Right of Boom
January 30, 2025

CyberCall – Negotiating Vendor Contracts

In this video, Eric and Andrew engage in an insightful discussion about the importance of vendor and subcontractor agreements, particularly focusing on how these relationships impact data security and risk management for Managed Service Providers (MSPs). They explore the critical need for MSPs to review and negotiate contracts to ensure they are not left vulnerable or "holding the bag" if a vendor or subcontractor fails to meet their obligations. The conversation also delves into the evolving landscape of MSP responsibilities, including the management of third-party risk and the implications of emerging technologies like AI on data handling.

- The importance of vendor and subcontractor management in MSPs is increasing due to the rise in security threats and regulatory requirements.
- MSPs should ensure legal agreements with both vendors and subcontractors are in place and align with promises made to customers.
- The role of MSPs is evolving to include third-party risk management and digital transformation services, providing new revenue opportunities.

Guests

Andrew Morgan

Video Transcript

Apologize, I think they've all been fixed. Um, before we get started, I would just, um, ask that if we could just all take, um, a moment of silence for, um, today, um, and what it might mean to you. Um, I grew up in New York, um, and, um, there were a number of people that I was fortunate to work at a country club in, in New York growing up, um, where a number of people from Wall Street, um, came out.

In fact, um, Carvan Securities and a lot of those people that were on the top floor were some of those peak. So, um, just, uh, I'm sure we all remember where we were. So just take a moment. Okay. Alright. So, um, back at it here, uh, in setting the stage, um, so before we took the week off, um, we had Mackenzie on, um, which was awesome.

And we were talking about malicious proxy servers, um, how they were using these for residential footprints, um, to obfuscate, you know, IP addresses and make geolocation much more challenging. And, um, one of the areas of risk, um, that we often forget about is what's going on with our vendors and our subcontractors.

And, you know, I was talking to Eric about this and he always has some really, um, cool insight, not only as, um, as he likes to say, a recovering MSP himself, um, which he'll tell you about if you don't know Eric. Um, but, um, the supply chain and the impacts, uh, of our data, our customer's data is only, you know, getting more important.

And, um, and then although, you know, Eric, we talked a little bit about AI, I think at some point that will start to play a role, maybe not this moment, but you know, how bigger vendors are gonna use those types of, you know, large language, um, mo uh, models to, to better their businesses, but at the same time potentially expose, uh, customer data. So with that, welcome back Eric. It's awesome to have you with us.

Um, for those that may not know you, if you could share a little bit about yourself and, uh, and what you're doing. Yeah, thanks Andrew, and thanks everyone for having me back. I'm really looking forward to today. I think it's gonna be a great, uh, talk. But, um, I've been practicing law for about 25 years, uh, for 24 of those. It has been for technology companies. Um, and for 13 of those, it was for my own technology company. Uh, we started at what became an MSP back in the late nineties.

Uh, we're very, very fortunate, um, to have grown to about 250 employees, uh, before we sold it back in July of 2011 to, uh, Logic, a global MSP. Um, I had then spent, uh, about eight years as the, the, uh, general counsel at Logic House, which means I led their legal department. I was their chief risk officer. I was their head of information security and compliance, um, before going on my own and, uh, and starting my own firm.

And today I almost exclusively represent MSPs, um, and some software companies who are in the, the MSP ecosphere, um, and, uh, anywhere from, you know, a, a, a sole practitioner MSP all the way up to 1500 employee, uh, MSPs and, uh, everything in between. So, so thanks again for having me on. Awesome, Eric. And really cool topic that we're gonna address today.

So with that, um, Wes, I, I have you coming up to the front so you don't have to watch the clock and maybe get all four questions in for once. Hey, sounds good. The amount of times I go off script though, we'll just, we'll see how we, we do this is, oh, man, I saw this come up, Andrew, and I was like, what a great topic you've selected. I just, I really believe this is an area that, um, we, we've gotta talk about a lot.

And maybe just, if I could just super quickly set the stage, I truly believe where MSPs are going in the next two to four years, you're going to expand and find yourself in the middle of working with your clients, helping them in third party risk management. That's just an extension of risk management that you're already doing. And you should be glad for that because I think it's a billable service.

Um, small and mid-size clients are finding themselves that they're expected to do contract management and vendor management for their own clients. They have no idea how to do that when it comes to a cyber perspective. So I get kind of excited about that because I do think it's healthy and I think we should get into it.

So Eric, you know, maybe the way we could start this is let's just kind of jump into, you know, I I, I do think MSPs have done a good job of like getting better saying we need to have a, an attorney that understands cyber review our, our our agreements in place. Uh, I ask that all the time and I lead workshops. I'll ask that question, and more and more hands are going up.

I think it's terrific, but I don't know, Eric, how many of them are actually shifting that into their own agreements with their, with their critical vendors, right? So can you kind of elaborate and unpack that for us a bit? Yeah, absolutely. And it's a great question, Wes, because you know, you, you, you've heard me talk a lot about, you know, you're get getting the MSPs agreements with their customers in line, whether that's the MSA or the statement of work.

And, and, and I've been preaching that for a really, really long time. And, and sometimes those, those other agreements, you know, I, I preach to my, my clients, before you sign anything, before you click through anything, just let me know about it, right? So I, so I can help guide you through that process. And, and vendor contracts is, is probably the, the second most important concept, right? You have your contracts with your, with your customers, that's great.

But then you gotta look at your vendor contracts and not enough, um, MSPs spend, dare I say any, let alone enough time, uh, looking at those vendor agreements. Okay? So I, I totally agree with you. Um, let's talk to me about, let's play a horror story just for a minute. Let's go to the worst of the worst, right? Yeah. Let's say you don't, you never, you just sign and go, you just, you're a YOLO signer, right? What's the worst that could happen for an MSP that's doing that?

