MSPs understand the evolving cybersecurity landscape and the heightened expectations around data privacy. Clients trust MSPs to keep their information safe – but what does that mean for MSPs?
With new cybersecurity risks and legislation around data privacy, there is a new level of responsibility clients expect MSPs to bear. This is known as fiduciary responsibility.
What Is Fiduciary Responsibility?
Fiduciary responsibility is the legal obligation to act in the best interests of another party, such as a client. Like CPAs, MSPs are responsible for the data and systems entrusted to them by their clients.
This means taking all reasonable steps to protect their data from loss, theft, or unauthorized access – and being transparent about any risks or vulnerabilities. It also means complying with data privacy laws, such as GDPR and CCPA. Meeting these expectations is essential to maintaining a client’s trust and ensuring the client’s success.
“I have always felt that an MSP should be considered an extension of a client’s own business and only provide advice based on the client’s best interest. An MSP is only successful if its client is successful,” said Joe Cannata, Owner of Techsperts LLC.
The fiduciary responsibility of MSPs is a critical part of their role as trusted partners to their clients. “I feel that it’s important that MSPs understand and abide by the regulations of the partners that they are servicing,” said Daniel De Steno, Owner of NOVA Computer Solutions, LLC.
Do MSPs Play a Similar Role and Accountability That CPAs Have?
MSPs are expected to act in their clients’ best interests and exercise a high level of care when it comes to safeguarding their data and systems. In addition, MSPs are held to the same standards as CPAs in terms of liability and accountability for their clients’ data.
Said De Steno, “I feel that it is not only a good step to hold MSPs accountable, and their partners, for the benefit of not only the partner but the MSP and the clientele that that partner services. Being required to abide by the regulations of a specific vertical would probably make that MSP a better partner to their partners. That will certainly put a larger spotlight on the MSPs that are providing the quality service that they should be and shine a much brighter light on those MSPs that are out there flying by the seat of their pants. I think that would also allow MSPs to increase their fees since they are certified or compliant with the regulation of your vertical.”
CPAs and MSPs are all critical assets to their clients. They need to understand not only what fiduciary responsibility is, but also how to uphold it in order to maintain the trust of their clients. “Just as CPAs (accountants) have become critical to businesses’ survivability, MSPs have continued to gain strong traction within the economy providing critical services via technology. With new legislation being discussed more frequently, it’s only a matter of time before regulation hits the marketplace,” said Nick Martin, Director of Managed Services at Mainstreet IT Solutions.
Said Guy Baroan, President of Baroan Technologies, “I absolutely see the role of a CPA being similar to the role of an MSP. Already we are seeing laws coming out that are now starting to put in requirements for technology companies that are supporting clients to take more responsibilities than ever before. As the cyber attacks continue to be more successful and more data is stolen or companies are held hostage for a ransom, the protections and need to have laws in place will be greater.”
“Although I agree with a perspective, in concept, of accountability similar to a CPA, there are a number of issues that are holding back our industry from achieving this. First of all, there are very few, if not any, barriers to entry for someone to call themselves an MSP. This is very different than a CPA, who has to gather a certain level of academic success as well as pass standardized testing,” said Ilan Sredni, CEO and President of Palindrome Consulting.
“Regulation has always struggled with keeping up with the changing needs of technology, and I don’t necessarily see that changing at this point. But what I do see is that MSPs need to be ready for new regulations coming to the industry to ensure best practices are being followed,” said Martin.
Will there be a requirement for additional certifications and other qualifications to become an MSP in the future? The answer is most likely yes. Said Anthony Buonaspina, CEO and Founder of LI Tech Advisors, “I believe that in the very near future you will need to have federal and state compliance certifications in order to call your company an MSP or MSSP. My guess is that this will morph into a new acronym for describing the next generation of Managed Service Providers such as MSSCP for Managed Service Security and Compliance Provider.”
How Do Clients View Their MSPs?
