Right of Boom
January 30, 2025

What MSPs need to understand about breach attorneys.

In this video, Gary and Spencer discuss the importance of breach attorneys and their role in cybersecurity incidents. They explore common missteps MSPs make during incidents and emphasize the significance of having a well-prepared incident response plan. The conversation highlights the critical need for MSPs to engage with specialized cyber insurance brokers to ensure sustained coverage.

- The importance of having a strong relationship with clients is crucial during and after a cyber incident, as it can significantly impact the response and recovery process.
- MSPs should prepare for cyber incidents by having comprehensive incident response plans, engaging with breach attorneys, and conducting regular tabletop exercises to ensure readiness.
- Vendor due diligence and risk management should be an ongoing process to mitigate vulnerabilities, especially given the increasing scrutiny on MSPs from insurance carriers.

Guests

Andrew Morgan

Video Transcript

Hey everybody. Welcome to episode 72. Um, I dunno whose that is, but maybe I said 72 too loud. Gary, we are, um, five away from 4,000 in the, uh, cyber call community. Can we get a, gonna say, can we get a ha for that there? Yeah, absolutely. Hey, we, we better be At, we better be at 4,000 by the end of this call. I am. I need you guys today. Five, just five people. Go like, invite somebody. Get your mom on. It. Doesn't matter Anybody, kids pull 'em outta school. Yeah.

You know, whatever we need to do. Um, so, uh, man, we, I am really excited about today. Um, we've got two fantastic guests. Ryan Weeks will be joining us in a few minutes as well. Um, so, you know, as I set the stage here, uh, first off, there's some, uh, poll questions. If you guys could answer those, um, and that would be greatly appreciated. Gary, I have really no announcements today. Uh, awesome. So this will only be a 30 minute call to give everybody a half hour of their life back.

Exactly. But today we do. Um, but this today is the first day of, uh, John Stan's training. Thank you Wes and Gary for sponsoring As yeah. Bunch, bunch of our customers we gave out, you know, we sponsored some people. And then beyond that, a bunch of, uh, my members and my peer members are participating. Well, I, I'm gonna give a special shout out right now. Hunter sponsored over 120 this session alone, which was incredible.

Um, I anticipate this session, which is the intro to security and, and MITRE ATT&CK, probably somewhere around 400 MSPs will participate in this, which is just awesome that we're doing that Good stuff, man. Yeah. Okay. So, um, let me start right, right into the intros. And as I do that, Gary, um, and Wes, you know, we have talked a lot week after week after week about the widening gap.

Gary, you talk about this all the time, uh, between the MSPs who, uh, started down the security journey first, what we're charging, et cetera, et cetera. What's gonna come out today? I'm not sure. Yeah. 'cause like Spencer's getting a little feedback there. Um, what we're gonna find out today in, we're hearing this left and right and center insurance carriers putting their MSPs on notice. We're no longer gonna write your, your insurance.

And the reason I wanna just kind of put that out as a note here, one of the things that Spencer, a leading breach attorney that we're gonna hear a lot from today is gonna point out is that just because you're getting that notice doesn't mean you won't be able to get coverage. And what we're gonna really focus in on is what are the differences in the MSPs who will get coverage versus those who won't? And it a little hint. We've talked about it a lot on the cyber call so far.

So in setting the stage, that's where we're going. Um, Spencer, let me start with you. If you could give an intro, uh, and a little background, uh, on yourself. Yeah. Well, we'll start while you figure out what's going on there, Robert, He sounds like maybe he has two speakers or something on. It's, it's Looping. Something going on there. Yeah. Yeah. Yeah. So, um, Robert, Robert Chaffey, thank you so much. Progressive Computing. Did I get it right? Yep. Okay. Totally. Awesome. Out New York.

Robert, thanks so much for joining us. Tell us a little about yourself, your company, and I'll let you tell, you know, I think a, a good reason in your words why you're here with Us. Uh, well, that will take a, probably at least an hour to explain the reason, but, uh, I'll try to, uh, make it short. I'm Robert cfi. I'm one of the two co-founders of Progressive Computing, an MSP based outta Yonkers, New York, just in the shadow of Manhattan. And, uh, we've been an MSP for about 28 years.

