In June Security Leadership will NOT be an Option

At this moment, your MSP has two options: change or get left in the dust.

In June 2023 the FTC Safeguards requirement will become the new normal.  That means many of your clients will need a stronger lead on the security front. And what does that mean?  Well, if you aren’t offering security leadership as part of your services, it means your clients will go elsewhere for it.

Until now, maybe you’ve pushed off setting up a chief security officer offering within your MSP. Or maybe you haven’t ever considered it. It’s possible you don’t think you’re qualified. Whatever your mindset, you are now faced with one very clear choice once June 1, 2023 rolls around: you can change and serve your clients at a higher level, or you can watch someone else take care of them.

Here’s a recap of the FTC Rule

The Federal Trade Commission (FTC) announced its update to standards for protecting consumer information through its new Safeguards Rule. The update is intended to strengthen security requirements for covered businesses. It has also expanded its definition of who is covered. The FTC broadened its scope on what it considers financial services, including businesses that might not consider themselves as such. This list includes check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and even professional tax preparers.

The main reason for the Safeguards Rule is to maintain the confidentiality and security of consumers’ personal information.

The Final Rule consists of BIG modifications, 2 of which have major implications for your MSP’s relationships with impacted clients:

First, it outlines more detailed requirements for security programs.

  • Not only does the FTC rule identify controls that need to be in place, it now requires that a complete security program be implemented.
  • As an MSP, you can implement tools for Multifactor Authentication (MFA) to access information systems. You also can ensure data encryption and provide disposal services for equipment.

But if you look at the requirement a little deeper, you will see that your clients who need to meet the FTC Safeguards need leadership.

They need a solid incident response plan.

So, why not just find a template on the internet and call it good? Put yourself in your client’s shoes. If you had just gone through an incident and were given a template to recover, would you think that was enough?

Your client will need a documented incident response plan, which means going through scenario-based events and documenting outcomes. This falls completely on the leadership side of security.

The FTC also wants the effectiveness of their controls, systems and procedures tested. Now, you may have tools that fulfill some of those controls, but how do you test them? What about the procedures within your client environment?

Evaluating safeguards is COMPLETELY out of scope of a managed services agreement. That means just adding it to your current offerings will fall flat.  Why?

  • Your client may not understand what you are doing,
  • They might not see the value behind this additional work,
  • Or they may opt for someone who has perceived experience with these leadership-level responsibilities

If you aren’t defining your security leadership in a program/service offered to your clients, they will not understand or value your efforts. And if you cannot produce a complete security program because you are only supporting or reselling security tools, someone else will step into this spot. Your client will learn WHY they need a security program, and eventually the work your team does will fall under the purview of someone else—maybe even another MSP.

So, what’s the second modification? Your client will be required to have someone who is considered a “Qualified individual”. This person or organization can be a service provider, who performs periodic reporting to their board of directors or governing body. (This reporting will need to be done at least annually.)

If you aren’t the organization who is doing this function, you better believe someone else will be guiding their security (and IT) in the future.

The Big Takeaway?

Plan to take the reins. If you are serious about protecting your clients, this is your moment to step up and lead.  Give your client the security program you know they need. Offer them a vCSO engagement and fulfill all of the requirements.

MSPs are turning to vCSO as their solution for FTC Safeguards. This is a one-stop comprehensive program facilitated specifically for MSPs to implement a complete security program solution.

So, the choice is yours: change or get left in the dust, because if you don’t offer something like vCSO, someone else will.