The Ultimate Guide to Senate Bill 273
Legislators are taking action to protect small businesses from cyber threats in 2020. How will new and future regulations affect your Louisiana MSP?
Legislators have taken notice of a lack of cybersecurity accountability in the IT channel.
Louisiana Act 117 – Senate Bill 273 was signed into law in July and appears to mark the beginning of a trend toward a regulated IT channel.
This is something the industry has been talking about for a while, and most feel that it’s only a matter of time before the government steps in. When you combine the massive growth of the managed services industry (with almost zero external oversight) and the recent spate of cyberattacks targeting MSPs, the inevitability becomes clear.
What does this mean for you? Even if you’re not operating in Louisiana, MSPs and their clients need to prepare for what’s coming. This type of legislation will probably appear in other states very soon. Additionally, all of this press is making the public aware of the fallibility of MSPs when it comes to security, and will therefore cause consumers to be far more selective when looking for service providers.
Senate Bill 273
What is Senate Bill 273 and what does it involve?
Senate Bill 273 requires MSPs that manage infrastructure or end-user systems for “public bodies” to register with the state. MSPs and MSSPs must register and be in good standing before they can enter into business with state, municipal, or parish entities.
This bill also builds on existing breach notification laws, requiring MSPs to disclose cyber incidents (breaches, ransomware payments, and others) to the state, shifting the responsibility onto the IT or cybersecurity provider rather than the victimized business.
How does Senate Bill 273 affect your managed services business?
Beginning February 1, 2021, each provider that manages a public body’s information technology structure, security, or end-user systems in this state shall file an application for initial registration with the secretary of state consisting of the provider’s name, address, telephone number, contact person, designation of a person in this state for service of process, and provide a listing of all officers, all directors, and all owners of ten percent or more of the provider. Additionally, the provider shall file a copy of its basic organizational documents, including but not limited to articles of incorporation, articles of organization, articles of association, or partnership agreement.
A public body shall not enter into a contract, for managed security services, with a provider that has not registered with the secretary of state or has failed to renew its registration with the secretary of state. Such a contract shall be null and void.
Does This Fix the Problem?
Accountability is not a complete solution.
There are several potential issues with this approach. First and foremost, it does not address the actual issue of cybersecurity, only the public face of accountability. In effect, this bill serves only to ensure that if a “public body” is compromised in a cyberattack, the MSP or MSSP will have to report the breach and take the heat.
While this may make affected MSPs more careful with their security, it is certainly no guarantee. It would seem that the only easily enforceable part of the bill is initial registration because it is required before the provider can get the contract.
Will there be more regulations? Possibly at the federal level?
Everything starts somewhere, and if this legislation is successful, or appears to be, it will be adopted by more states and at higher levels, and it will not be limited to MSPs that support “public bodies”.
Soon, this type of registration requirement may be applied to MSPs that support any high-risk industries which trade in sensitive data — medical centers, financial institutions, and the like. This could even be the beginning of the journey to full regulation and licensing requirements.
Taking a proactive approach within your MSP.
The solution is to be prepared, and the best way to prepare for tighter regulations is to increase your actual security posture. Remember, the real issue here isn’t so much the regulations but the damages that come from exposing clients to cyberattacks.
Always work to improve your internal security and document everything you can. As an MSP or MSSP, you should continually test your own policies and processes with the help of an objective third party. Protect your own business and your clients are protected in turn. And when you hit that high state of readiness, regulations and oversight become far less of a threat.
MSP Overwatch helps IT providers reach the 99th percentile of internal security readiness. If you’d like to learn more about becoming one of the nation’s most secure IT providers — and being able to prove it to prospects, clients, and legislators — schedule a demo with us using the form below.