Uh, not to, not to be all doom and gloom, but you can lose your business, right? I mean, if, if you're signing bad agreements with your customers and, and, and we've heard people like, like Eric Woodard be on this, on the cyber call before, right? And, and talk about what happened to him when he signed a really, really bad agreement and then had a security incident on top of it. Um, and, and it was, it was touch and go for him for, for, for a long time.

Um, so, so yeah, the, the, the, the, the, the long and short of it is that you are betting your business on that vendor, right? Plain and simple. If something goes wrong and you don't have a good contract to rely on with that vendor, I'm sure you've made promises to your customers, right?

I know that you've got language in your, in your MSA and in your statement of work about what you're gonna deliver and how you're gonna deliver to your customer, but you're not the only one responsible for that delivery, right? It is also on your vendors. So I think Andrew put in the, the, the working title for this, make sure you're not left holding the bag, right? Make sure you're not promising anything more to your customers than your vendor is promising to you.

And when you're not looking at that vendor contract, well, you just know, and, and I can just trust me when I tell you that vendors do not have MSPs' best interests in mind when they're creating their contracts for their MSPs to sign, right? Because I've dealt with a lot of lawyers, right? And, and I, I, the reason I know you're right on that is you may be talking to an account rep that does have your best interest in mind, a company, a CEO that does have your best interest in mind.

But at the end of the day, the lawyer's job is to protect their own company, just like your job is to protect your client. So, you're right, we can't expect the agreements to just be this neutral, uh, approach that's best for everyone. You have to assume that it's a bad contract from the beginning. So I guess, I don't know, I, I think bad's a tough word. Like you could say same thing about as an MSP, the contracts we write to our customer.

We're trying to protect ourselves basically from all risks. So like, I don't know if it's like necessarily good or bad or bad intentions, but if as a company, right, I'm an MSP, I'm gonna try to absolve myself, right, Eric, as as much risk as I can before the customer pushes back. Yeah. I mean, I, I'd challenge you, I I'd challenge you on that a little bit, right? I mean, I, I think it is, I always advise my clients to come up with reasonable agreements, right?

Yes, you're gonna protect yourself from as much risk as makes sense, but if you try to protect yourself from all risks, you're not gonna do any business, right? No one's gonna sign that contract with you. So, you know, if you've got a a, a scale of one to 10, you know, with 10 being very favorable to you and one being very favorable to your, your client, maybe it's a six, maybe it's a seven, right? It certainly isn't the 10.

So yeah, I, I agree that maybe bad contracts is not the, the, the, the best term, but maybe unfavorable contracts. Now, mind you, I've seen bad vendor, I was about to say, yeah. The reality is the bad ones exist everywhere. And I've seen, exactly, and I've also seen vendors who, who tell the MSPs, oh, you don't have to sign anything, right? It's, we just don't have anything to sign. It just happened a couple weeks ago with a vendor who I guarantee everyone on this call has heard of.

And when my client asked them for their terms of service or their terms of use or their EULA, they said, we don't have one. Right now, it turns out when we dug a, when we peeled back the onion and dug deeper, they, they did have one. But to your point, Wes, the salesperson who they were talking to either wasn't trained well or was new or what have you, and said, oh, just we'll start billing you and just pay us and we'll deliver our service. So, okay, that brings up the question, then.

I think it's fair for a lot of MSPs to say, okay, I hear you Eric, but there's no way this x, y, Z vendor is going to let me negotiate. Um, what do you say back to that? I say I negotiate with the big guys all the time, right? There you go. I negotiate with ConnectWise, I negotiate with Microsoft, I negotiate with Cisco, and I have my entire career.

Um, the salespeople might say that, oh, we don't negotiate our contracts, or you can pick three things to negotiate in our contract, or, you know, you have to spend X dollars to negotiate our contract. Well, guess what? It's to your benefit that you're dealing with the sales person, right? Because now it's in the sales person's best interest to get a deal done with you. And if that means tweaking a few things in their terms of use or terms of service, then, then they will help facilitate that.

I do it all the time. Okay? So, and so there you have it, everyone listening today, if you think Microsoft or anyone smaller is not going to negotiate because they're big, massive Microsoft, there's your answer. You just heard Eric say, I negotiate with him all the time. And I think you're right. A lot of times the salespeople just wanna push a deal through. So they might just come on again, they, in their mind, they have your best interest what could possibly happen, right?

They're not coming at it from your angle of like, well, here and here and here and here and here. So I guess that brings up the next big question that comes to my mind is can you pick out some things that are egregiously bad that every MSP should just immediately have a hand signal be like, whoa, I need to go look for those things. Like what are some of like the hallmark bad things? Yeah, I've got a couple of favorites and, and probably my, my top favorite is about warranties, right?

And a warranty is the standard of care that the vendor has to deliver your services under, right? So how do they have to behave? What exactly do they have to provide to you and how do they have to provide it? And I see a, not a lot, but a, a fair number of vendors who say we don't offer a warranty on our services, period. They actually proactively, it's not that they're silent on it, right? They say, proactively, we do not offer a warranty.

And then you push back on that and you say, well, the only warranty that I'm really looking for is that your services will conform to the documentation that you have either on your website or in your marketing material. So if you tell me that your service does X, Y, and Z, just represent and warrant that your service actually does do X, y, and Z.

And I'll be happy about it, but I've come across a lot of vendors who will say that their service does X, Y, and Z, but they won't provide a warranty for it. And, and to me, that is a huge, huge red flag. And then a lot of times you do see a warranty that's pretty standard just around like, well, we'll just, you know, our warranty is limited to like 12 months of service and that cost, right? What about those kinds of things? Yeah.

