
MSP Cybersecurity Lawsuit: 7 Ways MSSPs, MSPs Can Protect Themselves


Last week, MSSP Alert published a story about a small MSP in Sacramento, California being sued by a small law practice after the firm was hit with a ransomware attack that shut down its systems.

The suit alleges there was no contract between the two companies, only an oral agreement and a handshake.

In the MSSP and MSP community, it is believed to be the first lawsuit of its kind.

Can MSSPs and MSPs be found liable if their customers suffer a cyberattack? Where are the lines drawn on the responsibilities of each party? What can MSSPs and MSPs do to protect themselves from liability?

Guidelines to Avoid Legal Trouble

Eric Tilds is the founder and managing partner of the Law Offices of Eric Tilds. Tilds was a partner in regional MSP Netarx until it was acquired in 2011 by Logicalis, a publicly traded multi-billion dollar managed service provider. Tilds served as chief legal officer of Logicalis until he started his own firm in 2021.

Tilds offered the following seven guidelines for how MSSPs and MSPs can protect themselves from liability if their clients experience a cyberattack.

Here are seven must-do’s for MSSPs and MSPs to lock down their engagements with customers:

1. Any MSP that does business without a signed written agreement is asking for trouble. And a well-written MSA (master service agreement) isn't enough. You need a solid managed services statement of work (SOW) with specific language around what the MSP is going to do, what they're not going to do, and the customer's responsibilities.

2. There should be language in the SOW indicating that not all security incidents are preventable. The MSP could be doing everything right and there could still be a security incident; that's not the MSP's fault.

3. This lawsuit is why MSPs should require their customers to carry cyber liability insurance. I haven't reviewed the pleadings in this case, but it looks like the law firm did not carry sufficient insurance.

4. Too many times, customers see the MSP as their insurance policy. If I had a nickel for every time I heard a customer say, "I'm hiring you [MSP] to protect me. I don't need cyber insurance."

5. This should be a wake-up call to all MSPs to reach out to their own insurance broker today to make sure they are adequately covered from an E&O (errors and omissions)/professional liability perspective. Make sure the broker knows exactly what the MSP does for their customers, and make sure it's in writing. If there's a claim down the road that their insurer will not cover, the MSP might have a claim against their broker.

6. Not all business is good business. If your customers won't sign a contract, should you still do business with them? What if they won't obtain cyber liability insurance? MSPs should not be afraid of walking away from customers that pose too much risk.

7. Be aware of reputational harm. This MSP's name is all over the news, and not in a good way. All press is not necessarily good press. Even if they've done nothing wrong and have great insurance to cover claims like this, it's too late.

Lessons Learned

It’s important to remember that businesses often don’t know what they don’t know about cybersecurity, such as the fact that no security solution is airtight enough to guarantee an organization won’t experience a cyber event at some point.

There are a lot of strong, smart defenses out there, but that is no guarantee an organization won’t experience a breach. The question for MSSPs and MSPs is how to put your best foot forward in an engagement.