The following is a condensed and edited Q&A with attorney Bradley Gross that took place during ChannelPro’s Online Security Summit in April 2023. Gross is the founding partner of the Law Office of Bradley Gross, P.A., a law firm that specializes in transactions involving technology service providers.
ChannelPro: Do both MSPs and their clients need to have a cyber insurance policy?
Brad Gross: For sure. Without insurance, you’re operating without a safety net, and without a safety net, bad things can happen. So, an MSP not only needs insurance for itself, but it should strongly advise its clients to have such insurance. As for what type of insurance an MSP should have, it should be first party, third party, cover cyber piracy, cover data loss, cover errors and omissions. It’s a must.
ChannelPro: Should MSPs fill out or advise clients on those security questionnaires required by cyber insurance companies or brokers?
Brad Gross: With increasing frequency, we are seeing MSPs being asked to fill out these questionnaires that are either provided by insurance brokers or by the insurance companies themselves. These questions can range anywhere from the simple—tell us about what services you’re providing—to the more complex—tell us what vendors you’re providing or tell us how you’re implementing a specific solution to a specific problem. MSPs are now being asked to fill those out because their customers don’t know what to write. Should they be filling those out? And what kind of liability can follow? The answer is, if this were just theory, you’d say the MSP shouldn’t do anything that it isn’t being paid to do. In practical terms, you’re not going to look at your customer and say, “I’m not touching this.” You’re their trusted IT advisor. So, yes, they’ll fill them out, but do it under certain predetermined, agreed upon conditions.
ChannelPro: How does an MSP find the right attorney to review sales and service agreements to make sure they’re well protected against cyber security liability?
Brad Gross: You need to make sure that the attorney understands the technology that you’re talking about and understands the compliance standards that you may need to meet. A lot of attorneys can write good contracts that have limitations of liability and warranties, but do they give thought to and do they know about the underlying technology and what vulnerabilities you and your client might be exposed to? You need to know the vendors. You need to know the technology. You need to know the trends. So as an MSP, ask, “What vendors do you think we should be using? What kind of vulnerabilities have you seen?” If the attorney doesn’t have an answer for you, then he or she is probably not qualified in this area. … If you don’t understand the difference between EDR, MDR, and XDR, how are you going to write a contract for an MSP that might be offering one, if not all, of those services? Look for the handful of attorneys that seem to operate in the area, then do your due diligence. Don’t just assume that somebody who says they do technology work is qualified to help you, because they might do technology work and bankruptcy and wills, trusts, and estates. And to me that’s a little bit broad. You either know this area or you don’t.
ChannelPro: How can I use my master services agreement to mitigate risk?
Brad Gross: That’s your constitution. Your master services agreement is 80% of what you’re going to use to mitigate risk. So, your master agreement needs [to consider] the worst-case scenario—you have totally messed things up, or at least you are being perceived as having totally messed things up. You have to think about what the remedies are going to be. What are remedies that you can live with? What are remedies that your insurance company allows you to offer? Sometimes your insurance policy will limit the types of remedies you can offer. The MSA is your legal backstop. It’s the first line of defense.
To manage expectations, which will lower liability, you need to be very clear with your customers about the scope of the services that you’re providing and the limitations of those services. If you manage expectations, you will not have disappointed customers that want to sue you. So, it’s sort of a twofold thing. You’re going to protect yourself with an MSA and you’re going to provide clear, unambiguous quotes and explanations of your services.
ChannelPro: Is the MSA a living document? Does it evolve as the threats evolve or as the opportunities evolve, and if so, how do you manage that?
Brad Gross: It is not a living document. It is your constitution. And if it’s done correctly, it probably doesn’t need to be updated more than once every three to five years. The way I view it is your MSA is your constitution. That doesn’t change. What changes are the quote, the statement of work, whatever you want to call it, that you are offering to your customer, the document that describes what you’re doing and how you’re doing it, that’s what changes.
ChannelPro: Can marketing put an MSP at risk of being sued? For example, say an MSP’s marketing says, “Hire us and we’ll protect you from every threat.” Can that kind of boast lead to some kind of exposure?
Brad Gross: Yes. A lot of times marketing is used by MSPs to show credibility, or depth of service. I like to call those materials Exhibit A, because that’s usually where they end up: Exhibit A on a complaint. [For example, your marketing says], “You’re going to sleep soundly at night, knowing we have you fully covered.” Do you really have them fully covered? Are there holes? Are there vulnerabilities? You know who doesn’t offer fully covered guarantees? Upstream providers. You as an MSP should not be offering or making marketing claims that your upstream providers aren’t willing to make, because you’re limited by what services they’re offering to you. So always keep tabs on your marketing materials and in your MSA make it very clear that your marketing materials and your website [are] not a binding contract. They are for demonstrative educational purposes. A client should only get and expect to get what you describe in a quote.
ChannelPro: Can the promises a salesperson makes when they sell solutions put an MSP’s business at risk?
Brad Gross: Absolutely. Because the problem is that salespeople, in their zeal to get the job done, will often aggrandize the ability or the scope of a service, or they’ll make promises about extra services that aren’t actually delivered. So, when bad things happen, the first thing that the customer’s going to say is, “Joe or Mary told me I was going to get this and that, and this was covered.” That is why it is so crucial that in your master agreement, you specifically state that things that salespeople say, unless they end up in the contract, aren’t binding. And then in your description of service, whether it is a quote, a proposal, a service statement, whatever it is, you need to describe what a service does and what it does not do so no one can turn around and say, “I was promised this, and you never told me anything differently.”
ChannelPro: If an MSP has done everything right and spelled out everything in the MSA, can the customer still take you to court if there’s a breach or denial of insurance claim?
Brad Gross: Anyone can take anyone to court. I could file a complaint against you because you promised to fix my glasses the other day. Now you made no such promise, but can I bring you to court? Of course. Would I lose and lose badly? Yes. But of course, it would still require you to spend money and time to get to that point, which is why you need to have a weapon, if you will, against baseless litigation filed against you. And that is why every person who has an MSA with their customer must have a provision in that MSA saying, “If we end up in court or in an arbitration, the prevailing party gets its attorney’s fees.”