How Can MSPs Avoid The Next $1M Lawsuit
It was bound to happen, and it will happen again. A law firm relied on its Managed Service Provider (MSP) as its outsourced IT department. The firm became the victim of a ransomware attack and has now sued the MSP for "at least" $1M in damages to cover the ransom payment, incident remediation costs, and lost revenue.
Which leads to the question all MSPs should be asking: "How can we protect ourselves?"
1) Have a written contract with your clients that clearly spells out the services you are providing. Don't assume that clients will know that you are not confirming their data protection or other compliance requirements just because you installed a firewall and you provide help desk support to their users.
This MSP had an oral contract, which puts them in a much more difficult position if they made recommendations that the law firm did not follow.
2) Include requirements that protect you and the client, such as:
3) Advise clients to align to a recognized cyber framework.
Why? Suppose you require them to obtain commercial coverage and meet the other requirements above. What if they have an incident like the law firm did, file their insurance claim, and the claim is denied because they didn't meet the data privacy requirements for their state, or lacked some other protection, such as regular cyber testing or staff training, that the insurance carrier claims is needed to provide "reasonable" protection of the data?
It's time MSPs make it clear to clients that cybersecurity and compliance must be ongoing initiatives, and that clients are accepting all risk if they do not follow a recognized framework.
Don't go it alone. We're here to help with SIEM/SOC-as-a-Service, ongoing managed autonomous testing, and managed compliance to fill in any gaps and provide separation of duties and protection for your clients and for you.