So, so that, that, that's more of a limitation of liability than it is a warranty. And frankly, that's reasonable, right? Vendors should be able to limit their liability to their customers, just like MSPs limit their liability to their customers. But here's that example of where the MSP gets left holding the bag, right? We as MSPs have 20 or 30 or 50 different vendors, right? And we use a little piece of each one of those vendors to deliver our, our, our managed services to our customers.

So if, if some particular vendor is delivering a hundred dollars worth of services to me in any given month, and if their limitation of liability is the last 12 months of service, well, it's a $1,200 limitation of liability. But the risk to me as the MSP is that if that vendor who's just delivering a hundred dollars worth of services to me every month screws something up, makes a mistake, causes harm to my customer, well, now you look downstream.

So now maybe I promised my customer that I, that my liability is capped at 12 months as well, right? But maybe my liability, or maybe my, my contract is $3,000 a month, not a hundred dollars a month. So now I'm on the hook for $36,000 for what, a vendor who's charging me a hundred bucks a month and who has their liability at 12. And, and that's, that's what I mean by, by do your best to not get left holding the bag, and some of that, some of that stuff you can't contract around, right?

Without being unreasonable. So, so for some of it, and I hate to say it, there's a, there's an element of holding your nose and jumping. Um, but we do like to, to contract around that as best we possibly can. Okay? So that, that's my last question for you. And I I hope you expand on this.

When, when, and Gary and Phyllis chat as well around like, how does an MSP protect themselves in the event of, you know, that vendor has left them holding the bag of, you know, ransomware everywhere, those kinds of things, right?

I'd love to have you expound on that more, but I'm just gonna say, even just ask my last question, which is, what about when the, the, the legal team comes back from the, from the third party vendor and they just say, no, we're not gonna budge, we're no, what, what do you do in a situation like that? So if, if that's their final answer, right?

If you've gone back with them several times, and if, if you think, if I think I'm being reasonable in my negotiation with that vendor, um, then the MSP has two choices, right? They say, thank you very much, and they, they move on. They find another vendor who provides a similar service.

Um, or again, it's one of those holding their nose and jumping situations where you know the risk that you're assuming by dealing with that vendor, um, and you, you choose to accept it or you don't choose to accept it. Fortunately, it doesn't happen a lot, frankly. It really, really rarely happens, Wes, that, that a, a vendor will say no, or they'll push back on a really critical piece, um, of, of responsibility that they should be taking, and they haven't yet.

Um, it just doesn't happen a lot, right? As long as you get reasonable people on the phone, um, you can usually work something out. That's great. Um, Gary, I'm gonna flip over to you. To me, the big takeaway here that I've learned so far is make sure that you have qualified legal counsel answering these questions. And don't assume that they're not gonna answer back. Don't assume that they're not gonna be willing to negotiate what a great position to start with.

Yeah, I mean, I'm trying to think if I would have one customer that has this for all 40 of their vendors. I, I don't think I know one MSP, Eric. I, I don't, I really don't. I dunno one MSP like they're signing like these, I don't know, I I look at a SaaS vendor, that's one thing, but I'm looking at these, I'm thinking about so many people now have offshore relationships, outsource no services.

Like they have, uh, they're working with other, you know, outsource security to contact their customers. I would think that in those situations, this is like paramount, that's a 10 compared to maybe a SaaS vendor that's a seven. Or se is that, is that true? Yeah, no, no doubt. Anytime you're, especially, you're dealing with any kind of regulatory situation, uh, you know, where you're selling to the government, and I know Phyllis can talk about that till she's blue in the face.

But, um, you know, even in, in, you have to know what you've promised your customer, right? I'll give you an example. So healthcare, HIPAA, business associate agreements, right? I see in business associate agreements all the time that you can't offshore my data, right? Well, that's, that's made up, right? HIPAA and HITECH don't require all of your data to remain in the United States. They just don't. Right? Now, is it a risk that they're trying to protect against?

Maybe, but you have to know what you've promised to your customer. So if you've promised to your customer that, Hey, Mr. Customer, I'm not gonna offshore your data, then you damn well better get that, those same promises from your vendors. Yeah. I'm thinking just how, again, I'm trying to think through, like, we used to have, I don't know, maybe up until 2015 we had less than 10 like partners, software and partners.

Now we probably have 30 to 50 of them, and I'm still a, and I could maybe be the same size relatively, you know, MSP. So I'm trying to think about like, if you get a new client, where do you start with all that? Because I know they're not thinking about it. In fact, I know, listen, uh, you know, I'm involved with some and, and help some software startups, and I always ask 'em, Hey, how many of, how many times in the sales process are people pushing back on the agreement?

How many times in the sales process are they asking you security questions? Yeah. Very little, right? Yeah. That's the starting point. So if I came to you and I'm an MSP, where would I start? Like, it sounds overwhelming. It, it can be overwhelming, especially when, when you do have those 30, 40, 50, 60 different vendors. But, but you know, how do you eat an elephant? It's, it's one bite at a time, right? It's talk to your lawyer about reviewing these agreements.

And at the end of the day, regardless of the vendor and the specific product that the vendor is selling to you, the legal terms and conditions should be largely the same. Similar, at least maybe not the same. So, you know, if you're agreeing, if, if you're really having someone review all of your vendor contracts, and I do highly recommend that you do, um, if there's something out of the ordinary, right?

If you do have, like Wes said, that pesky vendor who just won't agree to something that's standard, you need to know about it, right? And otherwise, just know that you have negotiated relatively standard terms and conditions with all of your vendors. Therefore, when one of your customers has a peculiar requirement, um, ask the same lawyer, Hey, can we comply with this? Can my vendors comply with this? Um, and the answer should be yes. Yeah.

