Right of Boom
October 22, 2024

Cover Your Breaches (rescheduled due to Hurricane Milton)

The world of managed services is advancing rapidly, but with new cybersecurity offerings comes increased legal risk. On a recent Cyber Call, experts broke down a real-world legal battle involving LandTech, an MSP sued by a client following a ransomware attack. The client—without cyber insurance—alleged LandTech failed to protect them, despite vague agreements and unclear expectations. The lesson? Clients often assume “the MSP is responsible,” and that assumption can turn into litigation.

Attorney Eric Tills emphasized that traditional Master Service Agreements (MSAs) and Statements of Work (SOWs) are no longer enough. Contracts need to be specific, comprehensive, and legally sound. Critical components include bold, conspicuous limitation of liability clauses, clearly defined service scopes, and detailed responsibilities—what’s included and what’s not. Contracts should also include favorable assignment terms, intellectual property ownership clauses, and, increasingly, client insurance requirements. Requiring clients to carry cyber liability insurance protects both sides and elevates the seriousness of the engagement.

Vague language in SOWs can leave MSPs exposed. Saying “we manage your backups” means little if it doesn’t explain off-site storage, RTOs, and frequency. Be detailed. Meanwhile, cyber insurance isn’t optional anymore—it’s a vital risk transfer tool. Reid Welock of Fifth Wall Solutions explained how the right policy can cover incident response, legal fees, and client support, while also pushing clients to improve their own cyber maturity.

Not every client is worth the risk. If a business refuses to take basic security measures or invest in insurance, you may need to walk away. You can’t carry their liability. If a crisis hits—like an FBI alert—you’ll want to notify the insurance carrier immediately, align with legal advisors, and document every action.

The key takeaways for MSPs are clear: keep contracts up to date and specific, encourage or require client cyber insurance, clearly define service responsibilities, and partner with legal and insurance experts. These steps can protect your MSP from unnecessary liability, improve client trust, and build a more resilient business foundation.

Guests

Andrew Morgan
Gary Pica

Video Transcript

All right. Welcome, welcome, welcome, everybody. Uh, we'll give this a few minutes, as always. Uh, let me just, uh, welcome everybody in chat. Let me know if, uh, you can hear us and see us. Okay. I, okay. Welcome everybody. Okay, Eddie. Thanks for letting us know. And can you see the, Eddie, can you see the, um, visual, by the way, the, uh, the PowerPoint moving?

Just want to confirm that's the first time, um, I've uploaded a PowerPoint into this, so I just wanna make sure you can see it moving okay. As well. Oh, hey, Jason. How are you? All right, sounds good. Alright. Just give it another minute or so. Jeff, wonderful to see you. Hope everybody is doing well. And, um, from Tampa, Florida here, I'm hoping we are done with hurricane season as I look outside.

And, uh, uh, we'll, we'll, uh, we'll, uh, be into the, uh, kind of holiday season without the hurricane. So, alright, so, um, let's get, let's get going as people start to come in here. My name's Andrew Morgan. I'm the host of this event. Uh, if you've heard of the Cyber Call or Right of Boom, we're bringing this event to you. I'm joined today with, uh, two awesome people, uh, Eric Tills and Reid Welock.

Um, and we're gonna be talking today, um, about, you know, specifically, uh, in setting the stage with a, a kind of a landmark case, I would say, Eric, um, of maybe what, what to avoid, uh, for lack of a better word, as an MSP and, and how you can get yourself and find yourself in hot water. Um, and so Eric's gonna set the stage and, and after intros, but I'm gonna kind of just set the agenda here.

Eric's gonna, you know, paint this picture of what happened to this company, this MSP in California, what went on with their client. From there, we're gonna kind of talk about what I like to call Eric a left-of-boom attorney. Um, you know, what things should you be doing ahead of time so you don't end up in a bad situation like this law firm did.

And then we've got Reid Welock with us, president of Fifth Wall, because a lot of what goes into this preparation is not just legal, but it also comes down to what you have on the insurance side as well. So, decent way of setting the stage there, Eric and Reid. Yeah, Of course. Absolutely. Love it. All right. So, Eric, welcome. Uh, tell us a little about yourself and, and what you do. Yeah, Thanks. Thanks, Andrew. I'm, uh, I'm happy to be here. So I am an attorney.

Uh, I've been practicing for 26 years. 25 of those years has been exclusively for technology companies. And 13 of those 25 years was for my own technology company. Uh, back in the late nineties we started, it wasn't an MSP because MSPs weren't a thing back then, but, um, started a VAR, became a systems integrator, and then sort of turned into an MSP from there. Um, you know, fast forward 13 years later, we had grown to about 240 employees.

Uh, we exited the company, um, to an organization called Logus, which is a global IT service provider, uh, based in South Africa. Um, I went to work for Logus as their general counsel, their chief risk officer, their head of information security and compliance, their corporate secretary. Essentially everything that rolls up through risk, anything involving risk, rolls up through me. Uh, spent about eight and a half years before starting my own firm, uh, where I represent primarily MSPs and MSSPs.

Awesome. And Reid, awesome. Great to have you with us as always. Oh, it's great to be here, Andrew. Yeah. Um, yeah, quick, quickly about myself. So I'm, I'm the, I think the resident cyber insurance nerd here. I, um, I've been doing cyber risk management for almost a decade, and, uh, I'm part of a company called Fifth Wall Solutions, where we specialize in cyber insurance and also tech E&O, which we'll talk about, uh, I know, uh, later today.

Um, big part of what we do is just help provide more transparency to what's going on and, uh, really leverage what cyber insurance is doing almost from a, like a framework perspective and bringing that into kind of proactive tools and measures that MSPs can utilize and, um, kinda take advantage of. Um, so we're big on education, and we're a phone call away if anyone ever needs a cyber insurance nerd. And you guys have done a great job, Reid. How many, is it like, about four, four years-ish now?

Five years that you guys Yeah. Really? Yeah, we, we, we, we've, when we pivoted into working with MSPs, it was in late 2021, so, um, and it's, it's gone by really fast. Yeah. You guys have done a, a phenomenal job and really helped out a lot of people, and I, I think really matured this whole facet of the, of the industry for MSPs.