Uh, not all 28 years, but in the IT business for 28 years. Uh, and Evolve member for a long time. Um, an evolved facilitator. Um, and the reason I'm here, or I think I was invited, was because we were one of the 50 some odd, um, MSPs affected by the Kaseya, what we call the, uh, July 2K. Uh, 'cause it was on July 2nd, and K meaning Kaseya, July 2K, uh, attack that took place. We had 2,500 endpoints, ransomware. That's 100% penetration. Wow. Wow.

So I'm here, uh, to, uh, beg for mercy and alms and I'm gonna send you my email address so you can all send me money. No, I'm here to share our story as best as I can, um, with the hopes and expectations that others can learn what we went through and, you know, maybe adjust their plans. Or at worst, I make a couple new friends today. Well, I think you make more than a couple new friends.

Um, you know, anybody that can come out the other side of this and still, you know, be going it, it's just that our, our man, uh, hats off to you, man. 'cause that, that, that takes some intestinal fortitude of some kind. Gary, did you wanna say something? Yeah. Uh, and unfortunately, uh, Robert, I've had this conversation not just with, from the Kaseya breach, which one of our peer members was also, uh, in that club, uh, with you.

Um, I think they had the most endpoints, um, uh, that were compromised. So I can speak to that a little bit. At least the part I'm at liberty to. Um, but also through the years I've had this conversation, probably with more than a half a dozen other MSPs through different, you know, different iterations of it. So some, I think the topic we're gonna talk about today is super important, Andrew.

And I'll share what the role of a breach attorney had in the feedback I got from our, when I debriefed, uh, you know, our, our our peer member that was involved. Got it. So, um, it's always great to have two of you, Spencer, but do we have one of you from a voice perspective? There We go. I think, I think I figured it out. And the second I figured it out, my computer shut off. But I think I have a lot of qualified people on this call who can maybe help afterwards.

So, Spencer, why don't you, uh, thanks for joining us to share a little bit about yourself, your background, and we'll get right on into it here. Yeah. And thanks for having me. Uh, so my name is Spencer P*****k. I'm a partner at a law firm in Baltimore called Whiteford Taylor and Preston, uh, I'm in the cybersecurity IP tech group. I lead the breach response side and, uh, also do a lot of the pre breach work.

Um, I've been on the news a bunch speaking about this 'cause I know everyone on this call can commiserate. It's a, what's a, an endemic probably 'cause I don't think it's gonna end, unfortunately. Um, I have a podcast. I'm happy that Andrew will be joining the podcast later this week called The Cyber Law Revolution. Please don't give me bad ratings, uh, trying to get to that second career of podcasting, so I don't have to work anymore. But we'll see when that happens.

So You, you might want to have Ryan on then instead of me. I'll take whoever wants to come on. Looking forward to it. All right, Gary. Uh, let, let's, uh, kick it off here, my Friend. Yeah, Spencer. Uh, thank you for, for being here. Can you just, let's start with the basics for, uh, assume we make no assumptions about what our audience, you know, may, may know. So we want to level set. Can you just tell us about what a breach attorney does? Give us the basic definition.

Yeah, that, that's a really good question. Uh, 'cause not many people really understand or know about the breach Counsel and their role when a breach occurs. I would say primarily, you know, to start, we're almost the quarterback. Um, we wanna make sure all the proper parties are involved. We wanna make sure everybody's kind of paddling in the same direction. We want everything cloaked under attorney work product. So, just a nerdy quick primer about that.

Obviously all conversations with an attorney and a client are gonna be privileged. But when an attorney hires someone on that client's behalf, so like an expert, um, after a breach, it would be, you know, maybe pr, the MSSP, the IR firm that comes in, they basically become their agent. And if it's done in the anticipation of litigation and at their behest, it's all gonna be protected. Um, there are caveats obviously out there 'cause there's always caveats.

But we make sure that, you know, those things are moving forward. Um, different breach coaches have different styles. I stay out of the tech and security lane as much as I can because I'm not tech or security. I'm just the legal compliance kind of crisis comms. Um, but then when we get the forensics back, we help people stay in compliance. You know, there are no, there's not one federal law.

