Guide to the New MSP Regulations in Louisiana

Like many other industries like financial services and healthcare, government agencies now have to make the proper steps for secure management of the IT channel. As a result of the massive spike in costly phishing scams and ransomware, the impact of inadequate security has shifted focus to managed services.

Louisiana’s Act 117 (Senate Bill 273) came into effect on 1st February, marking the onset of a trend toward regulated IT channels. The industry has had this discussion for quite some time, with most stakeholders feeling that government action was long overdue.

Combining the massive transformation of the MSP industry with almost no external oversight and the continually growing number of successful MSP-targeted cyber incidents, the inevitability becomes vivid.

At the moment, Louisianan is the only U.S. state to enact such regulations. However, the Federal Government and many other states are considering taking the same steps.

This detailed guide offers a glimpse of what MSPs should know about the new laws.

State MSP Laws Are Now a Reality

Debate on the need for MSP regulating and legislation has been on for years. The move by the state of Louisiana means that it’s just the beginning, and believing that this will not be replicated in other states will be short-sighted.

The state approved the first legislation regulating Managed Security Service Providers (MSSPs) and MSPs that supply IT functions to public bodies in June 2019. From 1st February 2021, channel providers are required to abide by the following Senate Bill 273 requirements:

  • The companies must register with the Secretary of State
  • They’re required to report any ransomware payments and other cyber attacks
  • They must offer public access to information such as but not limited to cyber incidents records

Registration is now a requirement for MSPs who intend to supply products to public bodies, and this must be done in “good standing.” Those who fail to align with the above requirements risk nullifying their contracts with the respective public body. Unless registration is revoked or denied, the contract will stay effective for two years.

MSPs and MSSPs have up to 24 hours to report an incident discovery and are required to report ransomware payments within ten days.

Overall, the bill is focused on providing as much MSP information as possible to public bodies and reduce the impact and frequency of cyber incidents on public agencies. In turn, MSPs are obliged to enhance their security functions and develop practical business continuity strategies. Otherwise, you may face the consequences of dealing with a more informed customer.

SB273 was passed after a chain of ransomware and other cyber incidents on DMV offices, Louisiana school districts, and New Orleans. These led to a shutdown of the entire city, affected over 4,000 government computers, and caused damages worth over $7 million.

Other states throughout the country are considering similar measures as such targeted and complex attacks threaten more consumers, companies, and industries.

The Impact of Implementation on MSP Operations

It’s still too early to judge how applicable, effective, efficient, and costly the new regulation can get. However, the CMMC (Cybersecurity Maturity Model Certification) offers a glimpse of what the IT landscape could look like with the application of the national standard. CMMC can be best described as an offshoot from the previous federal requirements on systems and organizations that manage Controlled Unclassified Information.

Notably, the multilevel approach requires companies to go through five cumulative levels comprising 17 cybersecurity control categories founded on 14 security controls. In addition, its certification includes other compliance regulations such as the Federal Risk and Authorization Management Program, Defense Federal Acquisition Regulation Supplement, and International Traffic in Arms Regulations. It also covers maturity process assessments and additional cybersecurity practices.

The complex structure requires an accredited and authorized independent audit focused on standardizing several compliance elements for contracts with municipalities or government entities.

After developing for years, the regulation still leaves the actual implementation undefined in many ways. While CMMC roll-out may be expected to cover the next six years, the chaos is too confusing for businesses. First, certification alone may cost anywhere between $90,000 and $200,000.

You’ll also need to bear expenses like consulting, audit fees, annually recurring percentages, and hard costs. All these make it financially challenging for growing businesses to conduct business.

It’s said that some of these costs can be reimbursed, but not many details are available regarding the same. For example, training for CMMC in businesses hasn’t been developed yet, and there are no procedures for third-party assessments are still not known.

The managed services industry is predicted to expand by 11.27% annually until 2026. As the growth continues, MSSPs and MSPs should anticipate a more complex regulatory environment and new laws. MSPs continue to grapple with higher cyber insurance rates, more stringent coverage requirements, higher security standards, compliance overheads, and enhanced accountability.

Migration to remote workstations continues to exacerbate cybersecurity challenges, and MSPs now face a more demanding job. This trend is expected to last even beyond the coronavirus situation since more companies are now fully remote or have several full-time employees working remotely.

Step Up Today for A ‘Good Standing’ In the Future

The new legislation has led to higher cyber insurance costs, tighter coverage requirements, higher security standards, compliance overhead, and an emphasis on accountability. The ever-expanding remote work environment further exacerbates cybersecurity hurdles and increases the need for trustworthy recovery solutions. The solutions must be able to span applications and data across workstations and production servers.

In the event of a cyber-incident, the new laws relieve the affected business from the blame. Instead, the MSP who handles their protection will be held responsible. An MSP is only as secure as its business continuity and recovery solutions. As a result, you’ll be better placed if you hire the services of a comprehensive and reliable vendor focused on promoting operation efficiency, accountability, and speed. What’s more, your partner should have a vested interest in your overall success.

Essential Solutions, LLC is your trusted partner for business IT services and technical support. Our experienced tech professionals will take you through the numerous elements of the new cybersecurity regulations, helping you stay compliant and enhance your system security.

Speak with us today for IT guidance.