And, and that's, and that's where I think, so having someone who's looked over agreements in our space is really important. It's like I do some M&A stuff, and if I find out that the, uh, the party, you know, the selling party, first question we ask 'em is, are you using a lawyer that has done at least 15 M&A, yeah, transactions in the past? And if they say no, say get a new lawyer. Yeah. Because I know they're just gonna mark up the whole agreement with a bunch of dumb stuff. Yeah.

It's a standard agreement, just like the software agreement should be standards, and you're just probably looking for the same four to five things, right? Every time. Exactly. It's, it's, it, it generally is not recreating the wheel. And if you're dealing with a vendor that has, you know, a, a a little bit of common sense in their contract drafting, it should be a pretty quick process.

And, you know, from a a dollars and cents standpoint, um, you know, if you're onboarding a new vendor and your legal due diligence on this new vendor costs 500 bucks, I think it's well worth it. I know that can be a little bit seen as self-serving, uh, but, but, but don't forego that just because you don't wanna spend the money, have someone, having someone look at your agreements. It's not, it's not 10 hours worth of work, it's an hour of work.

Um, and, you know, two hours on the outside if there's extensive negotiations or a really, really bad document. Um, but it's just not a ton of legal due diligence to onboard that vendor. So I'm thinking as an MSP, I look at my vendor relationship, right? And I have, like, now I have contractual, I have risk, and part of it is contractual. We're talking about that. The other part of it is security. So, you know, and they're pretty close together, right?

'cause we also need to, that's part of the due diligence finding about like their security controls as well, correct? Yeah, absolutely. And then whenever I have a client give me a, a vendor contract to review, and, and again, it's not often enough that they do that, but whenever they do, the first question I always ask my clients is, is the vendor going to have access to your data or are they, and or are they gonna have access to your customer's data?

Um, because if they are, I have yet to find a vendor that has appropriate language in their contract that addresses data security, that addresses audit rights, that addresses what happens if there is some exfiltration of data or some security incident. Um, so, so that is probably the biggest risk point, um, when onboarding a new vendor, is if they have access to your data or your customers. Yeah, that's the second piece.

Maybe you can just focus on that your data or your, in some cases, your customer's data, Right? Yeah. It frankly, more often than not, it's your customer's data than than your data, right? So, so what do you wanna see in that contract? First things first is you wanna make sure that they've got appropriate technical, administrative and operational controls to protect the, the integrity and the security of that data. And you want them to contract for that.

You don't want 'em to say just, yeah, we're secure, we'll take care of it. That's not enough, right? You have to contract for that because I can promise you, if you have a well drafted MSA and statement of work to your customer, it's also gonna say that you as the MSP are going to have those same reasonable technological or technology, organizational, administrative controls to protect your customer's data. So again, you don't wanna get left holding the bag, so you pass that requirement onto your vendor.

You also want, again, it's, it's your choice as an MSP, I recommend that the vendor provides you audit rights. And that doesn't mean you have to show up to the vendor's site with the, you know, three guys and briefcases and, and all that. But maybe as part of your vendor management program, you're gonna send them a questionnaire once a year, right? To have them fill out.

Maybe you're gonna have them send you their, their SOC 2 Type 2, um, maybe who knows, you'll take a phone call from your, your CISO, you want some sort of audit rights to make sure that the vendor is actually doing that. And then the third piece of that is, in the event of a security incident, what happens, right? So as an MSP, oftentimes we're promising to our customers that once we know about a security incident, we'll notify them within a certain period of time.

Well, oftentimes the security incident is going to emanate not with you as the MSP, but with one of your vendors. So you've gotta make sure that the vendor is promising to the MSP that they are gonna notify you in the event of a security incident that may affect your or your customer's data. So those are the three big points to, uh, to, to pay attention to when you're talking about vendors who have access to data.

If you have a vendor that doesn't have access to your data, it makes the contract a lot simpler. Um, because then you're just worried about the, the, the service and term and termination or warranties and things like that. Yeah. Um, the data does add that, uh, that piece of complexity. Yeah. You know, I would, I wanted to mention something, uh, it's way up in the comments now, but I, I, I called it from, uh, Eric, uh, Woodard, and he was saying he probably has 60 vendors.

Like if you think about, you know, just the SaaS vendors that you have, some services, business services. I mean, if you really start thinking about the number of vendor relationships, I, I like, it becomes to the point where what we're talking about sounds like what I would call a great idea. We'll never do you, you know what I mean?

And it's almost like I think we're reaching the point, and I've been thinking about this, you know, I always try to get everybody to put all the things that they have to do to run the business in, into functions so that we can relate it to metrics and cost per seat. You know, security has changed the way we look at that. We've had to to, to model it.

But I'm wondering if we have to add in vendor management as a role, because, you know, if you're dealing with, um, if we have a thousand endpoints under management, if you go to a company that has a thousand employees, they've got one or two people in vendor management. Yeah. Like full time. Yeah. We have 0.0, Mr. Ky. Yeah. And, and, and look, there's, there's various forms and formats of vendor management, right?

When, when I was general counsel at Logus, and you know, at the time Logus was, you know, a thousand employees and a billion dollars in the US. We had a vendor management committee. And our vendor, our vendor management committee, I think consisted of seven or eight people, right? And we would get together monthly and we would review new vendors. We'd, we'd review vendors annually.

And, and we had this very in-depth process that, that we went through, um, to, to make sure that our vendors were going to adequately supply services to us. You don't have to do that though, right? You know, we did it because we could do it because we had built out the, all these functions across our organization, and we had the, the people, the expertise and frankly, the time to do it. You know, if you're a a 20 or 30 person MSP, you can still have a vendor management program.