So, um, so Eric, um, I love this cartoon, but can, can you kinda level set about this case, I don't know if you call it a landmark case, but this, this case of this MSP that's gotten themselves in some hot water. Ha, kind of just unpack it for us, if you will, Yeah. So there is an MSP in Sacramento, California, and I'll preface this by, I don't represent the MSP, I don't represent their, their customer anywhere, anywhere else. I just have access to the same information everyone else has.

But, um, but the MSP is called LandTech. They're in Sacramento, California. Um, they, um, at least were involved in some litigation with a former customer of theirs. As I understand it, this customer, which is a relatively prestigious local law firm in Sacramento, um, they had a security incident. They had a ransomware attack, and they, uh, they paid the ransom because they did not call Reid. Uh, they were not insured. Uh, at least they didn't have cyber liability insurance.

And my understanding is they paid a, a very, very significant ransom. And, you know, as we'll talk about later, whenever that happens, you know, whoever pays that ransom is looking for someone to pay them back. So, who's the best in, who's in the best position to pay 'em back? Their MSP. Right? Well, we had a ransomware attack, therefore, the MSP must not have been doing their job is, is, is the gist of this lawsuit.

And, uh, there's all sorts of salacious allegations of, of, uh, you know, oral contracts and, and things like that. Um, that there, there's actually in, in one of the pleadings, there's, uh, there's a mention from the, the, the attorney from the law firm, or one of the employees of the law firm, and they actually said, why do we need, we didn't think we needed cyber liability insurance. We had LandTech. Right?

And, um, you know, that should scare the heck out of every MSP who is, uh, who is listening right now. Yeah. So, so Reid, you and Eric work a lot together, like mm-hmm. Can you, you know, kinda unpack what you need to start thinking about before you even get to this situation. You know, when you and Eric get on the phone call with an MSP, you know, they're, they're talking about their MSAs, what kind of insurance, you know, how to protect not only their mm-hmm.

Themselves, but what should they say? Should, you know, this is, you know, kind of a, you know, a lot of good preparation or things can get this, this is the make or break right before we start entering into contracts with our customers. Yeah. Yeah. And, and you know, a big piece of this is just education, right?

So what we really start with is typically, you know, in our world we call it exposure management, but really it's just identifying what are the things that you are exposed to as a business? Where are you liable? And how do we mitigate that risk? How do we transfer the risk? So Eric and I have a really good swim lanes, right? Because we're both in, in regulated industries where, uh, we live on the insurance liability side.

So we can speak all about kind of both from a MSP's perspective for their business, what should they be looking at? Why does that matter? What are the different facets of that? And, but that's only one piece of liability. 'cause the other piece is then the contractual liability, right? And there's other mitigation efforts there. So, um, and I don't wanna speak for Eric, but I feel like a big piece of, of what we do together is you kind of need to make sure that full picture is in view, right?

And it's gotta be painted. And, and it really comes from, 'cause a lot of folks that we interact with, um, I know they come from different places when it comes to how they got to where they, um, are from a business perspective, right? And, you know, there's no specific rule book to say, Hey, always make sure, you know, there's a cart and horse here, right? So when should you get insurance? And what insurance did you get? Right? You're relying on the people, the advisors around you.

So a lot of what we're doing, Andrew, is in a lot of cases, it's going back to just the basic risk conversation, identifying the risks and addressing how we mitigate them. Eric, anything you wanna add there? Yeah, you know, I, I, I tell my clients this when I, when I talk to them about insurance and my, my relatively limited knowledge before I pass it off to you guys.

But y you know, I think of, of risk, you know, you look at the combined legal risk and insurance risk and, and what can be mitigated as the, as the funnel, right? And, you know, the walls of the funnel are, are your, your agreements, the legal side, right? Mm-hmm. And, and, and hopefully those walls almost meet at the bottom, right? But we can't eliminate all risk in our business. And, and so some things will fall out the bottom of the funnel, right?

And, and the things that fall do fall out the bottom of the funnel will hopefully be covered, be insured risks, right? They'll be covered by, by insurance somehow. And the problem is, is that with MSPs, their funnel is, is this wide instead of that wide, right? And, and, and that's something that, that, that Reid and I work on together to make sure that, uh, that, that the protection is there from both sides.

So, so Eric, this, you know, when we talk about managing risk and, and contracts, can you mi maybe give us the tale of two MSPs? You know, when you look at, you know, someone comes to you and there's, there, it's really wide. What, what do you see there? Like, what, what are some misses? What are some things MSPs really need to consider, and how do you kind of guide them?

Um, I, I know many times, you know, you and I have talked, and especially since post-COVID, um, and MSPs have added a considerable amount of services, specifically in cyber. Um, and a lot of times, you know, as they add these services, they may not spell out what is, what isn't, who is, who isn't responsible for, and last thing I'll say is I turn it to you and to Reid.

You know, I think about Eric Woodard, um, he's an MSP outta Salt Lake, who, you know, talks very openly years ago, uh, had a very significant incident, um, involving him and his clients who's gotten so proficient now in, you know, aligning to CIS controls, not only in his company, but also his customers.

He's gone to the degree of a shared responsibility matrix taken literally in a, in the context of from the Microsofts and Amazons and Googles of the world, where, I'll give an example and again, punt the ball to you, Eric, but he talks about, you know, for example, inventory, which is one of the hardest things for MSPs, right? And, you know, he uses mobile as an example. He's like, that's where my share of responsibility comes in very clearly.

He's, he always talks to MSPs, uh, the clients about, Hey, so you have mobile devices, right? Yes. Do those mobile devices access M365? Yes. Okay. Am I able as your MSP to put some type of management software, right? Ringfence what they can and can't do when they're accessing your data and your systems? No. Okay. Well, that specific piece moves out of our relationship. And, and he's very proficient and very upfront about this.

