After years of inflicting ever-mounting damage, ransomware has become the stuff of almost daily national headlines. In response, cyberinsurers are jacking up rates, Congress is working on a host of new laws, and the Biden administration, in between firing warning shots at foreign governments, has issued an executive order on cybersecurity that calls out IT service providers by name.
All of that, cautions Karl Palachuk, is just the beginning. “Legislative bodies have discovered who we are and they’re going to regulate us,” he says.
Indeed, they already are. Recently enacted rules in Louisiana, observes Palachuk—an author, business coach, technology consultant, and former MSP—are the first of what’s sure to be a string of state decrees that, among other things, spell out the meaning of terms like “managed service provider” and “MSSP”.
“That’s a hard thing to change once it gets defined incorrectly,” Palachuk notes, which is exactly what will happen if MSPs watch from the sidelines while lawmakers act.
“We need to basically invite ourselves to sit at the table and help figure out where this industry is going,” he says.
He’s not the only one who feels that way, either. The architect of Louisiana’s law, Secretary of State Kyle Ardoin, is all but pleading with MSPs to take charge of their future too.
With that in mind, Palachuk is spearheading the creation of a membership association for channel pros tasked with nothing less than “determining what constitutes professionalism in our industry.” Called the National Society of IT Service Providers, the new group held a critical early organizing meeting online today.
Creating a template for laws governing the SMB channel is one of the group’s top initial priorities. Left to their own devices, Palachuk warned meeting attendees today, state legislatures are likely to create well intentioned yet “completely inappropriate” regulations. “On the other hand, if somebody is standing there on the side, ready to hand them a piece of draft legislation, they will start with that,” he said.
A template for future state laws is already available on the group’s website. In seven pages, it defines IT service provider and managed service provider; requires everyone who meets those definitions to register with the state; and obliges the state in turn to create a searchable online list of those firms. Like Louisiana’s law, it also requires providers to report cyber incidents and tell authorities when cybercrime victims opt to make ransom payments.
Critically, the proposed law bars businesses that refuse to pay for backup services from suing should they be struck by ransomware. That’s the only surefire way to shield channel pros from legal action by negligent end users, according to Palachuk, who believes the waivers many MSPs now require clients to sign when declining recommended services are all but useless.
“If there’s a cyberattack and they end up paying a million dollars in ransom, their insurance company is going to sue your insurance company, period,” Palachuk says. “There’s no way to be relieved of that liability without the state providing a way to say, ‘these people cannot be held liable.’”
Palachuk, who calls the draft regulation’s scope deliberately modest, has bigger ambitions in mind for the group he’s formed. “I’d like to see as few limits and regulations as possible at the state level, but I’d like to have an association that steps up and says, ‘here’s what we do. Here’s what we stand for,’” he says.
In pursuit of that aim, Palachuk wants the society to articulate codes of professional conduct, like those posted for consideration on its website now, that buyers of managed services can use to distinguish skilled, diligent providers from fly-by-night firms that call themselves MSPs, do shoddy work, and then abandon their customers when something inevitably goes wrong.
“They affect everyone’s reputation,” Palachuk notes. “We can never stop bad actors from behaving the way they behave, but what we can say is, ‘these are the lines that define the way a good actor behaves.’”
Palachuk chose to launch a new organization when existing ones like CompTIA, whose ability to lobby legislators is restricted by rules governing its non-profit status, declined to get involved. “It’s kind of left a vacuum,” he says. “At the end of the day, it’s not about who should do this, it’s about who does do this, and so somebody had to do it.”
Palachuk has no intention of doing it alone, however. His eventual hope is to recruit at least one volunteer in all 50 states, plus every province in Canada, the U.K., and Australia, to drive legislative action, and to build a network of local chapters as well.
As an interim step, however, Palachuk simply wants to attract as many members to the group as possible. There’s no fee to join for the moment, and the society will use the contact information it collects solely to keep people informed about recent activities and forthcoming meetings.
The next such meeting is scheduled for July 28th. Agenda items include fundamentals like defining the organization’s mission, vision, and values, along with forming committees. Those kinds of chores can be painstaking work, Palachuk acknowledged during today’s meeting, but there’s little time to waste.
“There will be another major cybersecurity incident that makes international news,” he predicted, “and when lobbyists and legislators see something like that, they take action.”