Organizations that lack an IT team often rely on MSPs to not only manage and monitor their systems but also to keep them up-to-date with the latest security patches and compliance updates. This places a significant burden on MSPs to ensure that their systems are secure and compliant at all times. Fiduciary responsibility means that MSPs are ultimately responsible for their clients’ systems and data, regardless of who else might be involved in the process.
“Over the last 19 years, we have had many ‘impression’ calls from clients where they inform us that they were under the ‘impression’ that cybersecurity was being completely ‘handled’ as part of their managed service agreement. After working hard to build a standard cybersecurity tools and services stack as part of our managed service offering, we have been requiring clients to sign releases of liability if they refuse to implement any of our tools or services regarding cybersecurity,” said Alexander Freund, Co-Founder, President, and CEO of 4IT.
Many organizations that have their own internal IT team still rely on MSPs for assistance with specific tasks or projects, such as migrating to a new system or updating their security posture. In these cases, MSPs have a responsibility to ensure that the transition is smooth and does not disrupt or diminish the level of service their clients are receiving. Having a strong trusted relationship with the client will remove some of the barriers, and as long as MSPs are evolving and deploying standards like NIST CSF the client’s risk surface will be minimized, said Robert Giannini, Chief Security Officer and CEO of GiaSpace.
“The agreements between MSPs and clients should be clear and detailed, outlining the specific services that are being provided as well as the expectations around data protection. Our agreements need to be very clear with the customer and make sure we as the MSP are legally protected when the client inevitably denies the cost of implementing a particular solution under the premise ‘we do not need that.’ It is absolutely vital that we do not all use the same boilerplate agreements used from 10 years ago that have circulated throughout the industry,” said Sean T. Fullerton, Principal Consultant at NSN Management.
How Will Fiduciary Responsibility Change the MSP Industry?
The rise of fiduciary responsibility is likely to change the way MSPs operate and do business. In particular, MSPs will need to be more proactive in their approach to data security and privacy. They will also need to be more transparent with their clients about the risks and vulnerabilities associated with their systems.
MSPs will need to make sure they are up-to-date on all compliance regulations, not just GDPR, and they will need to be able to prove that they are meeting those requirements. In addition, MSPs will need to monitor proactively for potential threats and implement measures to mitigate those risks. This may involve working closely with clients to create a detailed security plan and adjusting it as needed based on changing regulations or the evolving threat landscape.
Said Baroan, “We can’t guarantee that no one will be safe from a breach, however, we can educate them and make sure that their risk is greatly reduced. More and more, I see the role of an MSP becoming a necessity for businesses, even if they have their own staff, it’s almost impossible to keep up with the changes, it’s like drinking water from a firehose. Everyone will need services like these to ensure they are safe and protected.”
Overall, fiduciary responsibility is likely to reshape the MSP industry, making MSPs more accountable for the security and data privacy of their clients. At the same time, this will help to raise standards across the industry and ensure that MSPs are meeting the needs of their clients in a rapidly changing cybersecurity landscape.
Will Clients Wake Up to the Importance of Having an MSP Like They Have a CPA?
Clients are already waking up to the importance of having an MSP. In the same way that they have a CPA to ensure the financial compliance of their business, more and more businesses are beginning to realize that they need an MSP to ensure the compliance of their data and systems.
As data privacy regulations continue to evolve, we expect fiduciary responsibility to play an increasingly important role in the MSP industry. Clients are starting to realize that they need a trusted partner who can help them navigate these complex regulatory landscapes and keep their data secure.
Many businesses are also recognizing that having an internal IT team is not enough – they need the specialized support and expertise that MSPs can provide. This means that clients are increasingly looking to partner with MSPs who can take on fiduciary responsibility for their systems and data, helping them to meet regulatory requirements and mitigate the risks associated with cyberattacks.
“Clients that have come to us after suffering a breach already understand how important the right MSP is, as anyone who has been through the process of dealing with a breach knows how badly it can interrupt their operations, and how much money and time it can cost,” said Freund.
Overall, it seems clear that clients are beginning to understand the importance of working with an MSP. As fiduciary responsibility becomes more common, we can expect to see even more businesses waking up to the need for an MSP to help them protect their data and systems.