And I don't know if all MSPs are so kind of setting the stage there for you, Eric, but can you kind of take it from there? You just gimme three and a half hours of things to talk about. Good. So, and, and, and I apologize for the background noise. There's some stuff going on in my backyard. But, um, you know, too often, and actually if you wanna flip to the next slide, you know, with, with greater risk comes greater complexity in contracts, right?

And if MSPs are still using the same contract today that they used 15 years ago, they're probably doing themselves a disservice, right? Because there are too many MSPs that think, oh, I have an MSA and oh, I have a statement of work, therefore I am protected. Right? But to your point, Andrew, the services that we're offering today are significantly different than the services that we offered two years ago.

And they're really different than the, than the services that we offered five years ago, right? So it's just a matter of making sure your contracts are up to date. And if you look at, you know, a new client comes to me and, and says, Hey, Eric, can you take a look at my contracts? And when I first look at their MSA, I always start with legal terms first. The MSA on a scale of one to 10 is generally around a two or a three, right?

And, and, and it's, it's for all the reasons that are in that last bullet point there, right? Where did the MSA come from? You know, did, did the MSP get it from their buddy and their peer group? Did they get it from, uh, you know, Google? Did they piece it together themselves? You know, there's, there's a lot of different, different resources out there for MSAs.

Um, but you have to look at the source, you know, was it your brother-in-law who's a divorce attorney, who put together the MSA for you? Um, probably doesn't lead to a very, very well-rounded MSA. Um, and then on the statement of work side, you know what we do, you know, the, the MSA, it gives you legal protections, the statements of work, I call 'em statements of work, provide the business protections, right?

And, and we'll talk a lot more about that later, but, but making sure that you're specific, because too often MSPs think that by not being specific, that by being vague, you know, they're not gonna be on the hook for anything. You know, oh, I'm gonna manage your backups, you know, and I'm gonna leave it there. Right?

Well, the reality is that if you're not very specific, if you're not, if you don't really expand on what it is that you're doing it and how you're doing it, and when you're doing it, and why you're doing it, and how often you're doing it, it's not that you're not gonna be on the hook for anything. It's that you're gonna be on the hook for everything, right. If you are not specific. So, so the, those are the big, big categories where I see MSPs fall down a little bit on the contracting side.

And I'm sure Reid, you see similar things on the insurance side. I do. And, you know, it's, it's, it's very true what you said, where I think, especially as the pace of business, you don't stop to reevaluate. And I think that's really true for a lot of aspects. But on this side, um, you know, you have the opportunity, so it's a little easy on the insurance side because there is this kind of forced cadence, right?

You have an annualized contract that gets re-reviewed by, um, hopefully a risk professional, someone that's very competent, and they're matching that up to say, okay, based off of what your business does and, and how they operate and the exposure you have, do we, do we still have a good fit here? Right? Where though the MSA can go into, well, you've had that for a while, and unless you, you yourself implement a good cadence, right?

Or you're partnered with someone that is establishing a good cadence that could very easily, right, um, go out. Yeah. Generally, no one wakes up in the morning and says, huh, I should probably review my MSA today. Exactly. Yeah. And a big thing that we, we harp on is, you know, your client's exposure is your exposure, right? So we, we know typically we're, we're encountering MSPs that wanna say, Hey, can you, can you look at my client's cyber insurance policy?

We're like, sure, that's all well and good. We can look at that, it's a good way to look at it. But we look at what the MSP is working with on tech E&O, they cover cyber, but for errors and omissions, the only thing you really need is a perception, right? There needs to be a perception of an error or omission in their service to just start, start that snowball. So I think what you said, Eric, is really astute, where it's like the less gray area you have, where it's up to, to interpretation, right?

There's less, uh, ability for someone to simply perceive an error or omission in their service. Yeah. I mean, the, the, the last person you want to try to figure out what your, what your statement of work said is the judge, right? If you get to a point where some 80-year-old person sitting behind the bench who can't even spell IT is trying to figure out whether or not you delivered the service that you've contracted for, then you're gonna, you're in a world of trouble. Mm-hmm. Interesting.

We just, quick tidbit, we're all, there's been a lot of talk over the years, um, about telemetry, right? So you're, you talked about, you know, reevaluating, you know, your, your cyber insurance policies mm-hmm. For renewal. Where are we these days in, you know, the, you know, being able to literally see into a customer, you know, it, it on, you know, fully Yes. That's here, you know, we are gonna have full telemetry and, you know, almost like the, the driver, right?

You know, young driver and you can see how fast they're going, et cetera, et cetera. What can you kind of bring us up to speed where we are in this? Yeah. Um, and I know we, we've talked about this, uh, a lot before. 'cause I feel like probably like, I don't know, four years ago, we would've assumed, well, we'd, we'd be there in two years. Now, here it is, four years later, it's like, well, why haven't we got there? Right?

It, it makes all the sense in the world, made a lot of sense for the safe drive and save concept. You know, you have the ability to turn it on on your phone. Now, um, with cyber, it's a little, little different. Um, and I can share with what we're seeing in the market that I think are, are movements to get there. And I can speak to kind of why it hasn't clicked as an industry yet. So it's kind of two sides of the fence.

You've got really, uh, capable tech companies that have identified exactly what you just said. Like, why does this not exist, right? Can we not build a platform, a tool away that we can align really, uh, easy way to validate current state, right? And then put that into the hand of an insurance provider to have that tool and, and have that insight. Um, and then you have the other side where you have insurance companies that kind of have seen the same thing.

They don't have necessarily the right tech resources, but they're trying to bring tech in to answer the same question, but everyone's still operating in little silos, right? So you've got insurance carrier, A, B, and C insurance carrier A is really old school, right? And they just haven't gotten there yet, right? So they're still doing things in archaic ways.

Uh, insurance carrier b, they've got it, like, they, they understand what they need to do, but they still are trying, they're in search of, of who to partner with how to do these things. Because it, it really does change the distribution model for them, right? It's not just, Hey, I'm gonna go through a broker. Those are the client back to the broker. It's like, now there's other tools to bring in other constituents into the equation.

