A Response from the MSP Profession Concerning Cyber Attacks
A Position Paper on Public Policy, Legislation, and Private Sector Changes Needed to Fortify Cybersecurity, Managed Service Providers, and Their Customers
By Charles Weaver & Robert Scott
Introduction
Over the past few years, the rate and severity of cyberattacks against all organizations has risen significantly. While the origins, methods, and targets of these attacks vary, we are all vulnerable to cyberattack. The recent ransomware attack involving managed service provider supply chain vendors raises a unique issue involving the professional managed service provider community. These questions involve IT security and the legal implications when large scale cyberattacks cause injuries to services providers and their customers.
Managed Service Providers (MSPs) are the front line of defense in the global war against cyberattacks and cybercrime. Whether it is ransomware gangs out for profit or state sponsored hackers attempting theft of information, intellectual property, and other intelligence, MSPs often find themselves as the sole guardians against these attacks, often the only entities protecting their customers who have little or no cybersecurity resources. The recent attacks on MSPs and their supply chain vendors proves the importance of MSPs in the global cybersecurity battlefront. The attacks also reinforce the need for updated and effective public policy measures to counter these threats and support the frontline MSP defenders.
Since the advent of cloud services and the proliferation of IT in all sectors of public and private enterprise, the MSP industry has been struggling to answer the following questions: what obligation do supply chain vendors have in the delivery of managed services, and is the current market risk balancing model, as evidenced by the contracts between vendors, MSPs, and end-user customers, equitable and serving the public.
We believe that the current approach to risk balancing among the vendor, service provider and end-user customer needs to be re-examined. This flawed approach has placed too much risk onto the MSP and does not provide an equitable distribution of risk amongst all the relevant parties.
Cyber Risks to MSPs & Customers
As guardians of the IT universe, MSPs regularly find themselves standing in front of cyber attackers desirous of accessing and/or stealing customers information. MSPs have a risky job but they do it anyway. Small and medium organizations (even larger enterprises) who cannot do everything internally, frequently find that the MSP is the best solution to handling the increasingly challenging world of IT management and cybersecurity.
MSPs absorb these natural risks as part of their daily operations. What MSPs should not have to bear is the breach of their “downstream” supply chain vendors with no regard to the impact on the MSP or the MSPs’ customers. In the case of RMM Vendor, all the impacted MSPs were innocent victims in this attack.
When the legal agreements state that the MSPs shall bear much of the burden, even when the vendor supply chain was at fault (or if not at fault, certainly responsible for the remediation of the attack), we have an industry wide problem that must be addressed.
MSPs must be able to have reasonable participation from their vendors when apportioning culpability or responsibility for cyberattacks which involve MSPs and their clients.
An Industry Response from MSPAlliance
Besides the work it does in certifying and educating the global cloud and managed services profession, MSPAlliance has deep history of working alongside the hardware and software vendor community so they might better understand and serve MSPs. While the vendor community that serves MSPs and customers has a lot at stake, the managed services profession must reassess the balance of risk currently at work between vendor, MSP, and customer.
Towards this goal, MSPAlliance is currently evaluating feedback from its global membership along the following areas:
- Enhance penalties for attacks on MSPs and their clients
- Cyber liability insurance guidance for MSPs, customers, and vendors
- Standardized contractual guidelines for MSPs and vendors
- Certification and audit of vendor cloud environments and platforms used by MSPs
- Greater vendor transparency concerning cloud security, resiliency, and remote access
MSPAlliance has articulated the following positions in order to help legislative and public policy professionals understand the threats facing the managed services community and the customers they serve. Furthermore, these positions can be used to codify legislation and public policy guidelines to better serve all private and public sectors involved in the cybersecurity fight.
Enhanced Penalties for Attacks on Managed Service Providers and Their Clients
MSPs are both protectors of customers data and IT assets, as well as counselors in matters of cybersecurity and general IT management. The attacks on MSPs and their supply chain vendors is ultimately an attack on the customers protected by the MSPs. Some of these customers are banks, public agencies, governments, as well as private sector businesses.
To curb these cyberattacks MSPAlliance advocates for enhanced penalties for those individuals and entities who participate in cyberattacks against MSPs and high profile or sensitive infrastructure customers. MSPs who protect customers in critical industries such as banking, financial services, healthcare, energy, or any entity whose access to sensitive infrastructure or data would represent a national threat.