Obviously if you're in medical or if you're in finance, you're gonna have, uh, a little bit, you'll have, you know, the GLB or HIPAA, but if not, you're gonna be dictated by state law. So we help you kind of navigate this complex web of, uh, laws that apply. So why should an MSP care about what a breach attorney does? Another great question. Um, I've got a lot of experience working with various MSPs, both as a client and on the other side.

And I say on the other side, 'cause it's kind of unfortunate, you know, there's some really good MSPs that my clients have had that have been very much team members of the client and me when I come in. Um, but MSPs should really care because when a breach happens, you really want this to be team centric. You really want to be working closely with a breach attorney because one, you don't want to have the liability that comes with a breach.

Two, the client's gonna be a lot happier when everybody's working together. Um, three, the MSPs that get in the most trouble are the ones that get into fights with their client during a breach. Because, I mean, everyone on here knows when a breach happens, a cyber incident, everybody's running around. Um, and I've found that MSPs that are able to kind of look at a breach attorney, look, there's some attorneys out there that are jerks.

I don't deny know, but I can guarantee if you get a call from me, I'm, well, I'm not a jerk. So hopefully people don't think I'm too much of a jerk. But understanding that, you know, nobody's trying to get you in trouble to start. Right. They're not, the ones that get in trouble are the ones that are just obstructionists. Right. I've had cases where an MSP, they wouldn't give my client admin credentials 'cause they're like, we know they're gonna terminate the contract.

And I was like, well, you still have to give admin credentials and literally went on for three weeks. And so working in tandem, um, understanding an IR firm is not coming in to replace you. They're not, um, just like when I talked to General Counsel, we're not coming in to replace anybody. We need it to be a big team effort because, you know, we don't have weeks to prepare anymore. It's like now the war is at our doorstep. Yeah.

Gary, I like to say, Hey, I'm not a jerk, but I can be a little jerky. That's Right. Exactly. Gary, Jennifer Asked a great question. I wonder if I could just pose this real quick to Spencer. Yeah. She said, um, do, who do you call first your insurance, you know, carrier broker that, hey, the, you know, we had an incident or do we call, should they reach out to you, Spencer, what, what are your thoughts? Because I know we're gonna get into pre-boom as we call it.

Like, should we be working with a breach attorney? What are your thoughts? Let's just say they haven't Mm-Hmm. Worked with you and, and kind of gotten their house in order. So beyond the self-serving aspect, you want to call me or MSSP and then the MSSP needs to get me involved immediately. Doesn't have to be me. Right? But you want somebody, you need a cyber counsel involved. Now the argument can be made, well, let's tell our cyber insurance first.

And I agree, you wanna get your cyber insurance involved. The problem is you might make a claim and then it might be four days before it gets back. So I always encourage clients to have someone like me and someone like say a Chris Lair almost on retainer, it doesn't even have to be on retainer, but baked into either their insurance policy and their incident response plan.

Because if you can imagine, once again, it's nice talking to people who understand this, when it happens, you don't have four days, right? You've gotta make decisions very quickly. Um, and if it's not protected by work product, that's a problem. And if you don't have the right security experts in, that's also a problem. So I always say, call me first. Call Chris layer first, or somebody similar on both sides, but then make sure they both then get together.

Um, and then also almost simultaneously put your insurer on notice. 'cause obviously they've got a qualified panel. Um, I'm on a couple of those panels. They, there's a lot of great attorneys out there, but I look at it as speed very quickly on this. Yep. So your point, Gary, just real quick to last thing, sorry to, but Jennifer brought up like, hey, the approved list thing, just like you said, Spencer, like mm-Hmm.

Are you sitting there and saying, Hey look as an MSP, even if hypothetically I had to eat a few grand to get this thing going versus waiting four days, you're up to, you know, I know it's easy for us to every spend everybody's money, but four days versus, and I'd, let me, Robert, maybe your perspective on this too, if, if you could chime in on this, but, uh, how about you first Spencer and then Robert? You, I think what, so it's a really good point, right?

'cause you do have those approved panels and you're gonna get carriers out there that are just, uh, not, I understand why they want trusted, vetted partners on the MSSP and the, I want MSP and the attorney side because there's a lot of people out there claiming, um, and it's pretty easy to vet someone like me if I'm not on a panel or another cyber counsel who maybe's not on say like an AIG or Chubb or whatnot.