But then you have C, which we're seeing this more and more where carriers are saying, okay, yeah, we understand it. We're gonna start building our own tech. There's a lot of insurtech-savvy, uh, companies out there, like, uh, At-Bay, Coalition, we've seen 'em a lot, and they're building out that tool set, that capability. However, here's the problem. It's insurance that's offering that tool. Does that make sense?

And insurance, uh, is still, I mean, me, you know, pot calling the kettle black, it, there's, there's a trust factor there. We're not seeing high adoption. It's like, well, wait a minute. What, what, what are the implications of you being able to see more? And it's still very, it's optional, right? So we're seeing that. Um, and so I think it's, it's slowly evolving, Andrew. Um, I think there's a couple players that are doing it in the right way, which is more of kind of like a neutral setting.

How do we get a good groundswell of like a good platform that can be utilized? And then, uh, we can invite insurance into it. Um, but it's still, it's still operating in those pockets, not a standardized process. Cool. Thank, thanks for, thanks for the update. So Eric, absolutely. Let's move into, I guess, contracts 201, if you will. Like, when you get into things like limitation of liability, you know, kind of walk us through here. What, what things do MSPs need to be aware of?

And then again, maybe, you know, Reid can talk to his side of this. Yeah. So I, um, you know, I, I kind of pick on limitation of liability because it's the first thing that I flip to when I, uh, when a, a, a new client gives me their MSA, and, and it's the first thing I flip to because, um, it's probably the most important clause in your contract, number one. And number two, most such clauses are not written very well, right?

So, you know, one of the big things, and it sounds really, really silly, is that your limitation of liability clauses have to be conspicuous. The courts require them to be conspicuous, meaning you can't bury them in the fine print of a contract. You know, they, they've gotta be the, the words have to be in all caps, or all bold, or all bold and underlined, or something that stands out from the rest of the agreement. If you're asking your customers to limit your liability, right?

If you're asking your customer to say, Hey, look, you know, me as the MSP, we can inflict $10 million in damages, but we're only on the hook for 250,000, right? Conceptually, that's okay. But we have to make sure the customer has, has knowingly consented to that by, by making it a conspicuous provision in your contract. Um, the second thing, and, and, and this is also something that I see a lot, is there's two ways that we limit our liability, right?

We limit our liability by limiting the types of damages recoverable, and we also limit the amount of damages recoverable. Limiting the types of damages recoverable simply means that you only wanna be on the hook for direct damages, right? Damages that were reasonably foreseeable, damages that were proximately caused by you. You don't wanna be on the hook for indirect damages, special damages, consequential damages, punitive damages, lost profits, lost revenue, loss, none of that stuff, right?

Only for direct damages, right? And then the, and then the amount. So if you are on the hook for some sort of direct damage, you wanna limit the amount of that direct damage, right? And in this industry, it's usually a backward-looking period. That's based on the amount of revenue you've received from that client for the service that gives rise to the liability, which is missing from most clauses that I see, right?

It's not just how much the customer spent with you in the last year, it's how much the customer spent with you in the last year taking on a year.

But for the services that gave rise to the liability and under the applicable statement of work, so that if you have a $5,000 a month managed services customer and a 12 month limitation of liability, and something's gone horribly wrong with your managed services, and now you're on the hook for up to $60,000, you wanna make sure that if that same customer also did some sort of a hardware refresh with you and spent another $70,000 with you in the past year, you wanna make sure that those numbers aren't gonna get added together for your limitation of, of liability clause.

Um, and the big one is, is carve outs. Carve outs are, are exceptions, right? So here's the limitation of liability, but it doesn't apply to X, Y, and Z, right? And this is where all the different clauses of your MSA work together. And I'll give you a a a an example, right? Let's say that there's a carve out for indemnification obligations, which is a pretty common ask, right?

So limitation of liability doesn't apply to indemnification obligations, which is fine if your indemnification obligations are narrowly tailored, right? But if your indemnification obligations say that you've gotta indemnify for breach of contract, or maybe what's worse, you have to indemnify for breach of contract and not just third party breach of contract, but first party breach of contract. Well, what does that mean?

That means that if you breach the contract, you have to indemnify your customer, right? And breach of contract happens all the time, as Reid can attest to, right? You have to indemnify your customer, meaning you need to step into their shoes, you have to defend them, you have to pay their lawyers, which is the expensive part. 'cause lawyers aren't cheap. But what's worse is that you've carved out indemnification obligations from your limitation of liability.

So you breach your contract, you indemnify your customer, and now you have no liability cap. So for a simple breach of contract, you have no liability cap. I see contracts written like that all the time, and it's terrible because that means that every time the MSP breaches their contract, they're betting their business on that deal. Mm-hmm. Eric, is this where you... Reid, just a quick question before you go. Yeah.

Eric, is this where you've, at different times, you've been on talking about things like helping customers with their cyber insurance policies, um, and, and it's outside of, you know, their MSA and things don't apply in terms of their limitation of liability, or a customer says, Hey, can you just verify we didn't have an incident? And that's, is this where that why this is so important about doing things outside of what you've signed up to do for your customer? Correct.

And, and, and it's a great point because if you start doing work for customers that you are not contractually obligated to do, then the argument goes that you're, that you're acting outside of your contract. And if you're acting outside of your contract, then your MSA doesn't apply. And if your MSA doesn't apply, then you don't have all the protections of your MSA, right? And, uh, and, and it's, it's just not something that you wanna get involved in.

And, and the, the cyber insurance apps is a perfect example, right? MSPs are constantly asked to help their clients with their cyber insurance applications, which is fine. They should, to a certain extent, help their clients because the clients don't know the answer to a lot of these questions. They're gonna reach out to the MSP, but the MSP's gotta make sure that they're on the hook contractually to help their clients.

That way, again, if something goes horribly wrong, they're at least protected by their MSA, right? We, we, we've all heard the Travelers case, right? Where the MSP or the MSSP checked the yes box when it should have been the no box or vice versa, then the MSSP gets in trouble. You wanna at least make sure, at least between you and your customer, that your, your limitation of liability clauses apply.

