Compliance: The Client’s Responsibility or Yours?


Estimated Reading Time: 5 Minutes

Growth-oriented MSPs should master their compliance strategy. To get there, lots of questions need to be answered:

  • Which compliance frameworks are the most important?
  • What are your strategic verticals?
  • How much sleep are clients losing over their compliance mandates?
  • How does new world-class technology help clients get and stay compliant?
  • And…how do you grow and profit as a compliance-focused MSP?

Answering all these questions is essential. However, one burning question usually tops all the rest: who is ultimately responsible for keeping clients compliant?

In this blog, we will explore the answer to this question and reveal the various other implications for compliance-focused MSPs.

1. Client Legal Compliance: Who is Responsible?

“Responsibility” is one way to look at the problem. The ultimate question is, who is accountable for compliance?

The short answer is that the client is ultimately accountable to legal authorities and governing bodies for their own level of compliance. Nearly every business outsources certain functions to third-party service providers. Outsourcing invariably creates confusion around who is accountable or responsible for work being completed or compliance mandates being met.

It is useful here to briefly introduce the concept of a RACI chart. RACI stands for:

  • Responsible – Person who is completing the task
  • Accountable – Person who is making decisions and taking action on the task(s)
  • Consulted – Person who will be communicated with regarding the decision-making process and specific tasks
  • Informed – Person who will be updated on decisions and actions during the project

For various business functions, a RACI chart helps clarify precisely who is responsible for doing the work/performing tasks, who is ultimately accountable for the business results/outcomes, and who is merely consulted or informed.

When it comes to compliance mandates, the end-user client is accountable to authorities for their level of compliance, even if they rely heavily on third-party service providers – such as an MSP – to do the bulk of the work.

For example, under the Health Insurance Portability and Accountability Act (HIPAA), a wide range of different entities are accountable for safeguarding protected health information (PHI), whether they are doctors, hospitals, insurance companies, or other service providers. The HIPAA law introduces the idea of a “covered entity,” meaning an organization that is covered by the law. Many MSPs serve medical doctors and hospitals with technology services, but no matter what, the doctor–patient relationship is where PHI is first generated. Therefore, doctors and their practices are covered entities under HIPAA and are accountable for following the law, even if they use third-party service providers.

Mike Semel – an MSP industry compliance expert – often gets asked by MSP leaders the following question: “Am I responsible for my client’s HIPAA compliance?” In Semel’s view, the unequivocal answer is “no.”

2. MSP Compliance: What Then are MSPs’ Responsibilities?

We have established that clients are ultimately accountable for their own legal compliance, even if they utilize third-party service providers. But, how should MSPs think about their own compliance accountabilities and responsibilities?

For vertically focused MSPs serving regulated clients, the MSP itself will often be a covered entity under various laws and regulations and therefore subject to compliance. For example, under HIPAA, MSPs will nearly always have access to PHI from their medical clients. Therefore, under HIPAA, these MSPs are considered covered entities, and the MSPs themselves need to be HIPAA compliant. This means that the MSP should follow the letter of the law on what it means to be HIPAA compliant and take all appropriate measures in cybersecurity controls and processes to get (and stay!) compliant. Furthermore, under HIPAA, a medical doctor using an MSP needs to sign a Business Associate Agreement with their MSP service provider to establish that the service provider will have access to PHI. This Business Associate Agreement does not mean the doctor is accountable for the HIPAA compliance of the MSP, nor does it mean the MSP is accountable for the doctor’s HIPAA compliance. Both are covered entities, and both are accountable under the law for ensuring their own compliance.

Obviously, these issues around responsibility and accountability are top of mind for all industry participants. MSPs should thoroughly document areas of responsibility and accountability using a Shared Responsibility Matrix (SRM). An SRM is a form of a RACI document that thoroughly documents who is responsible, accountable, consulted or informed. The format of an SRM will often follow the cybersecurity control requirements spelled out in cybersecurity frameworks, such as NIST 800-171.