In essence, by increasing the repercussions of attacking MSPs and their sensitive clients, we can dramatically call attention to this profession and warn future actors against such foolhardy actions.
Cyber Insurance Coverage Across MSP and Customer Environments
Insurance plays a vital role in the equitable spreading of risk between all parties participating in the managed services ecosystem: customers, MSPs, and technology vendors. Without effective and affordable cyber insurance, businesses and organizations will be forced to seek other means of balancing risk within their IT management relationships.
For many years, the professional managed services community has relied on affordable and accessible cyber insurance. Today, cyber insurance is becoming increasingly inaccessible and costly for the average MSP and customer. This trend must be reversed.
There are several reasons behind these trends but what is important is that we seek out a path forward to resolving these problems before they worsen. One of the reasons behind both the rising costs and the increasing scarcity of cyber policy coverage is the lack of a consistently applied underwriting standard. Insurance companies are NOT experts when it comes to cyber practices and as such, do not fully comprehend what their risk exposure is when it comes to payments made on claims to a cyber insurance policy. Many of the so-called “MSP” breaches in recent years have not even involved true MSPs. Rather, these cyber incidences and claims arise from reactive or break/fix providers who merely respond to cyber incidents rather than proactive managing and safeguarding against them, which is what true MSPs do.
There are numerous IT and cybersecurity standards, including MSP specific standards such as MSP Verify. MSPs need the ability to demonstrate to insurance carriers that they are a qualified MSP and that the services being delivered to their customers are also within the accepted normative behavior of the global managed services professional community. Such a demonstration would allow the cyber insurance community to quickly assess, approve, and underwrite cyber policies for the MSP, and assign market acceptable premiums.
Once we have the majority of MSPs insured, then we can turn our attention to the customers. Today, there is a serious rise of cancellations or premium increases amongst end-user organizations (i.e., consumers of managed services), in part due to the increase in cyber-attacks, but mostly due to the lack of cyber best practices being practiced by the organization. It is important to note that this lack of cyber hygiene is NOT a result of MSP, but instead, due to the organization refusing to implement baseline cyber security and IT management best practices. Implementing these best practices would result in an immediate decrease of successful cyber incidents (privacy and security incidents) and also a decrease in cyber insurance claims and payouts.
Cyber insurance that is affordable, comprehensive, and accessible, can be a reality in the near future. All we need is application of existing cyber standards and effective communication (i.e., transparency) of those standards in order to achieve this goal.
Standardized Contractual Guidelines
MSPs cannot perform their work without the vendor community. In this regard, MSPs and vendors share a deeply symbiotic relationship that must be maintained. The relationship, however, must be rooted in trust, transparency, and shared risk. Only through such a construct can the end-customer receive the maximum benefit and cyber security effectiveness of this thing we call managed IT services.
Standardized Managed Services Contracts
The recent MSP supply chain vendor attacks have highlighted a longstanding issue within the IT channel and MSPs specifically: namely, the unilateral transference of risk from the vendor onto the MSP and their customers.
The vendors accomplish this low-risk position by incorporating the following provisions into their contracts:
Customer Data – by defining customer data as the data that belongs to the MSP and its Users and allocating all risk to the MSP,
For Example:
…except for RMM Vendor’s gross negligence or willful misconduct, RMM Vendor shall not be responsible or liable for the unauthorized access to, alteration of, or deletion, correction, destruction, corruption, damage, loss or failure to secure or store Customer Data. Licensee acknowledges and agrees that it bears sole responsibility for adequately controlling, processing, storing and backing up its Customer Data.
Indemnity – by requiring the MSP to Indemnify the vendor for all claims brought by end-user customers regardless of if claims arise from Vendor’s negligent acts.
For Example:
Licensee agrees to defend, indemnify, and hold harmless each of RMM Vendor, its affiliates and respective officers, employees, consultants, shareholders and representative from and against any and all claims, liabilities, damages, and/or costs (including attorneys’ and expert witness fees, costs and other expenses) arising out of or related to: …(c) any claims by any of Licensee Customers (except claims of infringement or misappropriation arising solely from use of the Software as provided under this Agreement), or arising out of or relating to Licensee’s relationship with any of Licensee Customers; or (d) Customer Data.
Warranty – by disclaiming any warranty that the solution will adequately protect customers data.
