YOU WOULD BE THRILLED if the government strictly enforced policies that required your end-user clients to implement cybersecurity, taking away their ability to say no to protecting the data they manage.
You would be doing handstands if every doctor, dentist, healthcare organization, financial institution, lender, lawyer, accountant, manufacturer, building contractor, nonprofit, and employer (yes, every employer!) was required to implement a cybersecurity program or face real liability and financial penalties that won’t wait for a breach to occur.
You probably wouldn’t be happy, though, if your MSP/IT support company and the vendors of the tools you use and resell had increased liability and financial risks.
Both scenarios are likely based on increased enforcement of current cybersecurity regulations and the likelihood that the new National Cybersecurity Strategy will result in even more regulations. It may also impact your ability to get insurance.
Whether you are an MSP (recurring revenue business model plus projects), IT company (break-fix business model plus projects), data hosting provider, or software provider, you should pay attention to how the new federal strategy moves through the political process.
Fundamental Shifts in Roles and Responsibilities
The National Cybersecurity Strategy calls for increased liability on MSPs and vendors of software tools that manage and protect networks. The strategy is intended to “make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.” According to the strategy, the government’s role is to protect its own systems and “to ensure private entities, particularly critical infrastructure, are protecting their systems.”
Two of the strategy’s five pillars of cybersecurity apply to MSPs, IT support companies, and the providers of remote management, backup, and security tools. The other three pillars outline steps the federal government should take to secure its own systems, defeat hackers, and work with other countries to make cyberspace safer.
The strategy’s goals include rebalancing the responsibility to defend cyberspace, harmonizing and streamlining new and existing regulations, and enabling regulated entities to afford security. The strategy emphasizes the need for “cyber resilience” by referring to “resilient” or “resilience” 68 times in the 39-page document.
The government says it will “deepen operational and strategic collaboration with software, hardware, and managed service providers with the capability to reshape the cyber landscape in favor of greater security and resilience.”
The strategy admits that voluntary cybersecurity measures have proven to be inadequate, and that the burden of cybersecurity should shift “away from individuals, small businesses, and local governments … to organizations most capable and best-positioned to reduce risks.”
That includes MSPs and providers of the software tools you use.
The strategy defines trends that need to be managed to ensure a safer technological world:
“Software and systems are growing more complex, providing value to companies and consumers but also increasing our collective insecurity. Too often, we are layering new functionality and technology onto already intricate and brittle systems at the expense of security and resilience.
The widespread introduction of artificial intelligence systems—which can act in ways unexpected to even their own creators—is heightening the complexity and risk associated with many of our most important technological systems.
Next-generation interconnectivity is collapsing the boundary between the digital and physical worlds and exposing some of our most essential systems to disruption.
Our factories, power grids, and water treatment facilities, among other essential infrastructure, are increasingly shedding old analog control systems and rapidly bringing online digital operational technology (OT).
Advanced wireless technologies, IoT, and space-based assets—including those enabling positioning, navigation, and timing for civilian and military uses, environmental and weather monitoring, and everyday Internet-based activities from banking to telemedicine—will accelerate this trend, moving many of our essential systems online and making cyberattacks inherently more destructive and impactful to our daily lives.”
The approach is to move cybersecurity responsibilities away from end users to the “most capable and best positioned actors to make our digital ecosystem secure and resilient … Protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”
Pillars of Importance to MSPs
Pillar One, Defend Critical Infrastructure, proposes new enforcement agencies and more regulatory authority requiring mandatory controls to drive better cybersecurity:
“While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”
The White House plans to work with Congress, states, and independent regulators to implement minimum cybersecurity requirements and close enforcement gaps to ensure a coordinated effort.
The strategy recognizes that businesses and governments “rely upon the cybersecurity and resilience of their third-party service providers,” which includes MSPs and IT support companies:
“The Administration will identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services, and work with industry, Congress, and regulators to close them.”
Pillar Three’s Strategic Objective 3.3, Shift Liability for Insecure Software Products and Services, is likely to have the greatest impact on MSPs and software vendors:
“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities. Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.
The Administration will work with Congress and the private sector to develop legislation establishing liability for software products and services.”
The proposed legislation will prevent software developers from disclaiming liability in their contracts and provide a “Safe Harbor” that will shield from liability companies that securely develop and maintain their software products and services.
Again, the reference to “services” will likely impact MSPs both by adding liability and providing a Safe Harbor for properly implementing your own internal cybersecurity and delivering your services.
The strategy depends on Congress agreeing to new legislation to tighten cybersecurity and shift the liabilities. You would think that’s not likely, based on the hyper-partisan environment in Washington, where they can’t look up and agree that there are clouds in the sky.
Not so fast.
Looking back on recent cybersecurity legislation, including the 2021 federal law that provides HIPAA incentives for healthcare organizations to implement Recognized Security Practices that include the NIST Cybersecurity Framework, there is bipartisan support for cybersecurity.
The Recognized Security Practices law was co-sponsored by two House reps, a Republican and a Democrat.
Bipartisan. Yes, really.
From the time the House received the bill out of committee, until it was passed by both the House (voice vote) and the Senate (unanimously), then signed by the President, less than 30 days had gone by.
Since the White House says in its strategy that it will work with Congress and the private sector to create legislation, you can be sure that the software industry’s largest vendors will be fighting the attempts to increase their liability.
But who will represent MSPs, who can’t afford to be liable for the millions of dollars in consequential damages their clients may suffer?
Will you be financially liable if a law firm misses a critical court filing deadline, an accountant misses the tax deadline, or a contractor misses a bid deadline, because of a ransomware attack?
Will you be able to afford MSP Errors and Omissions (E&O) insurance if legislation increases your liability?
Will insurers even cover MSPs?
This is something you’ll want to keep an eye on.
MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.