And, and maybe one other, Eric, if I may, because, you know, it's been a, a boon, if you will, for, you know, a lot of MSPs have done very well over these last several years, so your backlog of onboarding, right? Yeah. So can you maybe just nuance that in here too? Is that another area where you might have signed an agreement? Yeah, but we're not starting and, you know, yeah. Or we start something, but we can't, we're trying to get the old MSP out and their tool.

Can you kind of nuance why that's important too Here? Yeah. So, so almost every statement of work that I see from a new client says one of two things as it relates to onboarding. It's either silent, right? It just says, well, we're signing the contract today, October 22nd, and here's all the stuff we're gonna do for you. Or it says, we're signing the contract today, October 22nd, and on November 15th, we're gonna start delivering our services.

The problem there is that when you sign a contract today on October 22nd, you don't know. You don't know when you're gonna be able to deliver those services, because a lot of things have to happen. If it were a hundred percent up to the MSP, then they could do it, right? They could probably onboard in three weeks and get someone up and going. But we all know that customers aren't always cooperative.

We also know that their prior MSP, who's on their way out, is really not gonna be cooperative. So there might be a chance that you can't deliver all of your services on November 15th, or worst case yet, you haven't said anything at all about it. So what happens there? Murphy's Law will tell you that between today, October 22nd, when you sign the contract, and whenever it is you're gonna get the cu the customer up and going, something bad's gonna happen, right?

And maybe, you know, two weeks in, ransomware, and they've gotta restore from backup, and they call you up as their MSP, their, their new MSP, and say, Hey guys, we've been ransomwared. We need to restore from backup, right? And you as the MSP say, Hmm, sorry, we haven't implemented managed backup yet. And the customer will say, well, wait a minute. I got a contract right here that says you're gonna do it. It says you are doing it today.

And what's worse is a lot of MSPs start billing right away too. So not only do you have a contract that says you're gonna do it, the customer's paid you to do it, but you haven't done it. Right? And that whole onboarding process and how it works is where a ton of MSPs get in a lot of trouble, and they'd better have good tech E&O insurance. Yeah. So you've heard a lot here on contracts 201. What do you have to say?

I mean, it's all spot on. And I think, you know, if we look at it from the insurance perspective, a big thing, I'll go even to an underwriter's perspective, right? Trying to get a handle on a risk requires that first you kind of compartmentalize it, right? So, going to Eric's analogy, we're trying to slowly get this down. We have risk; there's a lot of different things that create risk, right? We have a lot of moving parts.

We can start consolidating these; now we can start defining them. And then what we end up with by the end is, you can't completely remove risk, right? There's always going to be an opening at the bottom. But the idea here is that instead of maybe 10, 15, 20, 30, however many different conduits that could form here for different types of events, different types of expectations, whatever it may be, we boil those down to a couple.

And then what we know now to be true around the reality of the risk posture is, you know, yes, an error could occur, but we've been able to narrow it down to what the responsibility of the MSP will be, right? Financially. So to Eric's example, we're linking this to services that can give rise to liability. We can then transfer that liability, right?

So we can look at that and go, okay, well, hypothetically, what would that equation look like? Right? So if I've got a client and this starts to unpack, I could still be, you know, a couple hundred thousand dollars, great. Now we can start to look at how you transfer that risk over to insurance. So, you know, in my brain, it starts to become formulaic, right?

And you should be able, as a business owner, to start to see the formula of what the risk is and say, okay, have someone that can articulate it, like Eric, start to boil this down and say, look, these are the compartments we're gonna put it in, right? These are the provisions; this is how we're gonna limit types and amounts. And then the next step is, okay, then what? So we still have an outcome.

That outcome should, for the majority, still be able to be transferred over to a tech E&O insurance policy. Got it. Alright. So let's move on a little bit deeper, Eric, into the 201 section. What should we know here? Yeah, so, you know, I pick on limitation of liability just 'cause it's really, really easy. But this list here is a lot of things that are often overlooked in MSPs. And I know we're gonna spend a lot of time talking on that third bullet point.

But, you know, ownership language: who owns what, who owns your services and the product of your services? I like to see the MSP own it, right? That way, if they're doing work for a customer and they figure out some way to do things better, faster, cheaper, what have you, they can then promulgate that across their entire customer base, 'cause they own that know-how, right?

They own the results of their services without having to pay that particular customer a license fee or royalty, right? So you wanna have ownership language: who owns what? You wanna have favorable assignment terms, right? Almost every MSP out there wants to sell their business one day, right? And if you don't have favorable assignment terms, you could have a customer holding up the sale of your business, which would be tragic, right?

I mean, you wanna make sure that your business is as transferable as it can be, right? And you look at, what's the value in your business? The value in your business is your customer contracts. It's not your employees. I got news for you. I don't care if you've had, you know, a 30-year employee; there's no such thing as indentured servitude. They could leave tomorrow, right? So it's really your customer contracts.

So make sure that you can freely assign those customer contracts, and then insurance requirements. Reid and I have talked about this before, probably more than five times. And, you know, I like writing into MSAs that the customer has insurance requirements. MSPs have insurance requirements too, right? But leave it at that. Make sure the customer's required to carry requisite insurance, including cyber liability insurance, right?

I don't want the MSPs dictating types and amounts and things like that. Leave that to the insurance professionals, right? But you wanna make sure your customer is required to have cyber. And I'll tell you why. And maybe my why is a little bit different than Reid's why. But the reason for me, from a legal perspective, is that I want this to be a conversation starter between the MSP and their customer.

I want the customer to read this and say, oh, this requires me to have cyber liability insurance. I don't, right? So I call up the MSP and I say, Hey, I'm reading through the MSA and it says that I'm required to have cyber, and I don't have cyber. What do I do? Right? The question the MSP needs to ask, from my perspective, is why? Why don't you have cyber?

And in my experience, it's one of two different answers. Either, one, I don't have cyber because I can't get cyber; I need to get up to some minimum level of insurability. And that's why I'm coming to you, right? As my MSP, get me to where I need to be. Get me, you know, MFA, and manage my backups, and do all that stuff, then I'm gonna go get cyber, right? Those customers I'm not worried about, because we can write in there that you'll get cyber in 90 days, 120 days, whatever.

