In response to the continually changing threat landscape, businesses are facing a growing set of rules and regulations that they must follow to show they are doing what’s necessary to keep sensitive information safe. The requirements that businesses in certain industries must meet are extensive and can require significant time and resources to fulfill. Noncompliance, however, which can result in sizeable fines, bad press — and even the loss of the business — is not an option.
Compliance as a Service can be the answer your clients and prospects are looking for. A managed service provider (MSP) with expertise in the regulatory requirements and standards of a specific industry can help its clients stay in compliance in a systematic and cost-effective way. MSPs can manage requirements, automating some processes, to take the burden of manual recordkeeping and documentation off internal staff. MSPs can also leverage their technical expertise to put compliant security solutions in place and then monitor and maintain them.
If you work with businesses in these verticals, you may be leaving money on the table and missing an opportunity to build solid, long-term business relationships if you aren’t providing Compliance as a Service:
Healthcare providers and their business associates must comply with Health Insurance Portability and Accountability Act (HIPAA) provisions. HIPAA includes the Privacy Rule, Security Rule, and Breach Notification Rule. Compliance solution provider Compliancy Group describes HIPAA compliance as “a living culture that healthcare organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.” HIPAA compliance requires audits, remediation plans to address gaps that audits uncover, developing formal policies, employee training, compliance documentation, and business associate management. It also has strict requirements for notification in the event of a data breach.
Compliance as a Service providers serving healthcare organizations can provide periodic auditing and gap analysis, remediation, development and updates to policies and procedures, employee training, reporting and incident response.
Industrial compliance requirements can cover areas including environmental, health, safety, and industrial hygiene, enforced by various federal and state agencies or by specific customers. Manufacturers may also need to meet industry standards such as ISO 9001 for quality management.
A Compliance as a Service offering for manufacturing businesses can cover on-site inspections or audits, permitting requirements, quarterly or annual reports, operating procedure and policy development, implementation and maintenance of required systems, periodic testing, and training.
3. Retail and Restaurant
Merchants that accept payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard requires that merchants protect cardholder data with technology, including firewalls, antivirus, and encryption. PCI compliance also requires putting policies and best practices in place, such as not using vendors’ default passwords and restricting access to sensitive information based on each employee’s role.
Compliance as a Service for merchants can include the required testing of security solutions and processes, maintaining and updating systems, monitoring access and logins to systems that use cardholder data, documentation, and updating policies as needed.
Businesses that work with the federal government are required to protect Controlled Unclassified Information (CUI) according to NIST Special Publication 800-171 Rev. 1. This regulation requires that the business identify and protect all sensitive information, control permissions, monitor changes made to CUI, and respond immediately to security incidents.
Your Compliance as a Service offering can help businesses cross the t’s and dot the i’s on this relatively new compliance requirement and provide the monitoring and documentation it requires.
5. Data Collection and Marketing
Some businesses collecting consumer data for marketing or statistical purposes are subject to regulations designed to protect personal privacy. The European Union began enforcing the General Data Protection Regulation (GDPR) in 2018. GDPR applies to all companies collecting data in the EU regardless of whether they are located there. GDPR gives EU residents control over their data, requiring consent to collect it, an easy way to withdraw consent, and the right to request that all data about them is erased.
The California Consumer Privacy Act, which will be enforced as of January 1, 2020, also gives consumers control over their personal information and holds companies that store it accountable for data security.
Compliance as a Service for companies collecting consumer data can include solutions that help manage data, search for information on specific individuals that want to see how their data is used or to have it erased, automate reporting, monitor systems, and respond to security alerts.
Start the Conversation
You may know your clients’ IT systems in and out, but do you understand the regulations and standards their businesses must meet — and whether the solutions you’ve put in place are helping them to comply? Ask your clients about their compliance requirements, including whether newer regulations like GDPR, NIST SP 800-171, or the California Consumer Privacy Act pertain to them. Those conversations may reveal some gaps that your MSP business can close to get their businesses into compliance and avoid punitive fines.
For your MSP business, those conversations might be the impetus for new offerings that yield new recurring revenue and stickier client relationships.