The road to MSP regulation
All good things will eventually receive more government oversight. (At least the good things that become less good over time as new information security concerns emerge.)
The purpose of this article is to help you leverage the prospect of impending regulation to make better business decisions.
It’s inevitable, so why not use it to your advantage?
Managed Services Providers (MSPs) and break-fix IT companies have enjoyed a relatively free and easy existence over the last fifteen years.
The following conditions have combined to create a wide-open, unsupervised playing field:
- Low barriers to entry
- Opportunities for self-taught techs (with solid people skills) to quickly advance and run their own businesses
- The proliferation of professional services automation (PSA) and remote monitoring and management tools (RMM)
- The growth of cloud solutions that can be resold and managed by third parties – both large and small
- An expanding market willing to engage and/or sign contracts without conducting rigorous vendor review processes
Now consider the non-stop barrage of news headlines related to malware, ransomware, wire fraud, identity theft, data compromises, denial of service attacks, election tampering, deep fakes, and lawsuits…
The drama never ends. No one is immune – government entities, Fortune 500 corporations, SMBs, and everyone else in the supply chain.
It’s no wonder a reckoning is at hand with IT vendors. They have the keys to the kingdom.
Small MSPs, large MSPs, and everyone in the middle will be under a more powerful regulatory microscope.
Can your IT provider pass the test?
Service Organization Control 2 (SOC2) is one of the reporting frameworks published by the American Institute of Certified Public Accountants (AICPA).
CPAs and auditors follow AICPA guidelines established in “Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy.”
SOC2 reports cover eleven service organization control objectives that apply to software as a service, managed services, application development, cloud service providers, data centers, and other Internet-dependent technologies:
- Data Governance
- Facility Security
- Human Resources Security
- Information Security
- Operations Management
- Risk Management
- Release Management
- Security Architecture
Updated annually, SOC2 reports are comprehensive. If your MSP has this document in hand, they are going the extra mile in their commitment to operating excellence, cyber security preparedness, and full transparency.
They’re also expensive.
According to Vanta, “Audit fees range from R20,000.00 to R45,000.00 for the SOC2 report itself, but there are many costs beforehand. Most companies engage audit firms for a “readiness assessment” – and those begin at R10,000.00 and scale with company size.”
From my experience, very few MSPs go through annual SOC2 audits.
However, most forward-thinking MSPs partner with larger technology providers who do. (AWS, Cisco, Connectwise, Datto, Dell, Lenovo, Microsoft, Veeam, VMware, etc.)
How forward-thinking is your MSP? Do you know which vendors they use?
MSP Cyber Verify
Created by the MSP Alliance, MSP Cyber Verify (MSPCV) is an industry-specific auditing framework.
While SOC2 was designed for a wider range of organizations, MSPCV offers a unified certification standard for cloud and managed service providers, which are evaluated across ten control objectives:
- Policy and procedures
- Confidentiality, privacy, and service transparency
- Change management
- Service operations management
- Information security
- Data management
- Physical security
- Billing and reporting
- Corporate health
Updated annually and verified by independent CPAs, MSPCV reports capture more granular technology details than their SOC2 counterparts.
They also disclose financial details so you can accurately assess the corporate health of your MSP.
As you will see in their objectives and underlying requirements, no stone is left unturned, especially on cyber security.
They also offer these services at rates that are more affordable to certain MSPs. The word “certain” is chosen carefully, because the United States has 40,000 MSPs, with the top 8,000 capturing most of the available revenue.
A third of MSPs report making less than $1,000,000.00 in annual revenue.
Companies in this segment will have a hard time justifying $15,000.00 per year on any kind of audit. They may also have a great degree of difficulty meeting the control criteria.
While the MSP Alliance offers SOC2 as an add-on, I suspect this is mostly targeted to MSPs that need the widely recognized designation to work with clients in heavily regulated industries like insurance, banking, finance, and healthcare.
I hope I have given you a new baseline to evaluate prospective IT providers.
Let’s face it, SOC2 is well-known and you probably just learned about MSPCV today.
Both frameworks have a lot of minutiae to wade through. But I count this as a positive if you are having a conversation of this nature with a prospective MSP.
The importance of independent auditing and transparency cannot be overstated.
If you have any concerns around regulation, compliance, and IT auditing frameworks, the MULTi IT team has decades of experience, and we look forward to guiding you.