The managed IT provider business is on the rise in the US, and MSPs operate in every public and private sector of the economy. Many private-sector organizations that handle sensitive data are already required to operate under compliance regimes, such as HIPAA for the medical sector. These regimes make strict stipulations about how sensitive data must be managed and how an organization's IT infrastructure must be secured.
At the same time, the number of cybersecurity threats and attacks grows each year. Attackers target both MSPs' customers, in order to deploy malware and demand a ransom or to breach financial or payment systems, and MSPs themselves, in order to gain access to their customers' IT infrastructure, logins, passwords, and other sensitive data.
It was inevitable that managed IT providers working with US public institutions would, at some point, fall under some form of compliance regime. Although that has not yet happened nationwide, in June 2020 the state of Louisiana signed a law prescribing the registration of all MSPs working with public bodies in that state.
In this article, we give an overview of the act and discuss the nature and the consequences of that legislation for MSPs across the US.
Overview of the Law
Beginning February 1, 2021, any managed services provider and managed security services provider working with public bodies in the state of Louisiana will have to apply for official registration. The official register will then be accessible to any public bodies in the state. The registration will be effective for two years. Renewal requests must be sent 90 days prior to the expiration of the registration.
Registered MSPs or MSSPs working with public bodies should then report any data breach or successful ransomware attack to the Louisiana Fusion Center within 60 days of the incident.
Below, we will break down the law in detail. The full text of the legislation can be found here.
- MSPs, MSSPs - any person or company providing information technology services under a contract
- Public body - any public or quasi-public company, branch, department, etc., operating in Louisiana
- Louisiana Secretary of State - the body to which you apply for registration
- Louisiana Fusion Center - the Department of Public Safety and Corrections, the office of the state police, Louisiana State Analytical and Fusion Exchange. This is the body to which data breaches and ransomware attacks must be reported.
The Purpose of the Law
This new law has three main aims:
- Create a register of MSPs and MSSPs who work with Louisiana public bodies. This allows the state of Louisiana to monitor the work of outsourced IT companies and thus manage public IT security better.
- Allow Louisiana public bodies to obtain information about managed IT providers. This way, public bodies can choose between approved MSPs and MSSPs. No unregistered MSP or MSSP will be able to work with Louisiana public bodies.
- Record any cybersecurity incident and/or the amount of any ransom paid in connection with the IT infrastructure or end-user systems of public bodies.
Any managed services or security services provider located outside Louisiana but working with Louisiana public bodies must also register.
Details Needed for Registration
To apply for registration, you need to provide the following details:
- The provider's name and phone number, a contact person, and a listing of any owners of more than 10 percent of the shares of the provider
- All organizational documents, including articles of incorporation, organization, association or partnership agreement
In the event of any material change in your MSP or MSSP business, you must notify the state and provide the required documentation about the change within 60 days of the change.
The state of Louisiana can deny or revoke any registration. The law does not state the exact grounds for revocation.
Notifications About Cybersecurity Incidents
One of the main reasons behind the law is to create a centralized reporting structure for cybersecurity incidents involving public bodies. Accordingly, incidents must be reported to the Louisiana Fusion Center within 24 hours of the incident. If a ransom was paid in connection with the attack, this must also be reported within 10 days of the payment. The report must include the name of the affected body and the name of the MSP or MSSP in charge of the body's IT infrastructure.
What Does It Mean for MSPs?
The scope of the law is fairly narrow for now: it covers only those managed providers who work with public bodies of the state of Louisiana. Moreover, the law does not call for any fines or other measures against MSPs who are successfully breached; for now, it is solely informational. However, we believe that this law is a warning to MSPs and MSSPs in the US to start thinking more seriously about their security measures. If ransomware attacks continue to increase, other US states might start to register MSPs. Since public data is considered sensitive, the law might also be a starting point for new compliance regulations aimed specifically at managed providers.
To sum up, the Louisiana law is a positive move for MSPs and MSSPs who do their job well and take security seriously; however, it may well be laying the groundwork for more severe laws and compliance regimes in the future for public bodies and the managed providers working with them.
Louisiana is the first US state to sign an MSP registration bill. The bill itself is not a compliance regime and does not call for fines for managed providers, but it is an indication to all managed IT providers that states have started to take cybersecurity seriously. Accordingly, it is time to revise the security measures you take and the policies you, as an MSP, apply to your customers and to your own security.