Um, but to kind of get around that, to start, if clients are getting counsel and an MSSP written into policies, it makes your life so much easier. Right? Then you instantly streamline things. They're already approved. If they're not approved. What I say to people is, look, put 'em on notice. Retain us, retain x, retain y, start with them. And then if you wanna shift to that panel counsel, do it. And that's fine. And I mean, that's happened once or twice. 'cause I understand it's awesome. Right?

And sometimes if an insurance carrier is not gonna pay, then, you know, when I hear the name of the firm, there's a couple of really good firms up there too. I'm not, I'm not shy to say that. I'm like, no, you, you're gonna be in good hands with them. I understand you don't wanna pay my legal tabs. So, you know, maybe I stay on the curse like the periphery with them. Sure. Robert, And then back Paragraph to you. Yeah.

So I, I mean, OB obviously, uh, Spencer's got a lot more experience than I do. And I can only speak from the point of view of what happened with us. But, um, and, and not to contradict anything that Spencer said, but my experience was that I floundered for about 90 minutes, unsure of what to do. Made lots of phone calls to people, ended up actually even speaking to an attorney, uh, who came, uh, through a recommendation of a friend.

Uh, and that attorney said, you really gotta talk to your insurance carrier because I may not be on their approved panel. Um, and so long story short, once I activated that call to our insurance carrier, it was, you know, it was all downhill from there. Meaning it was, well, I shouldn't say smooth sailing, but at least that part of it was right. Um, a smoother sail. I felt like I was finally on the right track. They had assigned a, uh, you know, breach coach, uh, a legal team.

I shared, uh, their name with Spencer before the call. He knew who they were. Um, I think he, uh, would give them a thumbs up. I certainly would give them two thumbs up. Um, I mean, I can go on from there, but my advice, uh, to anyone listening would be, call your insurance first. So again, you know, couch that in the perspective of one MSP in one particular incident.

So here, here's my, my, what I would say about this is maybe the best ways to step back and say, and Spencer alluded to it, Ryan's alluding to it Yeah. In chat. This is a conversation with your insurance company and interview with whoever you're gonna use. You'll talk to their approved people if you don't like them, find someone else and try to get 'em approved. But it all has to happen ahead of time. Mm-Hmm. Like, it can't happen right of boom. Right.

I think that's the most important thing here. And I, I have a question for Spencer, but what have we said, Talk tabletops and prepare ahead of time, have we Not? Yeah, absolutely. And I, and listen, and, and you're hearing similar things from Robert, but I'll share like, some direct feedback from, again, like, I think what was the largest MSP, at least one of the largest MSPs that got breached. They, they had done this and they had, uh, an approved breach attorney.

And the feedback I got was, it was the most, it was that making that decision. And they did it, by the way. Mm-Hmm. Because they come to the cyber call stuff and had been to our events that made them do it. Had this happened eight months before, it would've been completely different. But because they had that in place, it just felt like from the very beginning that he wasn't really backwards. He was like making, and most importantly, wasn't gonna do something.

Not just what you do, but what, you know, what you don't do, but also what you do that might not be the right thing. Right. In terms of evidence and all the things we talk about. So that kind of leads to my next question, um, which is, what are some of Spencer, the common missteps that MSPs make in their reaction to an incident? What are some of the most common mistakes? Um, I would say the first one is, and it goes to what you was just talking about, right? The beforehand.

So the first mistake's already happened where you don't have a process and a plan baked in. When I say a process and plan, I don't mean you just have something printed out from the NIST or ISO 27001 or from the FTC. 'cause I can't, I mean, I can't tell you how many plans I've seen. It's like 20 pages. And I like, oh, I've got it from X. Right? But one, I I don't, you are, if you have something on paper and you're not following it, that's a real big problem.

But if you don't have anything on paper, um, and you haven't actually tried it out and practiced it, everyone on this call can attest anybody that's been an incident, you don't have months. This is not litigation right at the start. I look at it. 'cause I used to be a trial attorney for trials. I had a year to prepare. I did discovery, I would send questions, depositions. And then when I got there, I had two weeks to get ready for that trial.

