Don’t Let Your MSP Become the Next Big Headline, Part 2

In part one of this blog series, I looked at the first three lessons I believed MSPs could learn from three recent legal cases to strengthen their cybersecurity practice. You can read that blog here. In this blog, I’m going to look at the remaining three lessons MSPs should take away from these cases.

If you haven’t read the first blog, here are links to the legal cases I’m referencing:

• California: Law Firm Sues MSP Over Black Basta Ransomware Attack
• Maine: IT Consulting Firm Blames MSP for Data Breach
• Ohio: MSP Sued By Customer After Phishing Attack

And lessons 1-3 were:

• Ensure you have a signed, written contract in place with Every. Single. Customer
• Ensure your agreements clearly define your scope of services to set expectations and limit your exposure
• Ensure you build your cybersecurity business in a way that pushes liability and risk back onto the customer

And here are the final three lessons:

4. Ensure your customers have their own cyber insurance

Another way to encourage customers to be accountable for their own risk and to share the cybersecurity responsibility, is to ensure that they each have their own cybersecurity insurance policy in place. More and more MSPs are starting to make it a contractual requirement that their customers invest in their own cyber liability insurance coverage to help mitigate as much risk from their MSP as possible. They are acknowledging that although they are the customer’s MSP, they can’t assume and carry ALL of the liability and cyber-risk for their customers. For this reason, they are mandating that their customers go and source their own cyber-liability insurance coverage to offset part of the risk.

This may be a trend you want to consider as well; insisting your clients obtain their own cyber liability insurance policy, if they don’t have it in place already. Of course, if you do put this requirement in place, to qualify for that insurance policy, the customer will have to be enrolled in your Advanced Cybersecurity Program, as the requirements listed on many cyber liability insurance application forms are requirements that make sense to include in an Advanced Security Program. So, the two align well and can act as an upgrade path for you to transition and standardize your clients into that more comprehensive set of protection services.

5. Be consistent in your service delivery

Another big takeaway from these court cases is that MSPs need to be disciplined and consistent in how they deliver their recommended security programs to their customers.

This means that whatever services are documented in your managed services statement of work and outlined via your agreement, are actually being delivered as promised. Because when we look at the Ohio court case, it was discovered that a few critically important elements of their agreement were overlooked and were not being delivered as agreed upon. Details of negligence included: Machines missing vital anti-virus software (even though the service order stated that they would provide virus and malware protection); and quarterly business reviews that were never scheduled and completed. These are big oversights in their onboarding and service delivery processes that never should have happened.

The lesson here is to not become complacent in the delivery of your own cybersecurity program and to ensure that you are continually auditing your service delivery processes and the team assigned to completing those tasks, to confirm that your MSP is delivering what it has committed itself to.

And what I believe to be the biggest takeaway of them all…

6. Ensure that you are delivering your quarterly business reviews!

Quarterly Business Reviews are the cornerstone of any good cybersecurity program. They are needed to keep the lines of communication open, and to ensure that both parties are on the same page in terms of setting and meeting expectations and accountability standards.

Because, if you are not regularly speaking to your clients via a QBR, then they could be feeling – just by virtue of them paying you a fee every month – that your MSP is doing everything possible to protect their network from cyber-attacks and that they are completely safe. But if you know that’s not the case – if you know that they have gaps in their cyber-protection and resiliency coverage – then this perception needs to be corrected and corrected quickly. In all three of these lawsuits, it seemed apparent that these critical customer engagement meetings were not happening. The clients assumed that they were being properly protected by their respective MSPs, when they really weren’t.

In both the California and Maine cases, in the MSPs’ minds, these clients didn’t sign up for, nor did they agree to pay for, any type of cybersecurity protection coverage – so they didn’t think they were responsible for it. This resulted in the clients not being sufficiently covered despite thinking that they were.

The unfortunate truth is that all three of these court cases could have been completely avoided if these MSPs had been having regular QBRs with their customers. Because if these MSPs had been speaking to their customers on a regular basis then:

1. These risk conversations would have been happening
2. These potential security deficiencies and holes in the organizations’ cybersecurity protection coverage would have been uncovered
3. And these assumptions would have been dealt with before they translated into real problems with severe financial and reputational consequences for both the client and the MSP

So, if you are not having regular interaction with your customers and talking to them about their risk exposure, then as a final lesson here: Commit to reaching out to every one of your customers and start lining up meetings so you can have these critical risk and security conversations. And resist pre-objecting ahead of time and thinking, “Some of my customers will never buy into my security services so I won’t bother reaching out to them.” Be sure to connect with all of your customers, because there is no room for ‘assumptions’ when it comes to something as serious as an organization’s cybersecurity protection coverage.

If you are interested in learning more, then consider registering for my upcoming bootcamp Don’t Let Your MSP Become the Next Big Headline.  And I also encourage you download a copy of my new security e-book: Defend & Prosper: Maximizing the Cybersecurity Opportunity.

Stefanie Hammond is Head Sales and Marketing Nerd at N‑able. You can follow her on LinkedIn