You're probably gonna have one person who's in charge of it, right? And it doesn't have to be in depth and spreadsheets and, and all sorts of flow charts and things like that. But you can still have a vendor management committee and maybe a simple runbook that you have. This is what we do quarterly, monthly, annually, every time there's a change in status. Yeah, absolutely. And, and maybe, maybe your whole vendor management onboarding is having your lawyer look at the contract. Maybe that's it.

And then an issue spot and, and, and see what's going on. And then maybe have the technical person on the other end vet it from a technical perspective. Um, it doesn't have to be complex. Uh, but yes, I totally agree with you that it's becoming more important. Um, and, and vendor management groups are, or, or functions, um, are extremely important.

You know, there's another aspect that's not exactly related to this, um, that I was thinking about too, which is, you know, I know how little like this, it comes out in other ways. Like, I know how a how little of software most people use of each software for the same reason. They don't have anybody. They don't have anyone dedicated to their stack, you know, and you think about almost every vendor comes out with some minor update every month.

Like it's like that part is even like un unmanageable. And even like Wes, we talk about reviewing within that the, the proper setup for each customer, the security settings that drift over time. If like, there's more and more, like, this is a deep, this is a pretty deep topic, but I definitely think it's one that's going to continue to move in this direction.

And we're gonna have to some point attach a cost, you know, the overlaying this, not to mention the cost that I see where people put in a tool and they're not thinking about the labor that's associated with whatever is created from what they have to do for that tool. Exactly. So this is a big topic, Andrew. Yeah. Gary, would you use it in, in a sales, we as a sales wedge too, though, if you started to get your arms around it, right?

And you had a process for this, start to understand it, true or false part of the sales conversation and how they make money. Like who your biggest suppliers, you know, talk to, talk to me about how you look at them, how you evaluate them, what kind of contingency plans. And then you could use like Covid as a story. Like let's say you were an automaker. What would you do if chips didn't show up for the next two years? What would that do to your business?

So again, I don't know if a lot of MSPs are having that conversation, but would you, if you started to get your hands wrapped around this to a degree? Yeah. I mean, I would look at this as it evolves the same way I built my entire career on developing a proactive role that no one else has as the reason why they would invest more. I would put this in the same category. Let me ask you. Yeah. We're $5,000 a month and they're 3,800. Can I tell you why? Here's another role that we've added.

Like we have someone who just has to manage all these things that we need to do in this complex world for you. Here's all the things they need to do to make sure that we're maximizing it, keeping you secure. Anytime you can do that, and you can put a function into a role, it's really easy at a high level, Andrew, with a prospect to show them why, um, you know, to weaponize, you know, your competitors' low price, Right?

And this is a great, and this is a great example, and one that we're talking so much about tools and stacks and vendors and outsourcing and offshoring compared to even a year ago, like in our peer groups, that when, when we start to have that type of ongoing constant conversations, we need to address something. That's how it was with security three or four years ago. Well, if you think about it in, in a different way over just Phil, touch on Phyllis.

'cause she really, when we had Phil from Verizon on, she, she literally, you know, hit the hammer like now on the head at the end when she said for the same reason that the first year ever Verizon has no data that says enterprise versus small business, right? Phyllis, that since Covid, everything has so shifted to how we do business, right? And we've gotta also look at then what are those vendors?

'cause if, you know, we, we've completely, you know, say completely, but so much of how we've done business has changed. Fair. Yeah. I mean, you know, the data's all there that, uh, large enterprise and small mediums are facing the same threats. And, um, so, so what are we gonna do about it? Right? And, and this is one of them.

And not to plug controls, but that's why we added service provider management as a control because it's, it's all these third party service providers, whether you call them vendors or subcontractors, which we'll get into. Um, we need to be managing them, you know, it's Yeah. Just like outsourcing our IT, we're outsourcing our pay, our pay cards, and, you know, all that kind of stuff. Go ahead. Sorry, Gary. Yeah. No, go ahead, Phil.

I, I wanna pass it over to you, but I wanna make one last point. In the past, I feel like the kind of customers that we mainly dealt with, they didn't ask us as many questions. Well, we're moving upstream now. I'm at DA Ocon, I'm doing a whole thing on co-managed IT. I, we track it separately in our peer groups. I see it, you know, what's happening with it? Like SMBs now, they can't hire four or five extra people with expertise.

So almost every one of them is looking to us and they have vendor management. So they're going to be asking us. And, and we, so it's almost like we're almost required not just for our own business, but to do business with these new evolving more sophisticated customers they're gonna require from us. And I'm sure you see that Eric. Yeah. All, all, all the time. And, and it's only gonna get worse. It just is. I mean, I, I Go on Andrew. No, I better Or better, Better.

I mean It, You know, it, it, it, because of the, We stay the same, there's only three choices, Maybe all three Because of the macro economy, right? You know, the, the mid-market is being forced to get rid of more and more people. And you know, Eric, you're probably seeing it firsthand with some of your larger, or I shouldn't say your MSPs across the board, the kind of deals they're winning, right? They're bigger and bigger and bigger. No. And, and, and more sophisticated.

And more sophisticated, right? And, and, you know, regulation it that the, the world is not becoming less regulated. It's becoming more regulated. So, so the, the regulation is starting to, to move down to almost everybody. Um, I, I don't care what it is. You're, you're selling what, what services, what products, whatever you're, it's, it's going to be regulated.

And, uh, you know, I had this conversation with a client of mine this morning, you know, where they were genuinely concerned because one of their smaller clients, um, is in a regulated industry and they aren't compliant with those regulations. And they called me this morning and said, what do we do? Right? And how do we handle it when, you know, we've got this client who's just saying no to things that they should not be saying no to. Right?

