This article is written by Mike Semel, who created CMMC for MSPs. After leaving his successful MSP business, he became a cybersecurity consultant, and now works as a defense contractor CMMC Certified Assessor and advisor for healthcare and financial services.
If you want to be seen as an advisor or vCISO instead of a commodity MSP, you have to look beyond the systems you manage and into the contracts, insurance documents, and business workflows that actually drive client risk. And AI won’t get you there.
In 2004, after learning about the new HIPAA cybersecurity regulations, I recast my MSP business as a compliance company. We delivered the same technical services as our competitors, but we added documentation and reframed our technical services as compliance services. It worked, and I was able to charge a premium while eliminating competition. Over the years, threats and compliance requirements both increased.
I define compliance as everything someone else makes you do. Compliance stacks up. A doctor who accepts payment cards for co-pays and carries cyber insurance must comply with HIPAA, their state data breach law, PCI DSS, and their cyber insurance policy requirements, all at the same time. That’s a lot of risk.
Where Risk Really Lives
A lot of the MSPs I speak to as part of our risk assessments say they know their clients better than anyone else. Many say they are the vCISO for their clients.
So, I ask them a simple question: “Are you managing all the cybersecurity for your clients?”
“Yes, of course.”
Some even look at me like I just accused them of incompetence.
Then I ask the next question.
“Do your clients use any line-of-business cloud software you don’t manage? ERP systems in manufacturing? EHR systems in medical practices? HR or payroll systems? Vendor sites to make purchases? Operational Technology (OT), including connected manufacturing machines or connected medical devices? Connected door-locking systems? Connected HVAC systems? Other technology you never touch?”
“Yes.”
Then I ask, “Do you manage access to all those systems and patch all those connected devices?”
“No.”
That is usually the moment when the MSP realizes they are not handling all the cybersecurity for their clients after all. Then I move to compliance.
I ask two more questions, based on my definition that compliance is everything someone else makes you do:
- What contractual cybersecurity clauses have your clients agreed to, and can you show those to me in their client profile?
- What specific requirements in your clients’ cyber insurance applications, policy conditions, and exclusions are you managing and documenting in their client profile?
Too often, the answer is silence.
Now the MSP realizes they are not handling all the compliance requirements either.
That silence is dangerous, because both cybersecurity and compliance risks are often hiding in plain sight.
Not in some exotic threat report.
Not in a dark web forum.
Not in a virtual server buried three menus deep.
They are hiding in ordinary documents the client filed away without sharing with you. Contracts. Security addendums. Cyber insurance applications. Endorsements. Exclusions. Customer questionnaires. They are also hiding in the systems and devices people walk past every day.
These are things you can’t automate with AI.
The Real Cost of Compliance Failures
One of the biggest mistakes MSPs make is assuming they are “handling security” or “handling compliance” because they manage Microsoft 365, backups, firewalls, endpoints, and patching. That is only part of the picture. Real vCISO services have to be comprehensive. They have to cover the client’s entire business, including line-of-business applications, payroll and HR systems, cloud apps, medical devices, manufacturing equipment, IoT, and every other system that affects risk, whether the MSP manages it or not. A comprehensive cyber risk assessment has to cover the full environment, not just the part you manage.
This is where hidden requirements become the bigger risk to the business: the impact of missing a contractual or insurance obligation can be far greater than a regulatory penalty.
Contracts often now contain cybersecurity requirements that are more specific than regulations. I have seen contracts that require formal written security programs, multifactor authentication for all systems, encryption of all data, vulnerability scanning, audit-log review and retention, air-gapped backups, and independent audits—of all systems, not just the ones managed by an MSP.
Some contract clauses simply require compliance with a law, standard, or program like HIPAA, PCI DSS, or CMMC. That means a regulatory obligation becomes a contract issue too, which can lead to canceled deals, lawsuits, and being shut out of future business.
Clients know their contracts are tied to revenue, and often to survival.
After I explained the cybersecurity clauses in a contract to the head of a nonprofit organization who signed the agreement, and showed him evidence they weren’t doing everything required, I asked what would happen if they had an incident and the funding source terminated the contract for non-compliance.
He said his organization would go out of business.
I asked the managing partner of a law firm what it could cost when I showed him they had not implemented the cybersecurity contractually required by their largest corporate client.
He said, “Millions.”
Cyber Insurance Is Your Warning Sign
Cyber insurance can be just as dangerous.
Applications ask detailed questions about controls. Clients often ask their MSPs to help fill them out because they do not understand the terminology. I have seen MSPs tell clients how to answer those questions while forgetting they do not actually know the answers for the systems the MSP does not manage.
Policies may exclude claims if required safeguards were not in place or if the insured failed to comply with applicable laws and regulations. Weak implementation is a problem. Weak documentation is also a problem. If a client cannot prove the controls were in place consistently, over months or years, the financial damage can hit at the exact moment they need coverage most. And that can cost them $1 million, $3 million, or $10 million: the full limit of the policy.
A cybersecurity questionnaire is often your warning light.
When a customer, prospect, lender, or insurer asks your client to complete one, that usually means hidden obligations already exist or are about to exist. Smart MSPs treat those questionnaires as a signal to ask for the underlying contract language and insurance documents.
Big Risk, Big Revenue
This is also a revenue opportunity.
Documentation-as-a-Service gives clients what audits, investigations, lawsuits, and insurance claims always demand: evidence. Not vague statements. Not good intentions. Evidence. Time-stamped reports, tickets, logs, approvals, policies, reviews, and records that show what was done, when it was done, and whether it stayed in place over time. Tools are not proof; evidence is proof. And that evidence has to be generated as you go, month after month. You can’t print a report today that proves every compliance requirement was met each month for the past several years if nobody captured it at the time.
Before I became a consultant, my MSP charged our managed services clients a premium over our standard per-user fees to manage all their cybersecurity and compliance. I also charged for the documentation they needed to collect every month as evidence of continued compliance and comprehensive cybersecurity.
We made sure the OT devices we could not manage, including some that ran on unsupported computers that came with machines or medical devices, were isolated on separate network segments, so they could not harm the IT systems we did manage. We stopped giving those vendors full domain admin privileges and unrestricted access. We reviewed user lists from cloud services we did not manage to make sure only authorized users had access, because that’s where most of the critical data lived.
Start with the Contracts
If you want to be more than a commodity MSP, ask to see the contracts. Ask to see the insurance documents. Ask to see the technology the client depends on that your team does not manage.
Because if you have not seen those things, you do not fully know the risk.
And if you do not fully know the risk, both cybersecurity and compliance problems may be hiding in plain sight.
Cybersecurity is protecting data against unauthorized access, theft, or loss. Compliance is the ability to pass an audit, survive an incident investigation, and win a lawsuit.
Doing both well will elevate you above being seen as just a technical resource—and enable you to charge more.
For more compliance advice, check out how to turn the new HIPAA security rule into more recurring revenue—without increasing your liability.
Mike Semel’s Compliance Mastery for MSPs training system includes a reference tool for quickly identifying the compliance requirements for multiple industries. Included are sales guides and a full masterclass on using risk-based selling to quickly close deals with regulated clients. It can be shared with 10 workforce members.