After years of inflicting ever-mounting damage, ransomware has become the stuff of almost daily national headlines. In response, cyberinsurers are jacking up rates, Congress is working on a host of new laws, and the Biden administration, in between firing warning shots at foreign governments, has issued an executive order on cybersecurity that calls out IT service providers by name.
All of that, cautions Karl Palachuk, is just the beginning. “Legislative bodies have discovered who we are and they’re going to regulate us,” he says.
Indeed, they already are. Recently enacted rules in Louisiana, observes Palachuk—an author, business coach, technology consultant, and former MSP—are the first of what’s sure to be a string of state decrees that, among other things, spell out the meaning of terms like “managed service provider” and “MSSP”.
“That’s a hard thing to change once it gets defined incorrectly,” Palachuk notes, which is exactly what will happen if MSPs watch from the sidelines while lawmakers act.
“We need to basically invite ourselves to sit at the table and help figure out where this industry is going,” he says.
He’s not the only one who feels that way, either. The architect of Louisiana’s law, Secretary of State Kyle Ardoin, is all but pleading with MSPs to take charge of their future too.
With that in mind, Palachuk is spearheading the creation of a membership association for channel pros tasked with nothing less than “determining what constitutes professionalism in our industry.” Called the National Society of IT Service Providers, the new group held a critical early organizing meeting online today.
Creating a template for laws governing the SMB channel is one of the group’s top initial priorities. Left to their own devices, Palachuk warned meeting attendees today, state legislatures are likely to create well-intentioned yet “completely inappropriate” regulations. “On the other hand, if somebody is standing there on the side, ready to hand them a piece of draft legislation, they will start with that,” he said.
A template for future state laws is already available on the group’s website. In seven pages, it defines IT service provider and managed service provider; requires everyone who meets those definitions to register with the state; and obliges the state in turn to create a searchable online list of those firms. Like Louisiana’s law, it also requires providers to report cyber incidents and tell authorities when cybercrime victims opt to make ransom payments.
Critically, the proposed law bars businesses that refuse to pay for backup services from suing should they be struck by ransomware. That’s the only surefire way to shield channel pros from legal action by negligent end users, according to Palachuk, who believes the waivers many MSPs now require clients to sign when declining recommended services are all but useless.
“If there’s a cyberattack and they end up paying a million dollars in ransom, their insurance company is going to sue your insurance company, period,” Palachuk says. “There’s no way to be relieved of that liability without the state providing a way to say, ‘these people cannot be held liable.’”