And last thing I'll say, Eric, you know, someone, you know few people that are making comments in, in chat. Like, I know for certain Gar, you know, 10, even five years ago, if I said, Hey, Gar, you know, you know of any MSPs closing, you know, 30, $40,000 a month deals you, and I'd be like, yeah, sure. No, not unless you're horrible deals to put 'em out of business later. It it, fair, fair, right? But those are starting to become regular, regular.

And with that 20 to 50 to $60,000 a month deals, uh, in co-managed IT are way more common, right? And so to your point, Eric, with that, now all of a sudden comes this new complexity of, hey, it's just, it's not just, hey, this is the IT function you're gonna play with us. Correct? Correct. And the liability gets greater, right?

Even if you've got solid limitations of liability provisions in your contracts, um, the liability just gets bigger because great sense, six times $10,000 a month is a lot smaller than six times 30,000 a month. So y you know, and, and it all ties into insurance and, and contracting and everything else. Got it. Alright, Ms. Phyllis, you're on the clock. Yeah, no, I'm just listening. It's so informative. It's great. And like all these things are going through my mind, but I'm gonna stay on script.

So, you know, in the beginning we talked about, and we just talked about, you know, supply chain, a lot of this will, you know, we can lump into supply chain. So the other part of the mat of, you know, not just vendors, but subcontractors. And so, um, how important are subcontractor agreements and why? Uh, so super important, right? And, you know, a a a vendor and a subcontractor are extraordinarily similar, at least from a legal perspective, right?

One's providing a product to you, maybe another one's providing a service to you. Um, but the thing that most MSPs, most, most companies in the world don't realize is that when you bring on a subcontractor, or as some people mistakenly call it a 1099 employee, um, they're, they're a subcontractor. They're not an employee, but the law treats them the same as your employee, right?

As an MSP, if you bring in a subcontractor, you are responsible for the acts and omissions of that subcontractor to the same extent as if they were the acts or omissions of your employees. There is zero legal distinction between, of, between liability of a subcontractor versus your own employee. So what does that mean?

Well, that means that if you're hiring subcontractors to perform functions that employees might otherwise perform, then you need a solid contract in place for a whole host of reasons, whether it's liability or data security or, you know, having a BAA flow down or, or intellectual property issues. You have to make sure that, again, you are not left holding the bag as the p because your subcontractor has promised you something less than what you've promised to your customer.

If you're not doing that, if you're not going through that process with your subcontractors, just like you are with your vendors, then you're crazy. So when it comes to hiring subcontractors, um, what do you see in your experience, what have you seen gone wrong and can you share with us a couple stories? Yeah, I mean, you always see things go wrong with subcontractors. You know, you think back to the very early days of data breaches, right?

The, the high profile Home Depots and Anthems and, and those types of breaches, you know, they're all caused by subcontractors and, and, you know, and it flows down even to today. Um, you know, last week I had a, a client call me in, they said one of their customers had a business email compromise. And as it turns out, that business email compromise was caused by a subcontractor who happened to have an email address of the company of their, their, their contract.

And, and they were phished and they gave up the credentials and really, really bad things happened. But, but then it gets you thinking about liability, right? And the, as I said, you're just as liable for your subcontractors as you are your own employees. So my MSP, my client's customer is liable for the acts of that subcontractor just as if it was the acts of their own employee.

But then you, you take it a level deeper and you say, all right, well, does the MSP have liability here in a business email compromise? Because maybe the, the MSP has promised contractually that they're going to provide security awareness training, right? Well, does the security awareness training flow down to the subcontractors of their customer? Anyone who has an email address of their customer or not? Right?

And if it does, how do you as an MSP, make sure that you're gathering all the subcontractors together for this security awareness training and not just the employees. So subcontractors can cause a lot of harm. Um, and, and, and by the way, in that example, there was some question about insurance, right? And does the cyber insurance cover the acts of the subcontractor to the same extent that they cover the acts of the employee? Right.

And Wesley West shaking his head, I can't tell if it's up and down or left and right. Um, but, but there's a lot of issues that mostly, no. Yeah. I mean, listen, I'm a former government, right? I mean, you know, the Chinese didn't get, I always point to this example, the plans of the joint strike fighter, they didn't get them from Boeing. Exactly.

And it's always like that small mom, we always point to the, we always pick on the poor, small and mom pop shop that needed all the plans so they could make the widget. Right, exactly. And so, you know, it's, it's also what security controls does your contractor have in place, even if they all Absolutely. Even if they all, even if they are small. Yeah. And additionally, it's also, I I, you know, that misplaced trust, right? Yeah. So what access do they have back to your network and how is Yeah.

And then, and then you, you think about issues like insurance, right? And, and I, and I hear my clients say this all the time, it drives me crazy. Oh, they're just a one man shop and they don't have liability insurance and cyber liability insurance and everything else. And I say to them, okay, but you need to make sure that your insurance will cover their acts and omissions, right? And if it doesn't, then you're, you're taking on all of that risk. Yeah. Andrew, did you wanna say something?

Yeah, I was just gonna say, Eric, you from a, I don't mean to take this into like specifically a technical answer, but just want to ask this question. If you're an MSP today, Eric, you got your MSP and you're gonna go to the subcontractor, this case for probably, and this is the only way you can do it. You need subcontractors to do X, Y, and Z.

Is this a place where you're gonna have a very high level access control, um, platform where you, you know, it's locked down to the MAC address and, you know, there's so many checks and balances that, you know, it's that person's computer that no one else is, you know, they could be part of something, you know, I mean, to me that we've gotten to the point in time where I'm issuing you this laptop, I know the MAC address, I know the, you know, all the different security controls identity on that, and that's the only thing that's coming in and only getting access to this particular data and system, and that's the end of it.

