IT Service Provider Regulation is Coming

On March 25, 1911, the Triangle Shirtwaist Factory fire ravaged a building in New York City’s Greenwich Village. The doors to the stairwells and exits were locked at the time. The single fire escape collapsed early in the fire, trapping workers, who were mainly women ranging at age from 14 to 23, and resulting in the death of 146 people. This stands as one of the deadliest fires in US history and, as a result, a series of regulations were introduced to improve factory conditions. This tragedy, in a circuitous manner over the decades led to the US Department of Labor’s Occupational Safety and Health Administration (OSHA).

On November 28, 1942, another fire took place at Cocoanut Grove, a popular nightspot in Boston. At the time of the fire, the club was filled to twice its legal capacity, and some exit doors were locked to prevent unauthorized access, resulting in the loss of 492 lives. After this event, new fire-safety laws were enacted, including the banning of flammable decorations and the rule that emergency exits must be kept open.

The High-Tech Equivalent

On July 2, 2021, Kaseya announced that it had become the victim of a cyberattack. Kaseya creates software for managing networks and systems used by managed service providers (MSPs) and private enterprises. Kaseya has publicly stated that more than 40,000 organizations worldwide use its software. From a single console, these organizations use the technology for remote control, patch management, ticketing, endpoint security, and backup.

Being the supplier to MSPs that provided technology services to other companies made Kaseya a particularly attractive target for cybercriminals. Three days into the incident, Kaseya estimated that between 800 and 1,500 downstream businesses were affected. This attack was particularly costly to small businesses that rely on their MSPs to support their organizations. The Russia-based ransomware gang REvil took credit for the attack, claimed to have encrypted more than 1 million systems, and demanded a $70 million ransom payment to restore the affected systems. This cyberattack caused significant damage and had wide-reaching implications. A week later, President Joe Biden spoke with Russian president Vladimir Putin. To quote President Biden, “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.” This incident roused small businesses to the fact that they, and not just large enterprises, were also targets for ransomware. Three weeks later, a universal decryptor tool was provided by an unnamed trusted third party to recover all the infected systems.

Just as the Triangle Shirtwaist Factory and Cocoanut Grove fires had long-term effects on regulation and raised the overall cost of doing business, these cyber events will shape the regulatory system. The effect is already being felt.

Pressure From the Insurance Sector

The insurance industry was particularly hard hit by this event, and several companies exited the cyber-insurance business as a result. Standards are presently not well defined and are often confusing and unclear. A typical insurance company has very little basis for defining what constitutes “best practices” for cybersecurity and is therefore unable to evaluate any individual company. Practicing good cyber-protection hygiene has largely, and correctly, been the responsibility of the individual systems architect, so assessing risk exposure is very subjective. However, this does not prevent those same insurance companies from mandating that customers implement cybersecurity technology from a set of trusted technology companies that the insurers suggest.

Consider the impact on an already fragile supply chain in 2021, and all the claims made against the cyber-insurance policies in place up and down that supply chain by affected companies. It should be no great surprise that insurance companies are reevaluating the rules of the business and what they expect from their customers going forward. Insurance companies work with a very precise set of known parameters and metrics, and if they are unable to generate profit within a carefully considered margin, they don’t offer insurance to that customer. This is why only the US Federal government underwrites flood insurance: it simply isn’t profitable.

At the most recent MSPWorld event, a group of MSPAlliance members held a meeting to discuss their issues. The MSPAlliance (International Association of Cloud & Managed Service Providers) is a vendor-neutral organization with more than 20 years of experience creating globally recognized standards and certifications. A common theme of the meeting was the high cost of cyber-insurance renewals. Members advised other members not to describe their business as an MSP, as that admission could make it uninsurable; at a minimum, an exorbitant rate hike would be charged. Some members related how educating their insurance companies about their internal cyber-practices had helped to keep their rate hikes to a minimum.

Pressure From the Customers

Events such as this cyber-incident have made customers aware that every external vendor they use is a link in their supply chain. Supply chains are only as strong as their weakest link and, in the modern era, consolidated vertical industries have very narrow supply chains. Customers should expect higher deductibles on cyber-insurance policies, and they should also require vendors to state clearly that they are responsible for the cost of remediation if their technology results in infiltration of the customer’s environment. In addition, customers should contractually mandate immediate notification of any cyber-breach that affects the vendor.