to establish trust and expertise. Moreover, MSPs never want to discover new surprises after a contract is already signed. Therefore, it makes great sense to bake a technology and cybersecurity assessment into the regular sales process, so issues or problems can be discovered and surfaced early. With a clear understanding of known issues, an MSP can properly scope a win-win managed services agreement, identify critical improvements or changes that are required immediately, and propose special projects or upgrades that can be addressed down the road.

Regular cybersecurity assessments should occur on an annual basis going forward. Whether the client is growing rapidly or not, the cyber threat landscape is always changing. Cybersecurity practices which were considered “enterprise” just a few years ago may now be standard for smaller clients. In general, industry consensus is that investments in cybersecurity and business continuity will only continue to increase moving forward.

5. Operationalize Your Assessment Process

If every new prospect should have an assessment performed, it makes sense to operationalize your assessment process. This means you should standardize the set of tools used in the assessment process and standardize the cybersecurity frameworks that are used to measure or characterize the prospective client’s environment. Lots of leading MSPs have had great success building their assessment process around the NIST CSF. A common framework for all prospective and existing clients helps to bring clarity to the scoping, quoting, and pricing process. And with a common approach, the MSP realizes better economies of scale as the organization performs more and more assessments.

6. Productize Minimum Compliance for Your Selected Verticals

Lastly, MSPs should leverage compliance thinking to design better and more robust managed service offerings. A key part of operational maturity is standardizing the service offering and the technology stack that powers it. By leveraging the same tools, processes, and standards across all clients, an MSP realizes better economies of scale, controls labor costs, and delivers better customer service and support. A compliance mindset can help MSP leaders better define service offerings that easily meet and exceed the various minimum requirements for the most important verticals, while still leaving room for more customization for larger and more sophisticated clients. In this way, minimum compliance standards help MSPs build better services for their clients.

Every single day of the year Dropsuite helps protect thousands of firms around the world who must meet strict regulatory and legal compliance requirements for data protection and archiving. Dropsuite helps MSPs design and deliver robust and profitable managed service offerings, which incorporate backup and business continuity technology and services. We research the backup and archiving needs of most regulations to ensure permissions, retention and recovery are all within compliance. Helping MSPs meet the compliance challenges of their clients is perfectly aligned with our passion for helping MSP partners succeed.