So Yeah. Thought on That. Yeah, I totally agree. But, but then one misstep can derail that entire process, right? And, and in the example that I just gave of what if you give that contractor your email address or email address from your company, right? You can lock it down as much as you want, but phishing still happens. Mistakes still happen, right? And, and then you're left holding the bag. Yeah. Totally get it.

And, and maybe, you know, as an example, again, you're going to have a different way in email as Don and I'll put them on. You're don't, but I'm just saying you Yeah. And Tim, yes, that is exactly what I'm describing. But I, I think we, if you are going to subcontract, you've gotta be thinking to that level of control. Um, yeah. Who's coming into your and, and accessing your stuff No different than when you're hiring a vendor and you might be sending data to that vendor, right?

Making sure that the appropriate controls are in place to safeguard that data. Absolutely. Yeah. I mean, these are all good points. Think about Colonial Pipeline. Didn't that start just, you know, third party contractor coming in for something unrelated? Yep. Right? Yeah. Every single time. It's, it always happens like that. I think it was a misconfigured VPN, right? Wes? Yeah. That that's, yeah. Colonial, was that? Yes. Okay.

Um, tar Target was, um, it was that though Phyllis Target was a, a contractor, um, for billing. Yeah. And I, I thought, I thought that one was, uh, heater and AC, Target. Yes. HVAC. Oh, yeah, that's what I was thinking about. The Okay. That Target though, who is Wendy's? What, who's Wendy's? Yeah. Right, exactly. So Eric, similar to, we just talked about vendors.

What's your recommendation if something goes wrong, um, you know, with a subcontractor agreement, are there some best practices that, um, you would recommend? Yeah. Well, first of all, make sure you have an agreement that's, that's first and foremost, right? Right. Not just the contract for services from them. Exactly. And, and, and again, it goes back to making sure that you're not promising your customers more than your subcontractor is promising to you.

Um, making sure that you have appropriate warranties in place, right? Every MSP that I know who has an MSA with their customers has a warranty in place between them and their customer. Well, if you're gonna have a subcontractor perform services for you on, for your customer on your behalf, then you've gotta make sure you have the same or a stronger warranty provision. The, one of the big things is making sure that you as the MSP, own all of the product of your subcontractor's work, right?

If the, the default amongst many subcontractor agreements that I see is the opposite, is that the subcontractor continues to own the product of all the work that they're performing for you or for your customer. Well, again, that's contrary to most MSP agreements. So you've gotta make sure that, that, that, that the flow of everything works.

Um, making sure in a healthcare setting, right, if you have a BAA in place with your customer, make sure that if you hire a subcontractor to perform work for that entity, you have something similar to a BAA in place with that subcontractor to make sure they adequately perform their obligations as it relates to PHI. Because I guarantee you that the, the, the, the BAA you signed with your customer says that if you hire subcontractors, make sure that they've signed something similar.

So there's, there, there's a dozen different points that you want in those subcontractor agreements, but it, but it's all to the same point, right? And the point is, make sure that you're getting from them everything that you're promising to your customer. Yeah, that's really good advice.

Um, and the more you talk the murkier it gets, but the more important you realize how, you know, how important it is to get these, um, It is, and just, just a data point is, as much as I harp on the fact that, that a lot of MSPs don't have anyone review their contracts with their vendors, I'll go out on a limb here, but I'd say most MSPs that, that I've come across don't have any agreements in place with their subcontractors. Right.

Um, and that's, as we discussed a little bit, uh, a little bit dangerous. Yeah. I mean, it's a big deal. The US government's gone out of its way to talk about supply chain, and really a lot of it is involving, I mean, subs, right? Because that's where so many compromises have happened. Yep. Um, throughout the years, um, with, with the US government. So, um, you know, close us out, Eric, we talked about, um, AI in the beginning. Um, you know, Andrew mentioned it.

So what do you see as far as, um, large language models and AI and, um, how is that gonna affect MSPs when it comes to data handling with vendors, um, and with subcontractors? It's not just hype, Gary, I swear. So the, here's the issue, right? Data is king, right? And your vendors wanna get ahold of your data, and they wanna use that data in ways that benefits them. They just do. That's the nature of it.

But that's why it's important in your agreements with your vendor, that you're very specific about what they can and what they cannot do with your data, right? You wanna make sure that you, that you say in there that, that they can only use your data for purposes of delivering services to you. Right? Now, the other side of the coin is the vendors are gonna wanna, wanna be able to aggregate data, right?

Take, take data from all of their customers, put it in one big pot so they can analyze it, right? Mm-Hmm. And when they do that, you've gotta make sure that it's de-identified that it's anonymized and that no one can tell if they do lump your data in with everyone else's, that it's your data.

And if that's the case, provided that it doesn't contain any of your own confidential information, then, and only then would I be okay with a vendor using what used to be your data only if it's aggregated, de-identified and anonymized. Um, is is when in my mind that would be, okay, What, what is an MSP's obligation then to inform, let's say, a client, right? So when I go to a service provider, my expectation is I'll be like, no, you can't share my data. No, you can't do this.

No, you can't do this. Right? Right. I I don't care if it's anonymized or not. Right? And, and, and so, you know, you're talking from the MSP to the vendor, but then you know, you are responsible for all these clients. Yeah. And, and it's important. So in, in, in almost every vendor agreement, there's a requirement for the MSP to pass through or to pass down to their customer an end user license agreement, right? Mm-Hmm. Usually it's something that's online.

Usually it's just a hyperlink to, to some canned agreement. But that's really, really important. And not enough MSPs actually do that. They're all legally required to do it, but very, very few of them do. And I know that they don't do it because whenever I'm rewriting someone's statement of work, someone's managed services statement of work, I ask them and I say, all right, who are your vendors and where are the EULAs that you're required to pass down?

