When channel professionals discuss protection, the conversation typically centers on data and the systems that store or transmit that information. In the era of ransomware and other cyberattacks, there is a natural tendency to focus on measures and tools that keep MSPs and their clients safe from IT-related threats.
One of the less-discussed concerns is your legal liability. With MSPs the direct target of cybercriminals, SMBs relying on your security expertise to protect their systems, and attacks escalating against all organizations, your firm’s risks are rising exponentially. Financial ruin for you and your clients is a distinct possibility if you aren’t taking the appropriate steps to secure every system, back up and protect all the data, and limit your legal liabilities.
That last point is crucial. We live in a highly litigious society today. No matter how well you secure information and critical infrastructure, if someone (or something) finds a way to get into a client’s systems, you might get the blame. Worse yet, if cybercriminals gain access through your network, expect to be put through the wringer. The costs, from both a public relations and legal perspective, could be astronomical and threaten your company’s very existence.
That’s because security is a matter of trust. When companies sign up with your firm, they expect complete protection for their business and assume that your team, as cybersecurity experts, is following similar, if not tougher, practices in every part of the operation. When a client gets hit with ransomware or a cyberattack through your compromised systems, their trust fades away rather quickly.
Despite the rising threats, there is hope for MSPs. Careful preparation on the business end of your operations can lessen liability concerns considerably. That’s why providers should always seek legal advice from attorneys who understand the MSP business model, appreciate the threats against your company and clients, and know how to minimize your liabilities in the event of a cyberattack. Those professionals are an invaluable resource for protecting your company, no matter how strong your skills on the technical side.
Whether working exclusively with a law firm with strong IT services expertise or just having them review and amend documents created by a local business attorney, MSPs need that type of oversight today. Good counsel will address potential issues in good times and cover your backside if things go bad.
Those professionals help keep your business safe from potential lawsuits and bureaucrats (think regulatory compliance) regardless of the threat landscape and legal environment. Think of them as a firewall for cybersecurity experts.
The Devil’s in the Details (of Your Agreements)
A key reason for working with IT-experienced attorneys is their understanding of professional services delivery and the documents that outline the various responsibilities of MSPs and their clients. The “legalese” in customer agreements could determine if your company continues to thrive, let alone survive, after a cyberattack.
That’s a major reason for updating your managed services-related documents. “Companies that have old, outdated agreements in place are sometimes in worse (shape) than companies with no agreements in place,” suggests attorney Brad Gross. In a November podcast with the IoTSSA team, the long-time channel advocate with years of experience supporting IT services firms offered up a number of ways for MSPs to minimize their cybersecurity-related liabilities.
For example, any promises you make, whether explicit or implied, must be based in reality, not marketing prowess. “You can be confident, but your confidence needs to be based on both tangible and intellectual honesty,” adds Gross. “The way to achieve that is to have agreements in place that manage customer expectations, and then have the technical background and ability to perform under those contracts.”
A poorly constructed MSA (master services agreement) or SOW (statement of work) can increase your liability. Without getting too deep into the details, the language in these documents can leave your firm open to litigation in the event of a breach or malware attack. Knowing what to put in and what to leave out are decisions best left in the hands of trained legal professionals.
Get more great tips on minimizing your MSP’s cybersecurity liability and improving other areas of your IT services business. Listen to Brad Gross’ podcast episode and subscribe to the series to receive future episodes of IoTSSA’s Secure Connections.
Brian Sherman, Content Director, IoTSSA