Cyber Insurance and other legal tips to protect your MSP business

MSPs face the same risk of cyberattack as any other business, but as service providers they may have more to lose: if a customer is breached, the MSP can end up carrying the cost.
MSPs could be held responsible for the costs of a customer's breach if they have neither cyber insurance nor contractual provisions protecting them.
Panelists at the CompTIA 2022 EMEA Member & Partner Conference said that MSPs need to be prepared for a breach at a customer and to ensure both sides know where they stand in case of such an event.
Cyber insurance is the most direct way to limit that exposure. But is the premium worth it? According to moderator Courtney Fong, CompTIA COO, and two legal experts, Richard Nicholas, a partner at Browne Jacobson LLP, and Stuart Davey of Pinsent Masons, it is.
CompTIA’s UK Legal Playbook has been released to assist MSPs. It contains 10 sections of expert advice on topics such as data protection and setting up an MSP business. The playbook complements Legal Resources for Tech SMBs, which was launched last year for U.S.-based businesses.
Davey said that the main benefit of a cyber insurance policy is peace of mind, because it gives access to expert advisers in the event of a cyber-attack. “Managing a cyber-attack response can be very costly, so it is important to have cost certainty in a crisis situation.”
MSPs are at significant financial risk
Surprisingly, however, the panel noted that cyber insurance policies do not cover regulatory fines. That cost falls on the breached business itself, and it is worth keeping in mind when drafting service contracts: the customer may well come after the MSP to recover the fine.
This can happen even when the MSP, as supplier, is not at fault and has taken every reasonable precaution to protect the customer.
Nicholas said that MSPs can be fined by the ICO, and can also be held liable to customers and face third-party claims. “A customer will try to pass the blame on to their supplier for any breach. Therefore, unless it is in your customer contract, you must cooperate and take the risk of being held responsible.”
Nicholas added that many insurance policies will cover ransom payments, although individual insurers may take different views.
Shore Up All Service Contracts
The legal experts advised that MSPs cannot be too specific when drafting customer contracts, given the exposed position they may find themselves in if a customer is breached.
Nicholas said, “Make sure you have a contract that outlines who is responsible for security patches and backups.” “If you don’t include this in your contract, the customer could assume that it is your responsibility and make you liable.”
Davey said, “It would be smart to have a listing of services you are providing in the contract and a list that you are not. A customer might expect patches or backup, but if it isn’t in the contract, they could have an argument.” The clearer the contract, the better protected the MSP is if something goes wrong.
Nicholas said that the gold standard to aim for is certainty in the customer agreement.
You can also take other steps to protect your business
MSPs can also take other steps to avoid a potentially crippling penalty. These include running training and awareness programmes for employees, and maintaining a Record of Processing Activities (ROPA) so that, after a breach, the MSP can quickly identify which data was affected and answer the regulator’s questions.
If a customer declines a service or a piece of advice, document the refusal. That record is the MSP’s evidence if a breach later follows.
As the saying goes, “forewarned is forearmed”: in relation to possible litigation over cyber breaches, being prepared for any eventuality lets the MSP show resilience under extreme adversity.
Davey concluded that it is a matter of when, and not if, a breach occurs. “Do you have the right people to call when it happens?”
Nicholas stated that ultimately, it was about reputation. “Companies lie”