Press "Enter" to skip to content

The Ransomware Task Force calls out MSPs

The Ransomware Task Force, which is a public-party coalition, has shared a framework for actions to disrupt the ransomware business model.  It’s a list of 48 specific recommendations from the Institute for Security and Technology. 

Outlined are five key priority recommendations, and most are focused on broad governmental response, which you get a feel for in the first:  

Coordinated international diplomatic and law enforcement efforts must proactively prioritize ransomware through a comprehensive, resourced strategy, including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals

Also, let’s highlight the recommendation for domestic and international insurance:

Establish an insurance-sector consortium to share ransomware loss data and accelerate best practices around insurance underwriting and risk management

And, then specifically, Action 3.3.3:   Require managed service providers to adopt and provide baseline security measures.

In detail, the program “could include”:

  • Adherence with a cyber-hygiene program (for example, CIS Controls Implementation Group 165 and the NIST Cybersecurity Framework;
  • Mandatory disclosure across the MSP’s customer base if there is a ransomware incident involving the MSP’s service offering; and
  • Forming an MSP-ISAC, an information sharing and analysis center specific to this industry.

The MSP industry in SMB is specifically dinged: “MSPs do not commonly provide extensive security coverage or ransomware mitigations

Why do we care?

The task force explicitly calls out MSPs as not providing mitigations, are calling for regulation to require that, and pushing that broadly.    They are also calling out the involvement of the insurance industry

I swear I wasn’t in any of these meetings, despite it sounding exactly like me.

So a major policy piece aimed at government agencies comes recommends a requirement – IE, a law – around managed services providers.   Yeah, that’s why we care.     Regulation isn’t just coming, it’s the recommendation for those specifically thinking about this field.

The Report is here.