Regulatory compliance is already a huge market, and the regulations themselves keep expanding. Even if your clients don’t fall under HIPAA or CMMC, changes in the regulatory landscape are affecting how data is managed and secured, as states require better protection and privacy for consumers. In this article, you’ll learn why, if you own an MSP and aren’t already selling Compliance-as-a-Service (CaaS), you are sitting on a compliance goldmine.
Even without external requirements, the risks associated with failing to comply have made compliance a glaring problem, and one far too daunting for organizations of ALL sizes to tackle themselves. That is why Compliance-as-a-Service is a goldmine for MSPs willing to add it to their list of services.
Not only is it a strategic way for MSPs to attract new business, but it also increases revenue from existing clients by catering to their compliance requirements.
During a recent TMT Producers Club meeting, a panel of experts discussed why compliance is important, what opportunity it presents for MSPs, and why not adding CaaS could be a death sentence to your MSP.
The panel included four incredible people:
- Jon DePerro, chief compliance officer of Vector Choice, who served as a counterintelligence special agent in the U.S. Army with various global assignments that involved advanced security and threat management roles at Army Intelligence and Security Command and the NSA.
- Jennifer Morris, who served as an attorney for the CIA, a JAG officer for the U.S. Army, and an associate general counsel for intelligence and acquisitions for the U.S. Navy, and who has more than 22 years of legal practice experience and 18 years as in-house counsel for IT companies.
- Paul Tracey, founder of HIPAA-verified Innovative Technologies, a full-service MSSP (managed security service provider), who helps small- and medium-sized businesses mitigate cybersecurity risks and establish a company culture that supports secure and efficient IT.
- Rusty Goodwin, an organizational efficiency consultant at the Mid-State Group, who helps companies with compliance from an insurance perspective.
Why Is Compliance Important For MSPs?
Adding CaaS to your business improves your margins and can increase your growth, but more importantly, it prevents you from losing customers. “If we’re not doing compliance as a service, then we’re putting our business at risk for someone else to come in and do compliance for them,” Paul Tracey said, “and then they’ll use that to take over our business.”
From a legal standpoint, Jennifer Morris said there is a lot more at stake, and she continued, “Without [compliance], you’re extremely at risk and open to liability. Compliance is important for you as MSPs because if you’re not compliant, then you are at risk for a lawsuit liability. If there’s something you are doing to not make your clients compliant or mostly compliant, then they’re at risk.
“All the regulations are expanding, so if you or your clients are anywhere in the U.S. government supply chain, for example, then the host of compliance requirements are vast, and the liability is becoming huge.”
What Is The Liability To MSPs?
Liability comes in different forms. Insurance transfers some of it, but you can still be sued by clients for cyber malpractice, or by the Department of Justice for fraud under the False Claims Act if you or your client is anywhere in the government supply chain. That can be a bankrupting event, because the Act provides for treble damages: three times the actual damages, assessed on every false claim, which in practice means every invoice. “This can quickly lead up to hundreds of millions of dollars,” Jennifer said. “Recently, Aerojet Rocketdyne was fined. They settled the $29 million case for $9 million, for failing to certify properly on their cybersecurity requirements.
“There was no data breach. All they did was not give enough information about how they were non-compliant, and they were fined $9 million. That kind of liability can potentially be a bankruptcy-type event for small- to medium-sized businesses. It’s significant.”
Why Should You Sell Compliance-As-A-Service?
It Positions You As A Trusted Advisor.
“A huge feature of compliance is that you can align IT solutions you do for a living with a business objective and a goal for a customer,” Jon said. “When you walk through compliance with them, it’s about having a senior leader who is not in IT, because most of our clients hired us because they’re not an IT person, they don’t have an IT guy, or their IT guys are break-fix level IT. They’re trusting us to be that partner and advisor to come to them and say, ‘Hey, this is a risk you’re assuming that you don’t even know about.’ At least walk them through their options.”
It Helps You Differentiate.
“Where else are we going to have different conversations that aren’t around tools, maintenance work, and patching machines that are literally going to take someone else’s business? That’s compliance,” Paul said.
It Gets Your Foot In The Door.
Offer an external review of a prospect’s compliance documentation. “We’ll offer an external review. You could do that as a free service and say, ‘Give me your documents, and I’ll review them for you for free.’ You’ll know immediately looking at it if their MSP is doing it seriously and if that company does it right,” Jon said.
It Adds A Stream Of Revenue.
“We all ask ourselves ‘What are we going to sell next quarter?’ Add compliance to it,” Jon said. “When you talk to clients say, ‘We’re not all there today, but every quarter, we’re going to do another little compliance project, so at the end of a year or two, you’ll actually be compliant.’”
It Helps CFOs And C-Suite Understand Why They Are Writing Big Checks.
Demonstrate how expensive it can be for a company to stay non-compliant. Rusty Goodwin had a client who was already spending quite a bit of money with their MSP and didn’t think they needed to go through any steps for compliance. Rusty walked them through a couple of questions to help them calculate how much it would cost in the event of a breach.
Even if there were no civil penalties and no HIPAA fines, notification alone at $150 per name would cost $3.7 million. Their cyber liability policy only covered $250,000. “I asked if that would be a bankrupting event,” Rusty said. “She said, ‘Yes.’ That makes sense to them.”
In the end, all the panelists agreed that if you aren’t selling CaaS, you’re going to lose business and put yourself at risk.
But if you are taking advantage of the compliance goldmine your MSP is sitting on, and selling it, CaaS will help you win ALL the business. “When you get that good partnership going, they’re going to fire all their other incidental IT companies,” Jon said. “It’s going to be too hard to navigate having a VoIP guy versus having you. Talk about displacing people! I would go in and bottom out compliance stuff. I’d give people screaming deals on helping them get through a gap analysis for HIPAA, CMMC, or NIST. Because I know when we start remediating, I’m going to pull all their MSP work. ALL of it.”
To get access to the entire conversation between these panelists on selling CaaS, go to: https://mspsuccess.com/compliancegoldmine