06 August 2024  —  Acronis

What the Supreme Court’s Loper ruling could mean for cybersecurity and MSPs

By Lee Pender, Senior Content Marketing Manager, Acronis

If you’ve watched any congressional hearings related to technology, you’ve probably noticed that many lawmakers are a little less than computer savvy.

Until recently, that wasn’t much of an issue. Regulatory agencies interpreted laws enacted by Congress when issuing regulations, and businesses, legislators and everybody else had to go along with what they said. That included courts, which had to treat a regulatory policy as essentially correct and almost unassailable if an entity sued to challenge it.

What the Chevron doctrine was and wasn’t

In late June 2024, all of that changed. The Supreme Court issued a landmark ruling in a decision officially called Loper Bright Enterprises v. Raimondo but sometimes referred to simply as Loper or even as the Chevron decision. The ruling overturned a 1984 decision involving the oil company, Chevron U.S.A. v. Natural Resources Defense Council, Inc., which established the authority of regulatory agencies in the courts and is more commonly known as the Chevron doctrine.

You might have heard a pretty significant uproar about Loper — particularly from environmental groups. But whatever you think of the ramifications of the decision, the bottom line is that it gives courts much greater authority to interpret legislation and strike down related regulations.

For 40 years, any person or group who sued to alter a regulation not specifically spelled out in the law faced a massive barrier to entry. The Chevron doctrine dictated that the court had to treat the regulation as authoritative … something close to set in stone. The Supreme Court has effectively leveled the playing field with Loper, meaning plaintiffs will have a much easier time arguing in front of courts that no longer have to show deference to regulatory policy.

How we got to Loper

Practically speaking, federal cybersecurity regulations aren’t likely to be the first policies opponents will look to challenge. But they could change and likely will. The result will likely be chaotic, at least for a while.

One reason goes back to members of Congress and their limited understanding of technology. Because cybersecurity is a dynamic field, many laws and regulatory policies are based on old, outdated precedents. The Center for Cybersecurity Policy and Law puts the issue in stark relief:

“The U.S. cybersecurity legal framework relies heavily on federal agency interpretation of laws that are often unclear regarding their application to new technologies. The cyberthreat landscape evolved significantly over the past decade, but legislation has not kept pace. As a result, agencies applied older statutory mandates to protect consumers and ensure safety to newer attacks such as ransomware.”

Essentially, Congress has punted cybersecurity policy to regulatory agencies in large measure, relying on them to build a patchwork of policies — or a house of cards — based on old rules dealing with old threats. Now, all of those policies are much easier to challenge. So, some alteration of cybersecurity policy could lead to positive results and a stronger stance against, say, ransomware, which current policy doesn’t adequately address.

The storm before the calm

The problem, of course, is getting to some sort of workable and relatively settled policy stance. Multiple agencies in the federal alphabet soup touch cybersecurity policy somehow, including the Federal Trade Commission (FTC), Federal Communications Commission (FCC) and Department of Homeland Security (DHS), among others. Of course, the courts are a labyrinth in which cases bounce from one court to another on a regular basis.

So, the process of settling cybersecurity policies, should various entities bring credible suits to challenge them, could be long and arduous, to say the least. And it won’t ever necessarily end, either. With policies more open than ever to challenges, there is no real limit on the number of cases that could affect cybersecurity regulations.

What’s more, while cybersecurity regulations are much less likely to be targets of lawsuits than, say, environmental regulations, they’re also more prone to undergo changes from court rulings. That’s because cybersecurity rules are newer and less established than, for instance, financial or labor regulations.

There is no way for anybody to know right now what will change, when or how often. And while that can pose major challenges for MSPs and their clients, it also opens up opportunities.

What Loper means for MSPs and SMBs

Cybersecurity presents a huge opportunity for MSPs. More than half of MSP clients approach service providers, at least in part, to solve issues with cybersecurity. But it’s also a difficult discipline to get right.

A potential world of regulations in constant flux presents something of a double-edged sword for MSPs. On the plus side, they can sell keeping up with changing regulations as part of their value-added services to clients. Already, helping clients navigate cyber insurance and regulatory issues is a selling point for MSPs. It could be a much stronger one as soon as regulations change. In fact, just the prospect of rapid change makes for a solid enticement, as most businesses don’t like uncertainty.

Of course, the other edge of the sword involves MSPs themselves keeping up with regulatory changes, which could prove to be a challenge. But courts move relatively slowly compared to many businesses — the two sides in Loper argued for nearly six months — so managing change might actually be manageable. But MSPs will need to be sure they’re able to follow through on their promises to clients.

How MSPs can prepare for a changing regulatory environment

Cybersecurity should sell itself, but most MSPs know it often doesn’t. SMBs become acclimated to hearing scary stories and dire numbers, and they still believe a cyberattack “couldn’t happen here,” even when it very much could. But regulatory issues introduce a different area of concern. Failure to keep up can lead not only to a devastating cyberattack but also to fines and legal issues, including lawsuits from SMBs’ end customers.

So, MSPs need to hone their messaging around the potential changes coming to the regulatory environment. But they also need to make sure they’re ready for what’s coming. One major move they can make is to simplify how they deliver cybersecurity services. Having multiple employees handle multiple products from multiple vendors is inefficient and expensive, and it takes away time MSPs could be using to counsel with clients about regulations or just about anything else.

MSPs need a comprehensive cybersecurity service that one person can manage from a single dashboard. That’s exactly what Acronis Cyber Protect Cloud provides. With Cyber Protect Cloud, MSPs can spend time providing value to clients rather than running around trying to monitor multiple disparate applications. Employees could even spend found time keeping up with regulatory changes.

Cybersecurity moved fast enough before the courts had nearly unlimited power to change regulations. Now, chaos could ensue — and if it does, you need the technology and processes in place to meet whatever comes next.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.