The customers that worry me are LandTech customers, right? The customers that say, well, I don't have cyber, I don't want cyber, it's too expensive. What do I need cyber for? I've got you, right? Those are the customers that really worry me, and those are the customers that either, A, I wanna make sure I'm properly insured for as the MSP, or, B, maybe I don't take that customer, right?

It took me a really, really long time to realize in my career that there's good business and there's bad business, right? Not all business is good business. And when you've got a customer that doesn't take their cybersecurity posture seriously, so seriously that they're refusing to get what's becoming table stakes, in that they need to get cyber and they won't do it, and they wanna rely on you, maybe that's bad business, right? Maybe I don't want them as a customer.

So let's pause there, and I'd love to get Reid's take on that. Well, Andrew, it looks like you have something you wanna say as well? Can I just ask you a quick question, Reid, on this? Yeah. Yeah. So, Eric, maybe two parts. One, I'm an MSP; I've been, you know, doing this for years. I agree with you. You know, I came to you, I really like the way you're coaching me, redoing and structuring my MSAs, et cetera, and I go, man, makes a lot of sense.

All our clients should have cyber. Yeah. But when I look, and we know this from the Cyber Call, the vast majority of MSPs that have, you know, a decent number of customers still don't know whether their customers do or don't have it, first off. But let's assume they do know, and there's 35, 45% that don't. But they've changed their contracts now to say they do need to have it. What are your thoughts there?

I know they're still under a current contract which says they don't have to. Have you kind of advised on how to go back and nuance this because of the change in the threat landscape? It's education. Like, it really always comes back to education, and throw it over the fence, right? Have the Fifth Wall guys educate your customers on the importance of carrying cyber, right?

And I don't wanna put words in their mouth, but I'm sure they're gonna be happy to do it, right, to make sure that the MSPs are covered, but also their customers have the requisite amounts. Got it. So Reid, when you guys work together, have you had those instances where you, you know, you have a three-year agreement, but you now put an addendum in there that they are carrying it? Like, can you kind of walk us?

Yeah, to Eric's point, there's a journey. What's interesting about what we do is, you know, we're not a widget. We're a service. So the service of what we're doing with MSPs is implementing process, and the process, that's the sales enablement. That's where the education is. That's where it's, how do we approach this so that it's part of the DNA of our business.

Like, the way we kind of describe it too, and Eric, actually, I think we agree a hundred percent with what you said, just for the record, but also, 'cause it is a conversation starter. So it's like, how do we start the conversation? And if I have 30 clients, if I have 60 clients, if I have however many, then I'm gonna have this requirement, right? So I'm gonna change it. There has to be a timeframe, right? Within a certain period of time.

And then it's all about communication, right? So here's a change. So hopefully during the QBR we're gonna discuss this change. Now that conversation is really, really important, 'cause to Eric's point, it allows you to showcase something, but it also allows them to showcase something to you. Eric already hit on the point where it allows them to showcase something to you, which is, what is their understanding? And do they take this seriously?

Are they a client that views you as the solution and catch-all, and therefore that should be a huge red flag? Or have they developed a level of maturity to understand the need? If they haven't, well, great. Then we can work on that. The other side, though, that you can showcase to them is, right, we're talking about right of boom, and we're talking about response and recovery, right? Insurance has a piece of that, right?

And this is the piece that we work with MSPs a lot on. Part of that narrative needs to be that it is, now, whether we like it or not, it's become this, it's a requirement almost. It's an important element of recovery. And it's not that it has to be in place, but understanding that it exists or doesn't exist has a direct implication on all the moving parts thereafter, right? As far as who's paying for the services, who's doing what.

And so the ask doesn't necessarily have to be "because I'm requiring it." Andrew, it's important, and I think "required" is a good way to start the conversation. But the ask then starts at least a good dialogue around understanding, hey, this is what it's gonna look like. And if you're doing a QBR, and maybe, hopefully, you're doing tabletops, if you have that opportunity, it's a really good exercise to start walking through.

So, you know, we know we don't want to be, like, adversarial with customers, Reid, from the standpoint of, you didn't take, you know, you're not taking my advice, you're not getting, you know, cyber. So, you know, sign here, we recommended it, you didn't get it. You know, those things, as we know, don't really go over so well. Yeah.

So first you, Reid, and then you, Eric: how do you nuance that where, you know, you still want to dot your i's as best you can in the event the LandTech situation comes up? You know, you're in the middle of a contract, you're like, I've, you know, gotten religion from Reid and Eric that this is something all customers should have. I got this customer over here in the middle of a contract, they're not gonna do it. Anything I can do there to better my odds, if you will? Yeah.

And I think this is where there's that delineation, right? It's like, we're gonna stick onto our insurance liability piece. Eric's gonna stick onto the contractual piece. So like, we're not living in a world where we're saying you must require it. Right? There's different reasons to do that. What we're asking is, you know, are you encouraging it? Are you requiring it? Like, what is the stance here?

So for us, really it starts with, like, how are we, in partnership, looking at this? Are we aligned? Right? And alignment really can just start with, are you encouraging it? Because the encouraging-it part, from our perspective, then starts that dialogue. The requirement piece, though, like, if you're taking this seriously, at the end of the day, it's dealer's choice. And Eric, I think you're spot on. It took me a long time to realize this too. There are bad clients.

There are those where it's just not worth it, 'cause you kind of better understand the seeds that can be planted that create a far more nefarious picture than you realize today, right? If you're not requiring it, then you're also acknowledging, though, that you are exposing yourself further, right? To more risk. And you're not saying you have to carry a million, you're not saying specifics, but you're at least acknowledging that it kind of goes back to the formula, right?

Then we gotta go back to the MSA, and we're going, well, how are we positioning that? And that's Eric's land, right? And it's a company decision. It's a business owner's decision on how you want to approach that. And I do understand that you don't want to be adversarial; you don't wanna create something that's going to potentially force you to lose a client.

