
Are Your MSP’s Assets Adequately Protected from Cyberattacks?


IT service providers spend a lot of time discussing protection. Whether consulting with clients or developing plans to boost internal defenses, those conversations often center on data and the systems that store or transmit critical and sensitive information. With cybercrime on the rise, many technologists are inclined to invest in more solutions and implement measures that will help keep providers and the businesses they support safe from IT-related threats.

While those defenses are critical, MSPs must look closely at legal liabilities associated with those IT ecosystems. Cybercriminals are directly targeting IT services companies since they hold the “keys to the kingdom,” with access to clients’ networks, business systems and, by default, their data. SMBs rely on MSPs’ security expertise to protect those assets. With the escalating attacks on organizations of every size and mission, the threat vectors are continually shifting and evolving.

The financial costs of a cyber failure are too big to ignore. Unfortunately, some SMBs are not taking the appropriate steps to secure every system, perform regular backups and protect all their important data. The lack of an effective cyber defense significantly increases their legal liabilities.

That last point is essential. No matter how well MSPs lock down information and secure critical infrastructure, if someone (or something) finds a way to get into a client’s systems, the provider will likely take some, if not all, of the blame. In a highly litigious society, that exposure can damage, if not cripple, a small business. Worse yet, if cybercriminals gain access through a provider’s network, the provider can expect other clients and prospects to scrutinize its practices. The costs, from both a public relations and legal perspective, could be enormous and threaten the MSP’s viability.


Because cybersecurity is a matter of trust. When companies sign up with an MSP, they expect that team to provide complete protection for their businesses and assume, as cybersecurity professionals, they will implement industry best practices across every part of their operation. If even one client becomes the victim of ransomware or a cyberattack, especially through a provider’s compromised system, the trust may erode quickly.

Cover the Risks

Despite the rising threats, there is hope for MSPs. Careful preparation on the business end of an IT service firm’s operations can lessen those liability concerns considerably. That’s why providers should always seek legal advice from attorneys who understand the MSP business model and appreciate the threats against your company and clients. Those professionals should have the know-how to minimize the firm’s liabilities in the event of a cyberattack and work collaboratively with insurers to support the best interests of providers and their clients. An IT services-skilled attorney will be an invaluable resource to prevent things from going sideways.

Consulting with someone with extensive expertise supporting the legal needs of MSPs provides peace of mind. A good tech attorney can craft, review or amend services contracts and master agreements and offer guidance on a variety of industry-specific issues, as well as general business processes and policies. MSPs need that type of oversight today. Quality counsel will proactively address potential issues before they become problems and minimize the exposure when things go bad.

Those professionals help keep an MSP safe from potential lawsuits and bureaucrats (think regulatory compliance) regardless of the threat landscape and legal environment. Think of them as a firewall for cybersecurity experts.

The Fine Print Matters

A key reason for working with IT-experienced attorneys is their understanding of professional services delivery and the documents that outline the various responsibilities of MSPs and their clients. The “legalese” in customer agreements could be a major factor in whether the firm continues to thrive, let alone survive, following a cyberattack.

That’s a major reason for updating your managed services-related documents. Attorney Brad Gross, a recognized authority in IT services law, suggests that companies with antiquated agreements may find themselves in worse shape than those without contracts.

“The devil is in the details,” he emphasizes. His recommendation to MSPs is to partner with a proven IT attorney to review and strengthen their critical business documents to minimize cybersecurity-related liabilities. For example, any promises IT services providers make, whether explicit or implied, must be based on reality, not marketing prowess. “You can be confident, but your confidence needs to be based on both tangible and intellectual honesty,” adds Gross. “The way to achieve that is to have agreements in place that manage customer expectations, and then have the technical background and ability to perform under those contracts.”

A poorly constructed MSA (master services agreement) or SOW (statement of work) can increase your liability. The language in these documents can expose an MSP to litigation following a breach or malware attack. Knowing what to put in and what to leave out are decisions best left in the hands of those properly trained to deal with those legal concerns.