For Example:
FURTHER, RMM Vendor DOES NOT WARRANT RESULTS OF USE, THAT THE SOFTWARE IS BUG FREE OR THAT THE SOFTWARE WILL PROVIDE ANY PROTECTION AGAINST VIRUSES OR ANY NETWORK INTRUSION OR SECURITY BREACH
Limitation of Liability – by excluding the most common types of damages for business interruption due to ransomware all together and limiting all other claims to 6 months of service fees.
For Example:
FOR ANY INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF PROFITS, LOSS OF USE OR DATA, DAMAGE TO SYSTEMS OR EQUIPMENT, BUSINESS INTERRUPTION OR COST OF COVER) IN CONNECTION WITH OR ARISING OUT OF THE DELIVERY, PERFORMANCE OR USE OF THE SOFTWARE, DOCUMENTATION, ANY OTHER MATERIALS PROVIDED BY RMM Vendor OR OTHER SERVICES PERFORMED BY RMM VENDOR, WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE AND STRICT LIABILITY, EVEN IF RMM Vendor HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES). YOU ACKNOWLEDGE AND AGREE THAT RMM VENDOR WOULD NOT ENTER INTO THIS AGREEMENT UNLESS IT COULD RELY ON THE LIMITATIONS DESCRIBED IN THIS PARAGRAPH.
Example of language limiting liability for direct damages:
(I) FOR ANY AMOUNTS IN EXCESS IN THE AGGREGATE OF THE FEES PAID TO IT BY LICENSEE FOR THE SOFTWARE LICENSED HEREUNDER DURING THE SIX-MONTH PERIOD PRIOR TO THE CAUSE OF ACTION,
When it comes to security, the financial incentives and risk balancing should be structured to yield the best results (for all parties) from the vendor. Vendors with broadly sweeping limitations of liability lack the financial incentives to invest heavily in safeguarding end-user customer data. Shifting all the risk to the MSP, including for the vendor’s own negligent acts or omissions, has been a recipe for disaster. Proper contracting requires transparency and alignment between all parties including the vendor, the MSP, and the end-user. Done correctly each party takes responsibility for that which is within its control and no parties are left without a meaningful remedy or carrying too much of the risk. Done properly, professional liability insurance should be the primary risk transfer mechanism with each provider carrying their own policy that protects its customers. For added protection, end-users should carry their own first party cyber-insurance policy to avoid getting caught in the middle of a finger pointing contest among service providers and vendors.
Vendor Certification
MSPs have been accustomed to demonstrating transparency and compliance to customers for many years now. Programs such as MSP Verify have long been in place to accomplish this communication to customers and their compliance officers, often confirming compliance and other security practices necessary to engage in a managed services relationship.
The time has come for vendors who are part of the managed services supply chain to also demonstrate transparency and compliance. MSPs often have to request compliance documentation from their vendors as part of their certification and audits as their risk now undeniably emanates from (in part, at least) their vendors.
MSPs do not seek any different form of transparency and compliance than they themselves undergo. The existence of such a vendor certification would significantly improve the ability of MSP and customer alike in understanding where the risks are and how they can be mitigated.
Vendor certification differs in some key areas from MSP certification primarily because vendor organizations do not all look the same and because many are software based, their risks can differ significantly from other software companies. Vendor certification (within the confines of managed services supply chains) must focus on unique risks (which are common across the MSP vendor ecosystem) related to downstream risk to the MSPs and their clients. Remote access capabilities, for example, are a common feature amongst MSP vendor tools and must be safe for the MSP to use.
Conclusions
The principles articulated in this paper are not difficult, nor are they unachievable; they are, however, necessary and must be enforced if we hope to achieve these stated goals.
The combination of cyber insurance, public policy guidance discouraging attacks on MSPs and their customers, the restructuring of existing and inequitable risk transference amongst technology vendors, MSPs, and customers, are all within our reach and must be prioritized if we are to achieve any semblance of cyber stability and defense.
The stakes are too high for us not to act. Public and private sector entities must rely on this valuable ecosystem of cyber security and IT management professionals to maintain all that we currently possess. Our banking systems, healthcare, law enforcement, public works, governmental bodies, transportation, communications, and many other sectors all rely heavily on MSPs. The managed services profession is vibrant, strong, and ready for the challenges ahead. What MSPs need now is the backing of legislative and policy makers to understand, accept, and act on this imperative by supporting the aforementioned items in whatever way they deem possible. If this happens, our collective cyber defense will remain strong.