Cybersecurity, liability, and your MSP

MSP cybersecurity providers can feel it is a foregone conclusion they have limited liability for security breaches and data loss when it happens to their clients. At the same time, it is not unusual for businesses who partner with a managed service provider to believe they are liable for any cyber incidents and will take legal action to recover costs for damages, loss of data, downtime, or legal fines. This isn’t a situation anyone wants to be in, and while a court case may not go in favor of the client, legal action is an expensive and time consuming process on its own. 

In this article, we will explain how MSPs can limit their liability and look at how cyber insurance helps 

Why do MSPs need to limit their liability?

Cybersecurity threats have increased exponentially in the last decade, and recent world events have accelerated the rate at which businesses find themself under attack. 74% of SMBs using or planning to use an MSP would take legal action against it if it were attacked. Working with your clients to establish proper service levels is the most effective and respectful approach. 

So what sort of liability cases could you find yourself defending legally? 

• Security breaches: this includes malware, breached firewalls, phishing email attacks, antivirus failures, etc. Your client may have not complied with security strategies and recommendations you have made, but they may still decide to claim your liability.
• Data loss: if recovery time or objectives were not met, loss of back ups, hardware failures, or particle data loss causes downtime, your client may seek damages for loss of revenue
• Compliance failures: any legislative requirements that are not met may result in your MSP being held liable, even if your client has not followed security or compliance advice.  

Overall, clients can decide to take legal action in the event any cybersecurity event occurs that causes a loss of revenue, future business, or other damages. Regardless of the level of cybersecurity services and solutions your MSP offers, it is important to be prepared to avoid spending thousands during a lawsuit, and more if you cannot prove limited liability.  

How to limit liability as an MSP?

MSPs are facing more risks today than ever before, especially when it comes to providing a managed security service to clients. It isn’t only cybersecurity and data privacy concerns, but compliance, technology, and vendor issues, as well as increased competition and maintaining business profitability. To retain customers and enhance customer satisfaction while remaining profitable and reducing risk, MSPs must take steps to limit their liability:

Service level agreements

Your contracts with clients, or the service level agreement, should contain provisions that safeguard you and establish your liability:

• Disclaim any responsibility for third-party hardware or software failures caused by vendors or manufacturers, who disclaim liability in their own terms and conditions
• Disclaim any hardware and software failures relating to backups, and require clients to retain local backups of business-critical data, which is vital as data loss and compromise are the highest risk factor for MSPs.
• Require clients to pay any ransom for their data, or pay for your remediation services as per your standard hourly rate, otherwise, you could be fixing the problem for free as per standard SLA agreement

Create refusal waivers

If your clients do not want to follow or comply with any risk management or security recommendations you make, they should sign a refusal waiver and all discussions about compliance and cybersecurity should be in writing. This will ensure you are unable to be sued for negligence or during compliance audits.

Insurance

It is vital for MSPs to have effective professional liability insurance. If a customer files a claim alleging negligence in the performance of a contract, your company is covered by professional liability insurance. MSPs can also guide their clients to purchase cyber liability insurance, which safeguards their data from cyber liability risks, regardless of the cause of a breach or loss. While this doesn’t directly limit your liability, it helps your clients in the event they experience any downtime or disruption. 

Security best practices

It goes without saying your MSP should be ensuring clients’ security posture is as robust as it can be. This includes implementing user access controls across networks, such as multi-factor authentication (MFA), zero trust security strategy that ensures only verified users are able to access networks, and continuous vulnerability scanning to detect vulnerabilities in the IT environment. 

In order for cybersecurity management to be effective and meaningful, security awareness training should be frequently undertaken, by all employees including executives and contractors, and including regular tests to ensure employees are aware of the latest cyber-threats and are informed about security protocols.

As time goes on, regulations and IT compliance are becoming more stringent, cybersecurity incidents are on the rise. While MSPs may simply want to provide their customers with the right cyber security services, it is important to consider liability and how to be best prepared. Robust cybersecurity management is key to protecting both your business and your clients. The ThreatAdvice Breach Prevention Platform enables MSPs to provide and oversee client cyber security in one simple comprehensive solution. ThreatAdvice also offers MSP partners a Breach Prevention Warranty option as an augmentation to cyber liability insurance. 

Speak to ThreatAdvice today about adding their world-class cybersecurity platform to your MSP security solutions.