The Four Pillars of Risk Management for MSPs - Contract Language
The one constant in the MSP business is change. In order to address the constantly changing threat landscape we must take a holistic view of risk management and reexamine all aspects of our business. This four-part series will look at the threat landscape for MSPs from several angles.
We are used to thinking of the threats as acts perpetrated against us by bad actors. We mitigate those risks through the use of firewalls, anti-virus/malware software, SIEM/MDR solutions, and end user training, etc. Job done! Right?
Nope! The threat landscape for MSPs extends way beyond "the bad guys". The sources of risk for your organization also include your vendors, employees, and even your customers. Because your customer's network is an extension of your own, your customers expose you to risk if their network is not secured at least as well as your own. The customer that refuses to make adequate investments in security exposes your organization to unnecessary risk and puts everyone in jeopardy.
As we will see throughout this series, the steps we take to mitigate risks will involve how we interact with our customers at all levels.
There are four pillars to risk management in the MSP world:
Contracts
Policies and Procedures
Insurance
Regulatory Risks
Contracts
Those of us that have been in the business for many years developed our contracts at time when the MSP world was a simpler place. At that time, we provided most of the services using our own team and a small set of tools to manage our clients' networks. As such, our contracts barely spoke (if at all) of third party vendor products used in the delivery of service. Today, with the proliferation of cloud based services, we have become more of an aggregator of services to our clients.
Every third party vendor we engage with presents us with a contract in which we agree to hold them harmless and indemnify them in the event of a failure of the product or a security breach regardless of whether it was their fault (think Kaseya). Many of them go even further and stipulate that you have shared their end user agreement with the clients to which you are providing the service. How many of us can say we have actually done that? Your contracts now should reference every third party vendor's End User Agreement with a link to it on the vendors website. When the client signs your contract, they are acknowledging that they have seen the third party vendors' contracts. According to Robert Scott of Scott and Scott LLP, "third party service provider risk, channel related risk, is probably the biggest thing you need to solve for in your contracts today."
Another threat that did not exist when we created our contracts was that of ransomware. In recent years, organizations of all sizes have been hit by ransomware attacks. Recovery from an attack can be expensive and time consuming. In many cases MSPs have performed lengthy recovery projects that the client assumed was covered under their contract. Regardless of the resolution, most likely the relationship was damaged if there was a disagreement on payment. Your contract should be clear up front. In the event of a ransomware attack, your customer may choose to pay the ransom, or pay for your services at the current rate to remediate. Any work related to ransomware recovery is not included in the contract.
We'll discuss the issue of regulatory risks in more detail later in the series, but suffice it to say many of our clients are bound in some way to regulatory requirements. Common regulations include HIPAA, SOX, GLBA, GDPR, etc. The list is quite long. It is impossible for any MSP to know all of regulations any individual client is bound to. The onus of identifying those regulations to the MSP must be placed on the client. Therefore your contract should clearly state that there is no inherent compliance with any regulation in your Master Services Agreement unless a separate Data Processing Agreement is in place. The client must request a DPA for the regulation in question. If your business agrees to abide by those regulations, you should have standard DPA available to provide to the client for that regulation rather than allowing the client to provide you with theirs.
Later in the series we'll also discuss cyber insurance in more detail as well. However, our contracts should address the need for the client to carry their own first party cyber insurance policy. Clients should not be relying on your cyber insurance policy to kick in should a breach occur that is potentially due to negligence on your part.
Given the changing landscape, contracts today need to be somewhat dynamic. Robert Scott recommends moving to a web-based contract management system that can automate the signing, linkage, storage, and maintenance of contracts. As changes in contracts occur, clients can access their updated contracts through a web-portal. This dramatically simplifies the process of keeping contracts current and adapting to new threats and regulatory requirements.
Contract language strikes at the heart of the value of the MSP business. Robert Scott states that "when you are thinking about risk balancing, when you are going to sell your managed services business, or if [you] are looking to buy IT Managed Services businesses…you want to be looking at what is the exposure in the paper." Because your contract base is your biggest asset as an MSP, if contracts are weak on provisions for Limitations of Liability, Indemnity, and Insurance requirements, your business won't be worth as much.
In our next post in the series we will look at policies and procedures MSPs should have in place to mitigate risks.