And I, 99 times outta a hundred, I get met with a blank stare. Uh, because they, number one, never read the agreement if they even sign the agreement or click through it, but they just don't even know where to start. And it's a daunting task, especially when you've got 30, 40, 50, 60 different vendors, right? So make sure again, that you're passing that down, um, to your customers because you're legally required to do it. Interesting.

Eric, you mentioned, you know, Microsoft earlier, and I'm just curious where Microsoft, you know, the contract, you know, I, I believe, and don't hold me to this, maybe just keep me honest here. They have the agreement with 6,000 interruption, the agreement, the agreement, 6,000 members. Oh, nice. They have the agreement with the, um, you know, end customer. He doesn't see, he less, and, and so, but the MSP's ma quote unquote managing it, is that murky sometimes because It's a great question.

'cause it's from, I use ConnectWise's Automate to deliver my service and that correct agreements with me. And so can you help with that? Yeah. And that, that's a great distinction to draw, right? Because if you're using a vendor and they are delivering services to you for you to bundle into your managed services to deliver to your customers, that's one thing.

If instead you are reselling, for example, 365 to your customers, then that's another thing in a resale situation where it's not a, you're not being a service provider, you're just reselling it, then the deal between the customer and the OEM and you're out of it. At least that's what your contract with your customer should say, right?

Anytime you're in a resale situation, you, you're just passing through, um, any warranty, any, any terms and conditions, any, anything, then you should never have liability there. Now, if instead you're taking those services, you're bundling them with other services and delivering everything as a service, that's where you have liability, and that's where it's important that you pass down the EULA to the end customer. Hmm. Okay. Very good. Um, there was one, one question.

Um, and, and I'm not sure exactly what Todd's asking you here, but he says, if marketing says they do X, Y, and Z, is that an, an implied warranty for those things? Regardless of the contract? Depends what the contract says, right? If the contract says that they will, that the services will conform with the documentation, then you have to make sure that the documentation is well-defined to include those marketing messages that they might have.

Um, and if the, the contract says that there are no warranties, um, then odds are there's not gonna be a warranty typically. And, and again, it's kind of a possible 101 lesson we hear about implied warranties of fitness, particular purpose, merchantability, non-infringement, things like that. Typically that's only for products. It's not for services. Uh, the UCC governs the sale of products, it doesn't govern the sale of services.

So there wouldn't necessarily be an implied warranty there, but it's really important to make sure that there is a warranty that is going to comply with the documentation and that the definition of the documentation is broad enough to include those market messages. Question correctly. Yeah. Awesome. Gary, few minutes left here. Um, any closing comments, thoughts? How's your fantasy league going week one? Good. I'm, uh, winning two games and I have one player left on Monday night in my 13.

Oh, okay. Uh, so, so far so good. But I, I'm really good, Eric. Thank you. And I'm really glad this topic and it, we kind of expanded it a little bit, right? At the core of it, we're here because of security, right? Like that's the main driver, why we look differently at this. 'cause that's so much, you know, of our risk. But, um, I, I feel like every week something comes up and I think that same thought, well, that sounds expensive, right?

And, you know, we, we, we really have to have command right now and this opportunity for these, you know, all this co-managed stuff. Not only do you need security maturity today, we learned you have to have business maturity to get there or don't take those deals. Don't go up market until you have both the business as well as, you know, service delivery and, and security. Um, maturity. It won't end well otherwise, What's That? It will not end well otherwise it Will not, it will not end well.

And I see it. I see when it doesn't end well. Yeah, Me too. Alright, Wes closing thoughts from you my friend? Yeah, I just wanna come back to the beginning of this. You know, I've been saying this and many others have been saying this, where MSPs are gonna be in five years is radically different than where they were, um, five years before this. And so, you know, we're already seeing MSPs get into things like digital transformation through like APIs, through RPA, things like that.

It, we're going to see them get into handling third party risk management for their own clients who are required to do it and don't know how, like the, the age of MSP is really changing. And this is a great example of like, I really think we're going to see more and more of this and we are going to see MSPs finding really some new revenue streams in working through this. But again, you gotta start, what do we always say? Eat your own tacos.

So if you don't have a good handle on this yourself, you're never gonna be able to handle this well with your own clients, right? So, so get started on this now for your own benefit. Um, and uh, you will see I think revenue benefit out of this in the future too. Yeah. Phyllis, we're gonna see you. Um, by the way, this is, uh, a shameless plug. I'm gonna do it anyway, but I can't wait to see you.

If you guys wanna understand a little bit about the CIS benchmarks, Phyllis is gonna show up on the SaaS Alerts community call Thursday at 1:30. So, um, you can I guess DM somebody over at SaaS Alerts on how to get that. Um, uh, but, uh, Phyllis closing thoughts from you. This is great to have you, uh, your perspective on this as always.

No, I mean, this is a great topic and you know, um, and I, and as I said earlier, you know, the US government is following this closely and putting out regulations around supply chain, supply chain security, all of this.

And I always think like once the US government gets involved, then, you know, it's, we, we've all got to step up our game because it's not like the government's always on the forefront of, um, you know, issues or like, you know, when, when these attacks are occurring, we've reached that tipping point where we all need to pay attention. Oh, awesome. Andrew, this Thursday I'll be on the SaaS Alerts community call. You are awesome, you and Phyllis. Fantastic. Wes, Eric, why don't you come as well.

I know, I'm like, we're just missing a couple. I mean, with the Nick, We'll just go rate it with cyber call. I love It. Cyber call part two. Awesome, everybody have a fantastic week. We'll look forward to seeing you next Monday. Thanks Everyone.
