MSPs in the Regulatory Spotlight: Fix Your Policies Before They Fail You
Australia’s cyber and privacy rules have shifted fast. If you run a small IT service provider or MSP, what kept you compliant 18 months ago may now expose you to regulatory, contractual, and insurance risk. Here’s how to get ahead—practically.
1) The situation: new compliance obligations meet rising cyber risk
IT service providers are now squarely in scope. Enforcement under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme is intensifying; reforms to the Privacy Act are strengthening expectations; and for critical infrastructure, the Security of Critical Infrastructure Act 2018 (SOCI) brings incident-reporting duties to the fore. If you serve APRA-regulated clients, CPS 234 expectations flow down to you. Cross-border support and offshore tooling sharpen focus on APP 1.2 (governance), APP 8 (overseas disclosure), and APP 11 (security). Emerging ransomware payment reporting under Australia’s evolving cyber laws also raises the bar.
- Type of situation: new compliance obligations + cyber/data privacy/operational risk + industry trend
- Business impact: faster reporting timelines, higher evidence standards, and third-party accountability
2) Why your 18‑month‑old policies and MSAs may already be misaligned
Policies and contract packs drafted before the latest changes often miss key allocations and evidence requirements.
- NDB scheme: unclear thresholds and owners for “eligible data breach” assessment and OAIC notification
- SOCI: who reports what to the ACSC, and when—especially if a client is in a critical sector
- APRA CPS 234: board visibility, third‑party risk, and assurance expectations push obligations onto MSPs
- APP 1.2/8/11: governance, cross‑border handling, and security safeguards often left vague in MSAs
- Insurers: claims scrutiny on evidence, decision logs, and notification timing
3) The crunch moment: an RMM compromise with offshore backups and a critical client
Picture this: your RMM tool is compromised; backups sit with an offshore SaaS vendor; a client in the energy sector is affected. The clock is ticking.
- Who determines “eligible data breach” status under the NDB scheme?
- Who notifies OAIC and affected individuals—and shares scripts, FAQs, and contact windows?
- Who lodges the SOCI/ACSC report—and how are draft artifacts reviewed and approved?
- Which logs prove containment and timing to the insurer and the client’s board?
Without documented roles, runbooks, and a single source of truth, hours are lost and risk escalates.
4) Fix 1: allocate RACI for breach triage and reporting
Make responsibilities unambiguous—before an incident.
- Responsible: Lead incident handler; evidence custodian; communications drafter
- Accountable: Executive or client sponsor who signs on “eligible data breach,” OAIC, and SOCI submissions
- Consulted: Legal/privacy counsel, insurer, key vendors (RMM/backups), client’s compliance lead
- Informed: Client executives/board, service desk, affected partners
Map RACI to specific tasks:
- Determine NDB eligibility and prepare OAIC notification
- Prepare and send individual notifications (content, timing, channels)
- Lodge ACSC/SOCI reports within required timeframes
- Record any ransomware payment reporting steps required by emerging legislation
- Brief insurers and client boards with time-stamped facts
5) Fix 2: evidence-first operations that withstand scrutiny
Build your “show-me” packet:
- System-of-record logs: RMM, identity, EDR, backup, mail, network; synced time sources
- Chain-of-custody notes: who captured what, when, and how
- Decision log: eligibility rationale, notification timing, approvals, counsel advice tracked
- Contact directory: OAIC, ACSC, client execs, vendors, media/PR
- Data map: what data lives where (including offshore) and who can access it
- Vendor proofs: security attestations, breach SLAs, jurisdiction and transfer clauses
“Document your business or get out.”
Centralize this in a single source of truth so remote workers can follow instructions precisely under pressure.
6) Fix 3: codify cross‑border handling and uplift security controls
Meet APP 8, 1.2, and 11 with intent and evidence.
- APP 8 (overseas disclosure): record where data goes, due diligence on recipients, contractual safeguards, and client disclosures
- APP 1.2 (governance): maintain a privacy management program, roles, training, and a change-controlled policy register
- APP 11 (security): enforce least privilege, MFA, segmentation, encryption-in-transit/at-rest, tested backups, and offboarding
Resolution path: put these into your MSA, DPA, and runbooks so decisions are made once and followed every time.
7) Practice makes compliant: runbooks and a 90‑minute tabletop
Schedule a short, focused tabletop to validate your design.
- Scenario: RMM compromise affecting a critical-infrastructure client; offshore backups implicated
- Objectives: prove RACI works; generate OAIC/ACSC drafts; validate evidence capture; check insurer notice timing
- Artifacts: updated runbooks, call trees, template notifications, and an action backlog
- Metrics: time to triage, decision on eligibility, draft to approval, and client/board briefing quality
Outcome: your remote teams can execute playbooks consistently, reducing downtime, fines, and reputational harm.
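The evidence packet in Fix 2 and the tabletop metrics in section 7 both rest on the same thing: a time-stamped, tamper-evident record of who captured what and who decided what. The following is an added example (not code from the original article) of a minimal evidence manifest plus a hash-chained decision log, with the tabletop metrics (time to triage, time to eligibility decision, draft to approval) derived from the log's own timestamps. Every name, artifact, timestamp and log line in it is constructed sample data; the event names (`detection`, `triage_started`, and so on) are assumptions for illustration, not terms from the NDB or SOCI schemes.

```python
"""Added example: tamper-evident decision log + evidence manifest for an
incident "show-me" packet. Illustrative code, not from the original article;
all names, artifacts and timestamps below are constructed sample data."""
import copy
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # sentinel prev_hash for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evidence_record(name, content: bytes, captured_by, method, captured_at_utc):
    """Chain-of-custody record: who captured what, when, how, and its hash.
    captured_at_utc is ISO-8601 from a synced clock (assumed NTP-disciplined)."""
    return {
        "artifact": name,
        "sha256": sha256_hex(content),
        "size_bytes": len(content),
        "captured_by": captured_by,
        "method": method,
        "captured_at_utc": captured_at_utc,
    }


def append_entry(log, ts_utc, actor, role, event, detail):
    """Append a decision-log entry whose hash covers its content and the
    previous entry's hash, so later edits or deletions are detectable."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"seq": len(log) + 1, "ts_utc": ts_utc, "actor": actor,
             "role": role, "event": event, "detail": detail, "prev_hash": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_chain(log) -> bool:
    """True only if every entry's hash matches its body and links to its predecessor."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def elapsed_minutes(log, from_event, to_event) -> float:
    """Tabletop metric: minutes between the first occurrence of two events."""
    def first_ts(name):
        return datetime.fromisoformat(next(e["ts_utc"] for e in log if e["event"] == name))
    return (first_ts(to_event) - first_ts(from_event)).total_seconds() / 60


def tampered_copy(log, seq, new_detail):
    """Return a copy with one entry's detail silently edited (for the verify demo)."""
    altered = copy.deepcopy(log)
    altered[seq - 1]["detail"] = new_detail
    return altered


def build_sample_packet():
    """Constructed RMM-compromise timeline mirroring the article's scenario."""
    log = []
    append_entry(log, "2024-01-01T02:00:00+00:00", "alice", "Lead incident handler",
                 "detection", "RMM console alert: unrecognised admin session")
    append_entry(log, "2024-01-01T02:25:00+00:00", "alice", "Lead incident handler",
                 "triage_started", "RMM API tokens revoked; scoping of affected tenants begun")
    append_entry(log, "2024-01-01T05:10:00+00:00", "bob", "Accountable sponsor",
                 "eligibility_decided", "Eligible data breach: likely serious harm; counsel consulted")
    append_entry(log, "2024-01-01T06:00:00+00:00", "carol", "Communications drafter",
                 "oaic_draft_prepared", "OAIC notification draft v1 circulated")
    append_entry(log, "2024-01-01T07:30:00+00:00", "bob", "Accountable sponsor",
                 "oaic_draft_approved", "Approved after counsel review")
    evidence = [evidence_record("rmm_audit_export.json", b'{"sample":"constructed"}',
                                "alice", "export via RMM audit API", "2024-01-01T02:30:00+00:00")]
    return {"decision_log": log, "evidence": evidence}


if __name__ == "__main__":
    packet = build_sample_packet()
    print("chain intact:", verify_chain(packet["decision_log"]))
    print("time to triage (min):", elapsed_minutes(packet["decision_log"], "detection", "triage_started"))
```

The point of the hash chain is not cryptographic sophistication but that an insurer or a client's board can be shown, entry by entry, that the timeline they are reading is the one that was written during the incident. Keeping the metrics function on the same log means the tabletop scorecard comes from the record itself rather than from memory.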
8) 30‑day action list for owners and directors
- Audit and refresh your data protection policy, MSA, and DPA to reflect NDB/SOCI/CPS 234 and APP 1.2/8/11
- Add a clear RACI for breach assessment, OAIC/individual notifications, SOCI/ACSC reporting, and ransomware payment reporting steps
- Define your evidence requirements (logs, timestamps, chain-of-custody, decision records)
- Map cross-border data flows and update client disclosures and vendor contracts
- Create or refine incident runbooks and a single source of truth for remote teams
- Book a 90‑minute tabletop to test the end-to-end process
Leadership takeaway: compliance is a system, not a scramble. Document it, test it, and improve it before the next incident tests you.