In Pennsylvania, the Senate has passed Senate Bill 726, which prohibits state and local governments from using taxpayer money to pay ransoms. The bill defines ransomware and requires managed services providers to notify the proper official in a state agency within an hour of a ransomware discovery. A declaration of disaster emergency allows for an exception to the ban on payment.
In the UK, too, a focus on MSPs. The UK government proposes ramping up fines on MSPs who don’t implement adequate cybersecurity measures. As part of its £2.6bn National Cyber Strategy 2022, the government says new laws are needed “to drive up security standards in outsourced IT services used by almost all UK businesses.” If the measure moves ahead, MSPs will have to comply with the same regulations as other industries – which could lead to fines of up to £17m. The proposal is in a three-month comment period.
CISA Director Jen Easterly told city officials to make cybersecurity a “kitchen table” issue. “Cyberthreats, ransomware, have become a kitchen table for all of us,” she said. “People don’t necessarily like to think about it because nobody wants to get attacked. My hope with all of you is to make cybersecurity a kitchen-table issue.”
Why do we care?
Managed services providers are explicitly named in the bill and given specific direction – and that’s ONE HOUR for notification. Add Pennsylvania to the list of states with MSP-specific regulations.
About a year or two ago, I discussed the idea that politicians would see protecting business as a political winner. That feels more and more obvious now. With a call to the local government to add security to the “kitchen table” list, we’ll see what the uptake is, but be forewarned.