To learn more about how a Shared Responsibility Matrix can help MSPs and their clients clarify compliance issues, we recommend this blog from Summit7, which explores how an SRM can help with CMMC compliance for defense contractors when clients are working with an MSP.

3. Limiting Your Liability and Managing Risk

We have explored how to clarify responsibilities and accountabilities around compliance for MSPs and their clients, but disputes will still arise between providers and their clients when a crisis strikes. Today’s IT environments are becoming more complex, not less so. The cyber threat ecosystem continues to rapidly change. Organizations face an unending stream of criminal innovation from hackers and cybercriminals. Most cybersecurity professionals speak of “assuming breach,” meaning all organizations should presume they will at some point suffer a cybersecurity incident of some kind, regardless of their prudent investments in cybersecurity technologies and processes.

In this environment, even extremely well run and mature MSPs should presume that there will be cybersecurity incidents with clients, compliance violations of many kinds, and invariably legal disputes between parties. Therefore, MSPs should think proactively and take contractual and risk management measures to limit their liabilities. Let’s look at some of these steps.

First, an MSP’s managed services agreement is absolutely essential to limiting liability. MSPs should work with outside legal counsel who are experts in the managed services space. The managed services agreement should clearly spell out the specific responsibilities of the MSP. The language should be crystal clear, with defined deliverables and contractually binding service level agreements (SLAs). As we have explored in this blog, in most cases MSPs cannot control client behavior or actions, nor the actions of external threat actors. If there are cybersecurity incidents, data loss events, or compliance violations, the client may ask the MSP to step in to provide extra assistance, incident response, or remediation. These unanticipated and labour-intensive service needs should be covered by additional, fee-based services, not simply folded into the main agreement. Moreover, clear contractual language on scope and responsibilities will help the MSP greatly if a client files a breach of contract or breach of duty lawsuit when disaster strikes.

Next, MSPs should make sure they are adequately insured. Professional liability and Errors & Omissions (E&O) insurance is a must. MSPs should also carry their own Cyber Liability Insurance, which provides financial coverage and assistance if the MSP itself falls prey to a cyber-attack. Lastly, MSPs should encourage their clients to carry Cyber Liability Insurance as well, since it is the client’s responsibility to procure adequate coverage for their own organization. A huge benefit of Cyber Liability Insurance for clients is that it forces them to evaluate their cybersecurity posture and maturity and then make all the improvements in technology, infrastructure, and processes needed to receive coverage. The interests of insurance carriers and MSPs are strongly aligned here; all parties benefit if clients are investing and raising the bar on cybersecurity.

4. Staying One Step Ahead: Investing in the Best Technology for Your Clients

In this blog, we have explored how MSPs can clarify responsibilities and accountabilities with clients and proactively limit their legal liabilities. Another key way to serve clients well and proactively manage risk is to invest in the best cybersecurity and business continuity technologies and services for clients. While it is vital to be prepared for worst-case scenarios, MSPs that invest ahead of the curve will limit the number of incidents and challenges from the beginning.

Much has been written about the benefits of a defense-in-depth cybersecurity strategy and the need for layered security solutions. The same issues come into play with backup and disaster recovery technologies. Compliance mandates nearly always stipulate cybersecurity controls as well as backup and business continuity measures. Therefore, MSPs should help their clients by protecting everything. File-level backups for file servers, Network Attached Storage (NAS) devices, and endpoints are a must. Image-level backups for critical servers and workstations help with business continuity and operational uptime. It is vital – in today’s cloud-first world – to proactively back up SaaS-based and cloud application data and infrastructure. Too often, MSPs and their clients fail to consider the backup and business continuity needs of cloud and SaaS applications.

Dropsuite helps MSPs back up and protect SaaS-based data in mission-critical applications such as Microsoft 365 and Google Workspace. With Dropsuite as a partner, MSPs can build robust and compliance-centric managed service offerings.
