WARREN BUFFETT SAID, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Translation: As an MSP, you need to protect yourself from yourself, because you could lose everything if you are sued.
This January, MSP Involta was sued by Boardman Molded Products after the Ohio manufacturing company fell for a fake-invoice phishing scam and lost $1.7 million. The lawsuit alleged that the MSP should have warned the customer about phishing and that it mishandled the work ticket after the client reported the incident. It also stated that the MSP “was in charge of maintaining a secure environment and was to set security rules accordingly.”
The lawsuit includes specific allegations that Involta failed to conduct promised quarterly business reviews and to ensure anti-virus software was installed on all of the client’s systems. An audit showed systems missing anti-virus protection.
The lawsuit was not just about what was promised in the MSP’s legal agreement, which contained a lot of fine print. It quotes the MSP’s marketing claims to show potential jurors what the customer was promised. According to the lawsuit, Involta sold Boardman on the fact it would be their “one-stop shop for all IT needs.” The suit refers to Involta’s website terms and conditions, which said that Involta claimed “there would be no need for any other service providers for any purpose … Let your staff focus on innovation and business-oriented tasks …”
If that sounds familiar, follow these steps to protect your business:
1. Always use a contract
Never provide any service without a signed, written contract, and always have your contract created by an attorney familiar with the MSP industry, your business, and the laws of your state. Your contract should protect your company, state the scope and scale of your work, include any responsibilities shared with the client, and limit your risks.
2. Limit your exposure
Clearly state what is and isn’t included in your managed service fees and what services you are offering (don’t overpromise). Include what is not your responsibility or covered under the cost of your services, and what might prevent you from delivering the services, like the COVID-19 pandemic.
If you cause a data breach, take responsibility for it, but don’t get dragged into a client’s mess.
You should also state that cybersecurity and regulatory compliance are shared responsibilities, and that your client is responsible for their users and ensuring their own compliance. You may be able to help them with that for an additional fee.
3. Limit your liability
Limit your liability for managed services to just one to two months of fees paid by your client. Make sure you aren’t responsible for consequential damages that result from your failure. That means that if the client loses $1.7 million in a fake email scam, you are not responsible for their loss. It also means that if your client gets hit with ransomware, and misses a bid deadline, for instance, you aren’t responsible for the resulting business losses or penalties.
4. Align your marketing and sales with your contract
This is a BIG deal. You can’t assume that the fine print in your contract will protect you from the claims you make on your website; what you, your sales reps, and your technical folks tell prospects and clients; and what you put in your proposals. Remove any language that promises things like: “We will take care of your IT so you don’t have to worry about it.”
5. Audit your service delivery
Imagine receiving a lawsuit and reading in a legal document that your company had not installed anti-virus protection on all the client’s computers, and that you had never done a QBR, as promised in your marketing and contracts. How mad would you be at your team and at yourself?
Perform internal audits twice a year for each of your clients and have hard discussions with your team if the reports show gaps, such as missing security patches—and then address those gaps immediately.
6. Don’t investigate incidents (which doesn’t mean you shouldn’t respond)
I’m not suggesting that you not respond to an incident, but it isn’t your role to investigate it.
Hacking and ransomware are crimes. They often result in criminal investigations and lawsuits, and you may be sued because of your responsibility to manage the client’s network. Never touch any evidence because it may be used against you.
So what should you do?
- Contain the incident by disconnecting devices, shutting down services, etc.
- Tell your client to get their attorney involved, right from the beginning.
- Advise your client to follow the U.S. Department of Justice’s recommendations in its “Best Practices for Victim Response and Reporting of Cyber Incidents.”
Note that your client’s cyber insurance will determine what lawyers and forensic experts will be hired and paid. You may end up doing a lot of work for free if you aren’t a preapproved forensics company authorized by your client’s insurance company.
Also, make sure that none of your employees talk to a client after a reported breach, scam, or ransomware attack until you have been informed and have talked with your attorney about your risks and how you should proceed.
7. Be compliant with regulations
Laws require you to comply with regulations based on the services you provide and the clients you service. Advertising your compliance or placing a seal on your website is not a substitute for thoroughly following the applicable regulations.
Implementing the NIST Cybersecurity Framework (NIST CSF) in your own business, and aligning your managed services to the NIST CSF, will help you sell more services, deliver a high level of security, and stand up to the scrutiny of an audit, breach investigation, or lawsuit.
8. Be consistent
Consistency is required in cybersecurity and compliance. Schedule and repeat regular audits. Spot-check your service delivery. Train your employees and hold them all to high standards.
9. Take full ownership (you are the owner)
Get hands-on. Check the work of even your best employees. Validate that things like anti-virus are consistently managed, that you are delivering on your QBRs, and that you have documentation to prove everything.
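As an added example, not code from the original article or from any MSP tooling, the following Python script is the kind of gap report that steps 5 and 9 call for. It walks a constructed endpoint inventory and QBR log for one client and flags anti-virus that is missing or stale, security patches that are overdue, and QBRs that were never delivered. The hostnames, dates and thresholds are all assumptions for illustration; in practice the thresholds come from what your contract actually promises and the inventory comes from your RMM export.

```python
from datetime import date, timedelta

# Constructed sample inventory for one client; these hosts and dates are not real.
INVENTORY = [
    {"host": "bm-ws-01",  "av_installed": True,  "av_last_update": date(2021, 3, 1),  "last_patch": date(2021, 2, 28)},
    {"host": "bm-ws-02",  "av_installed": False, "av_last_update": None,              "last_patch": date(2021, 2, 20)},
    {"host": "bm-srv-01", "av_installed": True,  "av_last_update": date(2020, 12, 1), "last_patch": date(2020, 11, 15)},
]

# Constructed record of quarterly business reviews actually delivered to this client.
QBR_DATES = [date(2020, 6, 15), date(2020, 9, 20)]

# Hypothetical thresholds; set them to whatever the signed contract and marketing promise.
MAX_AV_SIGNATURE_AGE = timedelta(days=7)   # signatures older than a week count as unmanaged
MAX_PATCH_AGE = timedelta(days=45)         # a patch cycle missed by this much is a gap
MAX_QBR_GAP = timedelta(days=120)          # "quarterly" with a little slack


def audit_endpoints(inventory, today):
    """Return (host, finding) pairs for every endpoint that misses a promised control."""
    gaps = []
    for ep in inventory:
        if not ep["av_installed"]:
            gaps.append((ep["host"], "anti-virus not installed"))
        elif ep["av_last_update"] is None or today - ep["av_last_update"] > MAX_AV_SIGNATURE_AGE:
            gaps.append((ep["host"], "anti-virus signatures stale"))
        if ep["last_patch"] is None or today - ep["last_patch"] > MAX_PATCH_AGE:
            gaps.append((ep["host"], "security patches overdue"))
    return gaps


def audit_qbrs(qbr_dates, today):
    """Return a list of findings about QBR delivery (empty list means on schedule)."""
    if not qbr_dates:
        return ["no QBR on record"]
    last = max(qbr_dates)
    if today - last > MAX_QBR_GAP:
        return [f"last QBR {last.isoformat()} is older than {MAX_QBR_GAP.days} days"]
    return []


def audit_client(inventory, qbr_dates, today):
    """Combine endpoint and QBR findings into one report dict for the audit file."""
    return {
        "as_of": today.isoformat(),
        "endpoints_checked": len(inventory),
        "endpoints": audit_endpoints(inventory, today),
        "qbr": audit_qbrs(qbr_dates, today),
    }


def format_report(report):
    """Render the report as text that can be filed as audit evidence."""
    lines = [f"Service delivery audit as of {report['as_of']} "
             f"({report['endpoints_checked']} endpoints checked)"]
    for host, finding in report["endpoints"]:
        lines.append(f"  GAP {host}: {finding}")
    for finding in report["qbr"]:
        lines.append(f"  GAP QBR: {finding}")
    if not report["endpoints"] and not report["qbr"]:
        lines.append("  no gaps found")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed audit date so the sample output is reproducible.
    print(format_report(audit_client(INVENTORY, QBR_DATES, date(2021, 3, 3))))
```

Run it twice a year per client, keep the printed report with the date in your documentation, and treat every GAP line as a work ticket that is closed before the next audit.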
10. Have great insurance, but don’t assume it will cover you
You may think that your Errors & Omissions (E&O) insurance will protect you. Don’t be so sure.
My company has a good E&O insurance policy underwritten through Lloyd’s of London. I worked hard with my agent to make sure it had the coverages I need to pay legal fees if I am sued and to cover any settlements if we screw up and must settle a claim.
It’s a great policy, but the following exclusion means that it will not pay if we don’t do what is expected of us or we fail to deliver things we promised:
The coverage under this Policy will not apply to any Loss arising out of:
Deceptive Business Practices, Antitrust & Consumer Protection – any actual or alleged false, deceptive or unfair trade practices, antitrust violation, restraint of trade, unfair competition, violation of consumer protection law, false, deceptive or misleading advertising, inaccurate cost estimates or failure of goods or services to conform with any represented quality or performance.
This means you can’t insure yourself out of claiming that you will deliver services and then not doing it consistently or at the quality level you promised. You must deliver every day, which is why I religiously follow these 10 steps in my business.
MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.