Cyber security risk of customers is becoming a hot topic among MSPs. Recently, I have heard comments from some providers who have been struggling with customers that are demanding that thei MSP take on very high levels of responsibility for cyber security incidents.
Some of the providers commented that they have clear terms in their SLAs that say “best effort only”. Others say they have cyber insurance as a backstop. This may be enough, in many cases, but is it really the best way to manage those risks?
But there will always be customers who don’t read the fine print before engaging in a confrontation when a security incident occurs. In addition, having cyber insurance is not a “get out of jail free card”, especially if you aren’t keeping your end of the agreement, as you may find that the fine print imposes requirements for training and other things that you may not be complying with.
Here are 6 ways you can you can work with your customers, to avoid a confrontation or even legal liabilities for cyber security incidents:
- Review your own cyber insurance policy’s terms to ensure that you are doing what you need to in order to avoid having a claim denied.
- Advise each customer to do the same, and if they insist on holding your MSP liable for any damages, make sure your own insurance coverage will cover it (and again, make sure you can comply with requirements).
- Don’t lie in your insurance applications or claims, as more insurance companies are becoming stricter on proving you have complied with requirements.
- If the insurance company offers free cyber security awareness training for your end-users, make sure you make the most of it, if possible. If that training seems inadequate, or if they don’t offer any, ask if you can get a premium discount from putting a more effective gamified awareness program from Click Armor in place.
- Document all potential cyber security incidents, and involve the customer’s top management as soon as it is ascertained that it may have been caused by a customer’s employee.
- If a customer asks your MSP to take on complete responsibility for cyber security, tell them that security is a joint responsibility, at best. The customer must own their corporate policies, which will have a major impact on their own risk. An MSP can’t take on all security responsibilities. But you can offer to review and suggest updates their entire set of corporate policies, to reduce risks (and adjust your price accordingly, to allow for this effort). If they don’t have a set of corporate policies, you should have a set of policies on the shelf that you can provide as a baseline.
Remember, as tempting as it may be to agree to accept responsibility, if you don’t control the customer’s policies, you have little control over what end-users might do to put business systems at risk.
Cyber Security
Phishing Defense
Phishing threatens businesses and opens the door to ransomware. Fight phishing and spear phishing attacks with gamified learning.
Social Engineering Defense
Social engineering scams are a serious hazard to businesses. Fight back with Click Armor.
Cyber Security Awareness for Remote Workers
Home-based workers are vulnerable to cyber attacks. Build team immunity today.
Privacy and Compliance
PCI Compliance Awareness
When team members work in an environment where they may encounter cardholder data, they need to know what to do to protect it.
Gamified HIPAA Compliance Awareness
If your business is a supplier to a healthcare provider in the USA or Canada, your team needs to know what to do to protect Protected Health information (PHI).
Gamified Learning Platform
Active Awareness Platform
Experience the power of tailored gamified learning with Click Armor. Take your security awareness training to the next level.