But you kind of also wanna, I know a lot of MSPs are going down this road of, well, they're also saying, well, either they're gonna adopt a full stack or not, right? They're either going to go this direction or not. And what kind of client, what kind of portfolio am I looking to build here? Yeah, sorry. So, Reid. Oh, I'm sorry, Andrew. Yeah, no, your thoughts there. So, you know, I wanna kind of fast forward a little bit. Yeah.

So let's say that an MSP has a client who has a robust cyber policy, right? And this just happened last week to one of my clients. I got a call from a client, and they're telling me this story about their customer who's a hospital on the East Coast.

And Andrew, I think you heard this story before, but this customer got a call from the FBI, and the FBI Cyber Crimes Task Force tells this MSP's customer, this hospital, we have reason to believe that there's a threat actor in your network right now. Hmm. And so what does the hospital do? They call up their MSP, and the MSP says, well, look, we don't see anything. Right? But we don't have the tools and the technology to tell you for sure, right? We need to bring in forensics.

We need to maybe bring in, you know, breach counsel and things like that. And it took five days, five very, very long days, before we collectively were able to convince the hospital to put their carrier on notice to say, Hey, we might have a problem here. Maybe we should bring in forensics. Right?

Can you provide some advice to MSPs out there on how to navigate that situation where you have a customer that is insured, they're doing all the right things, but when the time comes, and I cannot think of a better time to make a claim on your cyber policy, mm-hmm, than when you get a call from the FBI, they didn't wanna do it. So how would you counsel the MSP to navigate those waters to get the customer to do the right thing?

And Reid, as you get your answer ready, the FBI does those things just for fun, right? When they call, of course there's a threat actor in there. There may or may not be. Yeah, Andrew, if I worked with the FBI, man, I'm sure I'd be really bored, 'cause there's not really anything going on with, you know, criminal activity or anything like that. I would, you know, create a little excitement with my day.

Alright, so the first thing, the headline on this: any MSP that's listening, the big thing you gotta know, and your clients need to know, and if you're the messenger or however they get information, there is never a negative. Right? There is no con. If you put together a pros and cons list, there is no con to putting a carrier on notice for cyber. Okay?

And I still encounter this so much because, you know, there's the stigma of, like, well, if I put my auto insurance on notice about something, then magically my premium goes up, right? Or my homeowner's insurance. It's not the way it works. And in fact, it's the exact opposite. Many carriers are incentivizing early notification, because for them time is money; that five days ultimately probably cost them a lot more money.

Now, the recommendation to that client, for the MSP: alright, if you've got a client that's just a stick in the mud, they won't move, start to inform them on things that they may not be informed on, right? So that's one. Try to maybe look at the reality of why they are choosing to not inform their carrier. And then also, there's multiple advisors in the situation, right?

So at the end of the day, can you really, you know, if a king's not listening to their advisors, right, and the king's just gonna do what they do, but the advisors are talking and talking, ultimately there's very little you can do. But you wanna make sure that the advisors are all aligned. So if there is another insurance agent, hopefully, in the equation, the MSP can start asking those questions. Have you talked to your agent about it?

You haven't? You should definitely talk to your agent. There's no consequence of that. Maybe you don't believe me about the whole putting-the-carrier-on-notice thing, but if you came to me, I'm an advisor, I'm a risk advisor, I bring in the other risk advisor, and they'll resonate the same thing, right? Reid, or Eric, you know, healthcare, you know, five days, what potential risk is there?

I know this is all hypothetical, though, Eric, with breach notification and HIPAA. Like, let's just say the threat actor is indeed in there. They are exfiltrating; a hospital healthcare provider is sitting on it five days. Oh, fifth day we find out they were notified five days ago, but not, not good. No bueno, right? Yeah. It's not good. And, you know, the fact pattern here was that there was no exfiltration, at least that anyone knew about at that time.

But I think, Reid, you brought up a great point about getting the advisors involved, because there were two things that kind of got us over the hump and got them to finally do it. One was a call that we had with everyone's lawyer, right? And so it was the hospital's lawyer, and it was the MSP's lawyer, it was me. It was, you know, the hospital is owned by a joint venture. It was all their lawyers and all that.

And in fact, the hospital's lawyer, number one, it's the first they heard of it, right? Which is scary in and of itself. But as soon as he did hear of it, he said, we made an insurance claim. Right? But the second thing was the hospital was demanding of my client, Hey, I need you to send us an email saying there's nothing wrong. Right? And my client, on my advice, said, absolutely not. We are absolutely not going to do that.

You need to have a forensics firm come in, and, oh, you can pay the forensics firm out of pocket if you want, but that's why you have insurance, right? So I think it was a combination of those two things that finally got us over the hump. But to answer your point, you know, whether it's healthcare or not, you know, like Reid said, the longer you wait, the worse it gets.

And one last thing too, Eric, the irony of that is everything we mentioned, Andrew, all that is covered by insurance. Yeah. Right? And so if you could just do a quick analysis: what's my deductible? And as soon as you start to exceed that, based off of consulting with, like, Eric, you mentioned so many expensive things to get to that conclusion, right? Yeah. Where all those would've been covered. Absolutely. Yeah. So crazy.

But sorry to sidetrack everything. Oh, no, I did wanna get that in because it's important. And frankly, I wanna know how to advise my clients when that comes up, because it comes up pretty often, both on the MSP side and on their customer side, right? Sometimes the MSP doesn't wanna make a claim either, you know, whether it's on their E&O or anything else. Yeah. So, yeah, no doubt.

So statements of work, Eric, this is another big one for you, you know? Yeah. And, you know, the bullet points, you know, and I see this in every single statement of work, we talked about this earlier, right? Mm-hmm. Don't tell your customers what you're going to do for them in a series of bullet points. It's just not enough, right? You can't just say, we're gonna patch your systems, right? And I always give this example, right?

Microsoft comes out with a patch today, and you apply it on Monday because you've tested it and you've gone through all your internal processes and you determine that it's safe and all that. But again, you know, Murphy's Law is gonna tell you that something bad's gonna happen over the weekend. And maybe that something bad that happens could have been mitigated by the patch, and the customer comes to you and says, well, why didn't you patch? It says right here, you patch, right?

