When it comes to falling victim to cyberattacks, MSPs are no different to any other business in terms of risk, but as service providers they may have even more to lose.
If one of their customers is breached, it could end up costing MSPs a lot more than they bargained for: they could well be liable for all of that customer’s costs if they haven’t taken out any form of cyber insurance or made any legal provision in their customer contracts to protect themselves.
It’s important for MSPs to be as prepared as possible for a customer being breached and to make sure both sides know exactly where they stand should the unthinkable happen, according to panelists during a session at CompTIA’s 2022 EMEA Member & Partner Conference.
A cyber insurance policy is the best way to stay safe. But is it worth it? In short, yes, according to moderator and CompTIA COO Courtney Fong, and two top legal experts: Richard Nicholas, a partner at Browne Jacobson LLP, and Stuart Davey, partner at Pinsent Masons.
To help MSPs, CompTIA has released a UK Legal Playbook, which includes 10 sections packed with expert advice on topics ranging from setting up an MSP business to data protection. The playbook complements Legal Resources for Tech SMBs, which was launched for U.S.-based companies last year.
The main benefit of a cyber insurance policy is peace of mind, said Davey. “A cyber insurance policy gives you access to panels of expert advisors if you encounter a cyber-attack,” he said. “The costs of managing response to a cyber-attack can be quite significant, so having cost certainty in a crisis situation is important.”
MSPs Face Significant Financial Risk
Surprisingly, the panel revealed that under English law, the one thing that isn’t covered under a cyber insurance policy is the fine itself, should you be unfortunate enough to break GDPR rules. The fine must be covered by the breached company alone. It is important to consider this when drawing up service contracts, because the customer could definitely come after you as their supplier and demand you reimburse them for the fine.
This could happen even if you know it is not your fault as the supplier and you have done all you can to protect your customer.
“As an MSP you can be fined by the ICO, but you can also be liable to customers and liable for third party claims,” said Nicholas. “Of course, a customer is going to try and pass the blame onto their supplier for any breach, so unless it is stated in your customer contract, you have to cooperate and run the risk of being held liable.”
As an aside, Nicholas said many insurance policies will cover money paid under ransomware demands, which is viewed differently by insurers.
Shore Up All Service Contracts
Because of the risky position MSPs may find themselves in after a customer is breached, you cannot be too specific when it comes to drawing up customer contracts, the legal experts advised.
“Work out in the contract who is responsible for doing backups and security patches,” said Nicholas. “If you don’t put this in the contract the customer may well assume it is your responsibility, leaving you liable.”
“It would be wise to have a list of services you are providing in your contract and a list of those you are not,” added Davey. “Otherwise, a customer might expect patches and backup to be provided, and if it is not in the contract, they could have a fair argument. Be as clear about what you do as possible and then you are more protected should anything go wrong.”
Certainty in a customer contract is a gold standard to aim for, Nicholas added.
Other Steps to Protect Your Business
MSPs can also implement other measures to avoid a potentially crippling fine, such as running training and awareness programmes both internally for their own employees and externally for customers, and even filling out a Record of Processing Activity (ROPA) document that will let them easily locate the exact data that has been breached and give them all the necessary answers ahead of time.
If a customer has refused a certain service or piece of advice, make sure it is documented so that, if a breach occurs, you are fully protected and able to prove it was offered.
Forewarned is forearmed as the saying goes, and when it comes to potential litigation situations over a cyber breach, being as prepared as possible for any eventuality is definitely not a bad thing and will allow you to show resilience in the face of extreme adversity.
“It is a question of when, not if, a breach occurs,” concluded Davey. “Do you have the right people out there to call when it happens?”
Nicholas said ultimately it was about reputation. “Companies like BA and Marriott are big enough to survive these types of breaches because they are big businesses in niche areas, but smaller companies like MSPs are competing against each other all the time. It matters, and it matters to their customers that they get it right.”