Warren Buffett said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” In a previous ChannelPro article, I wrote about protecting your clients from you. Now we need to talk about protecting you from yourself.
I was an MSP and know that you’ve invested a lot in your company. Hopefully, it’s giving you a good lifestyle, has helped you build a good reputation, and will provide you with a comfortable retirement. But you could lose everything if you are sued. Your best client could quickly turn into your biggest adversary and kill your hopes and dreams.
In January 2020, Involta, an MSP that owns data centers across the U.S., was sued by Boardman Molded Products, after the Ohio manufacturing company fell for a fake invoice phishing scam and lost $1.7 million. The lawsuit said that the MSP should have warned the customer about phishing, that the MSP mishandled the work ticket after the client reported the incident, and that the MSP “was in charge of maintaining a secure environment and was to set security rules accordingly.”
The suit also alleges that the MSP failed to install anti-virus protection on all the customer’s computers, and for two years never delivered the quarterly business reviews (QBRs) that it promised in its managed services agreement. These were simple fundamentals that were in the full control of the MSP.
The lawsuit was not just about what was promised in the MSP’s legal agreement, which contained a lot of fine print. It quotes the MSP’s marketing claims to show potential jurors what the customer was promised.
According to the lawsuit, Involta sold Boardman on the fact it would be their “one-stop shop for all IT needs.” The suit refers to Involta’s website terms and conditions, which said that Involta claimed “there would be no need for any other service providers for any purpose… Let your staff focus on innovation and business-oriented tasks…”
Sound familiar?
Here are 10 steps you need to take right now before you are sued by your best customer, find out your insurance won’t cover you, and watch your business value and retirement fund vaporize.
1. Always use a contract.
Never provide any service—a break/fix repair, assessing a business for free to sell them managed services, or managed services—without a signed written contract.
Your contract should protect your company, state the scope and scale of your work, include any responsibilities shared with the client, and limit your risks.
Don’t think of your contract as an option or a simple piece of paper. Imagine being in court and relying on your contract to protect you from a devastating financial disaster. Never take someone else’s agreement and change their name to yours. Always have your contract created by an attorney familiar with the MSP industry, your business, and the laws of your state. Show your attorney the Involta lawsuit and tell them you don’t ever want to see one with your name on it.
2. Limit your exposure.
Clearly state what is and isn’t included in your managed service fees, and what is not your responsibility or covered under the cost of your services.
Don’t overpromise. Define what services you are offering, and what might prevent you from delivering them, like COVID-19 and the civil unrest events that have recently been in the news.
Don’t get dragged into a client’s mess. If you cause a data breach, you must take responsibility for it. But if your client has a breach, or gets into an IT-related mess like Hillary Clinton did with her email server, how many hours, travel, and expenses are you willing to include for something you didn’t cause?
You should also state that cybersecurity and regulatory compliance are shared responsibilities, and that your client is responsible for their users and ensuring their own compliance. You may be able to help them with that for an additional fee above what they pay for basic managed services.
For example, compliance regulations require written documentation when an audit or investigation takes place. Make sure your client understands they are responsible for providing the documentation. They should not expect you to give them detailed documentation of your services that will stand up to government scrutiny unless they have purchased your extended compliance services, which cost more than basic managed services and include the cost of documentation.
3. Limit your liability.
Even if you screw up, it shouldn’t wipe you out financially.
Limit your liability for managed services to just 1-2 months of fees paid by your client. Refunding a month or two won’t ruin your life, even if you must pay it out of pocket.
Make sure you aren’t responsible for consequential damages that result from your failure. That means that if the client loses $1.7 million in a fake email scam, you are not responsible for their loss. It also means that if your client gets hit with ransomware, and misses a bid deadline, a court filing deadline, or a tax deadline, you aren’t responsible for the resulting business losses or penalties.
4. Align your marketing and sales with your contract.
This is a BIG deal. You can’t assume that the fine print in your contract will protect you from the claims you make on your website; what you, your sales reps, and your technical folks tell prospects and clients; and what you put in your proposals.
My attorney once updated our contract and then called me to say we needed to change our website and marketing materials. He read the clauses in our contract limiting our exposure and liability, then read things on our website and in our sales sheets that promised just a bit too much.
Read every word on your website, your marketing materials, and your proposals, and remove any promises like “we will take care of your I.T. so you don’t have to worry about it.”
Think about things you can’t control, like users implementing cloud services; adding Internet of Things devices; third-party vendors; mobile devices; etc. Imagine yourself in a legal deposition or on the stand in a courtroom, trying to clarify why you don’t think you are responsible for a client’s problem when your marketing implied you will take care of everything related to their IT.
5. Audit your service delivery.
Imagine receiving a lawsuit and reading in a legal document that your company had not installed anti-virus protection on all the client’s computers, and that you had never done a QBR, as promised in your marketing and contracts. How mad would you be at your team and at yourself?
Use products like RapidFire Tools’ Network Detective to perform automated internal audits for each one of your clients so you can see from the reports how well you are doing. Repeat these at least twice each year for each client.
LOOK AT THE REPORTS and have the hard discussions with your team if they are not performing at 100%. Your reputation and personal finances depend on it.
At Semel Consulting, we often get cybersecurity and compliance project referrals from MSPs. Almost every time, when we run our “under-the-skin” network scans we discover that the MSP has missed critical security patches and not installed anti-virus protection consistently, and that critical and regulated data is on systems that are not encrypted or backed up.
I told one MSP that his client’s servers were missing hundreds of patches. The MSP investigated and found out that his senior engineer responsible for managed services, without discussing it with anyone or getting approval, had arbitrarily decided that Microsoft’s critical updates were not all critical. He stopped installing them, even though the MSP’s marketing, their contracts, and the cyber insurance policy questionnaires they helped their clients complete said they install all critical patches within 30 days of their release.
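The audit described in this step boils down to comparing what each client's systems actually look like against what your marketing, contracts, and insurance questionnaires promised. The script below is an added example, not code from the article or from any of the tools it names: it takes a constructed endpoint inventory (the kind of data an RMM or assessment tool exports) and flags every gap against the promises mentioned above, namely anti-virus on every machine, all critical patches applied within 30 days of release, a QBR each quarter, and regulated data kept encrypted and backed up. The 30-day patch window comes from the article; the quarter length, the signature-age threshold, and the client and host names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Promised service levels. The 30-day patch window is the commitment the
# article describes; the other two thresholds are assumptions for this example.
PATCH_SLA_DAYS = 30
QBR_INTERVAL_DAYS = 92          # assumed definition of "quarterly"
AV_SIGNATURE_MAX_AGE_DAYS = 7   # assumed: definitions older than a week are stale


@dataclass
class Endpoint:
    hostname: str
    av_installed: bool
    av_signature_date: Optional[date]      # None when no AV is present
    missing_critical_patches: List[date]   # release dates of critical patches not yet applied
    holds_regulated_data: bool
    encrypted: bool
    backed_up: bool


@dataclass
class Client:
    name: str
    endpoints: List[Endpoint]
    last_qbr: Optional[date]


def audit_client(client: Client, today: date) -> Dict[str, object]:
    """Compare one client's actual state with the promised service levels.
    Returns a dict of finding name -> detail; an empty dict means every promise is met."""
    findings: Dict[str, object] = {}

    no_av = [e.hostname for e in client.endpoints if not e.av_installed]
    if no_av:
        findings["antivirus_missing"] = no_av

    stale_av = [e.hostname for e in client.endpoints
                if e.av_installed and e.av_signature_date is not None
                and (today - e.av_signature_date).days > AV_SIGNATURE_MAX_AGE_DAYS]
    if stale_av:
        findings["antivirus_signatures_stale"] = stale_av

    # Count only patches that are past the promised window; newer ones are not yet a breach.
    overdue: Dict[str, int] = {}
    for e in client.endpoints:
        late = [d for d in e.missing_critical_patches if (today - d).days > PATCH_SLA_DAYS]
        if late:
            overdue[e.hostname] = len(late)
    if overdue:
        findings["critical_patches_overdue"] = overdue

    unprotected = [e.hostname for e in client.endpoints
                   if e.holds_regulated_data and not (e.encrypted and e.backed_up)]
    if unprotected:
        findings["regulated_data_unprotected"] = unprotected

    if client.last_qbr is None or (today - client.last_qbr).days > QBR_INTERVAL_DAYS:
        findings["qbr_overdue"] = client.last_qbr

    return findings


def audit_all(clients: List[Client], today: date) -> Dict[str, Dict[str, object]]:
    """Run the audit for every client; the result is the report to actually read."""
    return {c.name: audit_client(c, today) for c in clients}


# Constructed sample inventory (not real clients or hosts).
TODAY = date(2020, 7, 1)
SAMPLE_CLIENTS = [
    Client("Acme Widgets (constructed)", [
        Endpoint("ws01", True, TODAY - timedelta(days=1), [], False, True, True),
        Endpoint("srv01", False, None,
                 [TODAY - timedelta(days=45), TODAY - timedelta(days=10)],
                 True, True, False),
    ], last_qbr=TODAY - timedelta(days=200)),
    Client("Beta Dental (constructed)", [
        Endpoint("ws10", True, TODAY - timedelta(days=2),
                 [TODAY - timedelta(days=5)], True, True, True),
    ], last_qbr=TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CLIENTS, TODAY).items():
        status = "OK" if not findings else "NOT DELIVERING AS PROMISED"
        print(f"{name}: {status}")
        for check, detail in findings.items():
            print(f"  - {check}: {detail}")
```

Run it twice a year per client, as the step recommends, and treat any non-empty result as the "hard discussion" trigger: each finding is one line a plaintiff's attorney could otherwise write for you. Keep the thresholds in one place so that when the contract or marketing wording changes, the audit changes with it.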
6. Don’t investigate incidents (which doesn’t mean you shouldn’t respond).
I’m not suggesting that you not respond to an incident, but it isn’t your role to investigate it.
I was a firefighter for years, and several times had to put out fires at crime scenes. Once the fire was out, certified investigators came in. They knew how to follow the laws requiring the proper handling of evidence, how to maintain a legal chain of custody, and were approved by courts as expert witnesses. That’s required if you are going to put someone in jail.
Your engineers may like to think they are detectives who can investigate a client’s breach or hack. You may offer incident response in your contracts or have read magazine articles saying you need to up your incident management game. You may think this means investigating the incident.
Don’t.
Hacking and ransomware are crimes. They often result in criminal investigations and lawsuits, and you may be sued because of your responsibility to manage the client’s network. Never touch any evidence because it may be used against you.
Criminal and civil court cases require proper chain-of-custody procedures, so evidence is admissible. Expert witnesses must be court-approved based on their certifications and experience.
So what should you do?
a. Contain the incident by disconnecting devices, shutting down services, etc.
b. Tell your client to get their attorney involved, right from the beginning. Involving an attorney early on may protect your client’s conversations and investigation with attorney-client privilege, preventing embarrassing things from being included in depositions and court filings.
c. Advise your client to follow the U.S. Department of Justice’s recommendations in its “Best Practices for Victim Response and Reporting of Cyber Incidents,” which says:
“…an organization should ensure it selects (an incident response firm) that is well acquainted with forensically sound methods of evidence collection that do not taint or destroy evidence. An incident response firm should also be capable of preserving data in a manner that will allow it to be used later as evidence.”
Note that your client’s cyber insurance will determine what lawyers and forensic experts will be hired and paid. You may end up doing a lot of work for free if you aren’t a pre-approved forensics company authorized by your client’s insurance company. In short, unless you’re certain:
a. your staff is certified in forensics and follows proper chain-of-custody requirements;
b. your client’s insurance company will pay your investigation fees; and
c. you won’t be sued by your client,
then you should stay away from incident investigations.
Also, make sure that none of your employees talk to a client after a reported breach, scam, or ransomware attack until you have been informed and have talked with your attorney about your risks and how you should proceed.
7. Be compliant with regulations.
Laws require you to comply with regulations based on the services you provide and the clients you service. Advertising your compliance or placing a seal on your website is not a substitute for thoroughly following the applicable regulations.
Implementing the NIST Cybersecurity Framework (NIST CSF) in your own business, and aligning your managed services to the NIST CSF, will help you sell more services, deliver a high level of security, and stand up to the scrutiny of an audit, breach investigation, or lawsuit.
As an MSP, I had to comply with HIPAA, defense contractor regulations, state laws, our insurance and our clients’ insurance policies, and contracts.
Using a HIPAA-only solution is a big mistake. My attorney told me that providing clients with a compliance seal would open me up to liability because of the things we cannot make them do and because they could make changes we couldn’t see. You don’t want to be held liable for verifying a client’s compliance.
8. Be consistent.
Consistency is required in cybersecurity and compliance. Schedule and repeat regular audits. Spot-check your service delivery. Train your employees and hold them all to high standards.
9. You are the owner. Take full ownership.
No matter how many employees and clients you have, it is your pain if you lose a lawsuit and can’t make payroll, if your reputation is destroyed, and if you must sell everything and empty your retirement fund. Meanwhile, your employees will move on to other jobs.
Get hands-on. Check the work of even your best employees. Validate that things like anti-virus are consistently managed, that you are delivering on your QBRs, and that you have documentation to prove everything if you are challenged or sued.
10. Have great insurance, but don’t assume it will cover you.
I left this to last, because you may have been thinking all along that you have Errors & Omissions (E&O) insurance that will protect you.
Don’t be so sure.
Remember that Involta was sued for not installing anti-virus and not delivering the QBRs they promised? I think you will agree that those alleged failures don’t live up to the quality standards expected of MSPs. If Involta promised things and didn’t deliver them, that might be considered false and deceptive advertising, right?
My company has a good E&O insurance policy underwritten through Lloyd’s of London. I worked hard with my agent to make sure it had the coverages I need to pay legal fees if I am sued and to cover any settlements if we screw up and must settle a claim.
It’s a great policy but this exclusion means that it will not pay if we don’t do what is expected of us or we fail to deliver things we promised:
The coverage under this Policy will not apply to any Loss arising out of:
Deceptive Business Practices, Antitrust & Consumer Protection – any actual or alleged false, deceptive or unfair trade practices, antitrust violation, restraint of trade, unfair competition, violation of consumer protection law, false, deceptive or misleading advertising, inaccurate cost estimates or failure of goods or services to conform with any represented quality or performance.
This means you can’t insure yourself out of claiming that you will deliver services and then not doing it consistently or at the quality level you promised.
You must deliver every day, which is why I religiously follow these 10 steps in my business.
MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.