And you explain to the customer, well, I didn't patch because we've got these processes that we have to go through. We wanna make sure the patch isn't gonna further break anything else and all that. You gotta tell your customers that contractually, right? You have to tell your customer the process you're going to go through to apply patches.

Because if a patch is released by Microsoft today and you don't apply it until Monday, you better have a damn good reason why. And that damn good reason why is gonna be your contract. Right? Not only that, Eric, isn't this also where we're going back to Eric Woodard? This is where, you know, we patch systems. Yeah. What systems? Yeah. Right? We patch all systems. Yeah. And when do you do it, and what are the requirements?

And does the device have to be plugged in and connected to the network and rebooted afterward? You know, all of that stuff needs to be spelled out in your service descriptions. Yeah. And you know, another spot where MSPs get in trouble, and this is the LandTech case, right? LandTech's customer thought that they were receiving services that the MSP didn't realize they were supposed to be providing. Maybe they weren't supposed to be providing them, right?

So there's some disconnect between the customer's expectations versus the actual service that the MSP is delivering to that customer. So you wanna make sure that your statement of work is crystal clear that, look, here's what we're providing. It's in this neat little box here. That's the belt, right? The suspenders is, we're not providing anything else, period. Full stop. Right? If it's not in that box, you're not getting it.

And then the other set of suspenders is, here's a list of commonly thought things that you might think you're getting, but you're not getting them. Right? And that's kind of the belt and suspenders and another set of suspenders approach. And the last thing on that list of exclusions is you're not providing incident response, you're not providing forensics, you're not providing data restoration necessarily, right?

So make sure that your customers know explicitly what you're providing and what you're not. And then that second-to-last bullet point there is important, right? We're not in this alone as MSPs. We've got a tech stack; it could be a mile long, right? You ask Eric Woodard, I forget what he's up to, but it's in like the sixties or seventies in terms of how many third-party service providers he's using.

And with every single one of those third-party service providers that he's using, he has a contract with them, right? And he has contracts with his customers. You gotta make sure that when something goes wrong on the service provider side, which is what happened in the case that he's spoken so much about, the liability and the risk flows appropriately from him to his customers. Right? And like Reid said earlier, you can't exclude all risk. You just can't.

You can, but you're not gonna do any business, right? You can't exclude all risk. So, you know, our jobs, between me and Reid, is when you get left holding the bag, make sure that that bag is as small as possible, right? So make sure that your third-party providers, all of their terms and conditions, are flowing through appropriately. And finally, on the disclaimer side, right?

Make sure that your customer knows that we as MSPs could be doing everything we should be doing and bad things can still happen, right? And just because bad things happen doesn't mean me as the MSP is responsible for that, on the security side, on the AV side, EDR side, all of that stuff. We as MSPs could be doing everything, but the customer could still get popped. Mm-hmm. And we don't wanna get a lawsuit because of it. Yeah.

Or in the instance of CrowdStrike, completely out of our hands, right? Yeah, absolutely. Yeah, absolutely. Okay, so I know we're coming up here on time; any questions, please send them in here in the last few minutes. Eric, BAAs, big one that you talk about, right? Yeah. So these are, I call 'em contract end runs, right?

So, you know, someone comes to me and I get 'em a great MSA, I get 'em a great set of statements of work, and they put 'em in front of the customer and the customer signs 'em, and they say, oh, wait a minute, we have to have you sign this BAA as well, right? Or we have to have you sign this DPA, this data processing addendum, as well. Because, you know, we might be handling, as an MSP, the personal information of European Union citizens, right?

In either one of those cases, you've gotta make sure that these, call 'em extracurricular documents, don't negate or don't neuter your other documents. And I see it happen every single day. And I always pick on BAAs 'cause it's easy. You know, you go back 25 or 28 years, whenever HIPAA came around, right? And you'd have BAAs, business associate agreements, in place between the healthcare institutions and the MSPs, and the MSP would just sign anything, right?

They'd sign anything the hospital put in front of them, right? Because in the beginning they were just putting in things that were required by HIPAA and required by HITECH. But then the hospitals started getting smart, and they said, huh, if everyone's just signing these things willy-nilly, I'm gonna start putting a lot more stuff in there that's beneficial to me as the covered entity. That might not be beneficial to you.

As a business associate, things like indemnification, things like lifting liability caps, right? You can have the best limitation of liability in your MSA, but if you sign a BAA that has language in it that negates the liability caps, guess what? You have no liability caps. So make sure that there's an entire package of documents that you're signing. Make sure someone who knows what they're doing is taking a look at them.

Make sure you're not signing your names to things that you shouldn't be signing your names to. Really good stuff, Eric. Mm-hmm. Reid, anything you wanna close us out with here? Well, I mean, I'll close this out, but you just gave me a little bit of déjà vu. Eric, one of my first professional jobs I had was working with a medical company right when HITECH was coming out. And I was getting updated BAAs done by the hundreds.

So it was a little bit of, yeah, he brought back a little bit of PTSD, right? Yeah. Yeah. But I questioned the timeframe too. I was like, that wasn't that long ago, and then I had to date myself. So thank you for that.

No, I think just final remarks, Andrew, is that I think Eric and I, hopefully, hopefully what we shared was helpful, but I also understand that there's totally different ends of the spectrum when it comes to, like, understanding this and seeing it as, like, a couple tweaks that need to be made. Or it could feel like this is a mountain, right?

Like, so much was covered, and this is not something that you need to go out and teach yourself and go and take care of yourself. I really think the encouragement here is seek advisement, go to those that already know how the sculpture needs to be built, right? And, you know, obviously present company included. But I think that's a big thing: hopefully we've sparked at least some questions you need to be asking.

And then, do you have the right people around you to answer those questions? Yeah. Really good stuff. And I thought you guys did a fantastic job, and appreciate you all joining us for this event. Wishing you guys a fantastic day, Eric, Reid. Really appreciate it.