How Louisiana’s MSP regulations could shape the future of the channel

Louisiana is taking steps toward regulating the channel. Effective 1 February 2021, Senate Bill 273 introduces more regulations for MSPs that service the public sector. Many predict that the legislation – the first of its kind in the U.S. – is a sign of things to come, and that similar regulations could be rolled out in other states in the years ahead.  

Read on to learn more about Senate Bill 273 and get a glimpse of what future MSP regulation could look like.   

What is Senate Bill 273?  

In June 2019, following a spate of costly ransomware incidents that ravaged the public sector, Louisiana approved new state law that introduces more regulations for MSPs that provide IT infrastructure to public bodies.  

The bill primarily aims to shift the responsibility of incident disclosure from victims to service providers. It is hoped that the added transparency will enable consumers to make a more informed decision about their choice of MSP which, in turn, will encourage MSPs to elevate their security posture or risk losing business to their better-prepared competitors. 

The bill can be read in its entirety here. 

How will Senate Bill 273 impact you? 

If you’re a Louisiana-based MSP, you must abide by the new laws in order to conduct business with a public body. Under Senate Bill 273, MSPs that provide IT infrastructure to public entities are required to: 

• Register with the Secretary of State 
• Report cyber incidents within 24 hours and ransomware payments within 10 days 
• Provide public access to information, including a record of cyber incidents 
• Be in good standing before they can partner with a public body.   

MSPs that are based elsewhere in the country should keep a close eye on the Louisiana regulations. As MSPs play an increasingly important role in the public sector, it seems likely that similar regulations will be rolled out in other states in the future, possibly at the federal level. It’s also possible that similar models could be applied to other high-risk industries that deal with sensitive data, including the medical, financial and education sectors. 

How to prepare for the coming changes 

The prospect of added regulations will likely be met with skepticism from some MSPs. However, it’s important to note that the legislative intent of Senate Bill 273 is not to make it harder (or more expensive) for MSPs to do business with the state, nor is it to make it more difficult for new MSPs to enter the market. There are no licensing or certification requirements; in fact, the bill doesn’t actually do anything to directly address or resolve cybersecurity issues. Instead, the bill simply aims to improve accountability and transparency, which ultimately enables state entities to make better purchasing decisions.  

While it’s still too early to judge the effectiveness of Senate Bill 273, it seems probable that other states will follow in Louisiana’s footsteps. The best way to prepare for future regulation is to bolster your cybersecurity posture. Service providers must be in good standing to do business with public entities, so it’s critical that MSPs utilize best practices now to avoid cyber incidents that could preclude them from doing business with the state further down the track.  

For MSPs that are secure and transparent, regulation should be viewed not as an obstruction, but as an opportunity to demonstrate cyber resilience and perhaps gain a competitive advantage along the way.  

Conclusion 

Louisiana has taken steps towards regulating MSPs with the introduction of Senate Bill 273, which went into effect on 1 February 2021. The bill builds on existing breach notification laws and requires MPS to register with the Secretary of State and be in good standing before entering into business with a public entity.