Cyber security risk of customers is becoming a hot topic among MSPs. Recently, I have heard comments from some providers who have been struggling with customers that are demanding that their MSP take on very high levels of responsibility for cyber security incidents.
Some of the providers commented that they have clear terms in their SLAs that say “best effort only”. Others say they have cyber insurance as a backstop. This may be enough, in many cases, but is it really the best way to manage those risks?
But there will always be customers who don’t read the fine print before engaging in a confrontation when a security incident occurs. In addition, having cyber insurance is not a “get out of jail free card”, especially if you aren’t keeping your end of the agreement, as you may find that the fine print imposes requirements for training and other things that you may not be complying with.
Here are 6 ways you can work with your customers to avoid a confrontation or even legal liabilities for cyber security incidents:
- Review your own cyber insurance policy’s terms to ensure that you are doing what you need to in order to avoid having a claim denied.
- Advise each customer to do the same, and if they insist on holding your MSP liable for any damages, make sure your own insurance coverage will cover it (and again, make sure you can comply with requirements).
- Don’t lie in your insurance applications or claims, as more insurance companies are becoming stricter on proving you have complied with requirements.
- If the insurance company offers free cyber security awareness training for your end-users, make sure you make the most of it, if possible. If that training seems inadequate, or if they don’t offer any, ask if you can get a premium discount from putting a more effective gamified awareness program from Click Armor in place.
- Document all potential cyber security incidents, and involve the customer’s top management as soon as it is ascertained that it may have been caused by a customer’s employee.
- If a customer asks your MSP to take on complete responsibility for cyber security, tell them that security is a joint responsibility, at best. The customer must own their corporate policies, which will have a major impact on their own risk. An MSP can’t take on all security responsibilities. But you can offer to review and suggest updates to their entire set of corporate policies, to reduce risks (and adjust your price accordingly, to allow for this effort). If they don’t have a set of corporate policies, you should have a set of policies on the shelf that you can provide as a baseline.
Remember, as tempting as it may be to agree to accept responsibility, if you don’t control the customer’s policies, you have little control over what end-users might do to put business systems at risk.