This, and then I had time to get ready for the storm, right? The trial storm, this is literally when I get to a client, if they're not ready, it's so chaotic and you get it. It's stressful, it's emotional. And so an MSP that is already there, right? And has really gotten to that point and understands, here are my thresholds, here are my pain points. Here's who I'm gonna call, here's exactly what I'm gonna do, always better.

Um, the second part is not understanding beforehand and during the downstream impact. Um, I mean, you all are so important. You're so important in everyday lives and everyday business lives and the downstream impact that could potentially happen, unfortunately. Right? And that can come back. Um, but honestly, at that point, it's them recognizing it, but not having a good relationship with your clients.

Um, if you have a good relationship, I mean, I, I, there's a statistic out there that the amount of malpractice lawsuits against doctors occur primarily because the doctor didn't go talk to the person, didn't have a conversation afterwards, doesn't have that relationship. Um, so it's almost neglecting that relationship portion, right? To counteract the emotional side.

Um, when I had an MSP in a cyber incident, the first thing I had him do, which is very unusual for me, usually I don't want anybody talking to anybody, um, was all his clients. That was a smaller shop. He had like 15. He doesn't have a hundred, 300 call. All his clients say, Hey, this is what's going on, but you're okay, right? Everything's fine. Um, sorry. Everything's fine. And the reaction from them is always so much more positive than the other side.

Now granted, look, you've got a thousand clients. It all makes it a lot harder. It does. Um, lastly, I would say, uh, not trying to take care of the problem themselves. Um, you just, you do not wanna do this yourself. You just don't. It's, this is something that you really need a specialist to come in, a security expert. Um, because if you try to tackle it yourselves, it's like, if I represented myself or if I was a doctor treating myself, it just does not work.

Well, Robert, I'm, I'm curious what your conversations look like with your clients. Going back to what Spencer just said, um, and, and what lessons learned you have out of that. Uh, so early on, uh, I was given advice, well, I was actually given a lot of advice. And, and you've got to distill it, uh, quickly. I think, uh, as Spencer had alluded to, you're, you're in war. You're not preparing a year in advance, so you're making, uh, rather quick decisions.

But the counsel that we were provided through our insurance, um, I quickly learned, you know, that they were, and I really mean that word, counsel, right? They were, they were counseling me. And I, you know, I pushed back on them on a couple of things with communications that I did not wanna hide behind an attorney.

Because the most valuable asset I had was the integrity of the relationship and the trust and confidence that these folks had put in us as an organization and as, as individuals, uh, uh, as well. Uh, so the last thing I wanted to do was throw a bunch of legal speak out there and kind of hide behind words and the attorneys and things like that.

Um, however, um, they understood that, uh, and helped coach me through, alright, let's just be a little careful about, you know, the, the, the amount of content and the number of things that you're saying, and let's pair this down so that it doesn't come across As much Legal speak. Um, so I, I think we found In writing right, We found a healthy balance. Yeah. Especially if it's in writing, Correct? Yeah, absolutely.

Um, you know, one thing is, you, you mentioned, um, Spencer having that relationship with your, you know, customers and, you know, that's not measured by CSAT, that's measured by, like, if you're in a situation where you're not dealing with the decision makers at that company, if your relationship is not, uh, a strategic one, um, boy, you're gonna have a hard way to go, uh, when something like this.

'cause you can't, you wanna make that relationship for the first time with the right people during a breach. I think not. So, it's almost, it's, you know, and, and I'm gonna, I'm gonna pass things over, um, Andrew, uh, back to you and then, and then over to Ryan. But I just wanna mention, you know, being at, um, an event for the first time, right?

In, um, you know, almost two years, the, the thing that I was struck me the most is that there's less of a gray area between MSPs that are less prepared in general and more prepared. It's more like, there's two camps. Yeah. People that are getting it, they're selling, they're, you can see it by their seat price and the questions that they're asking, and then a bunch that don't. And that's the scary part about this.

We gotta get that other group, at least to the things we're talking about today, the minimum things you can do so that even if your posture is not where it needs to be, you're prepared for the, to manage that incident as best you can. So this is really timely. So Andrew, I'll send it back over, um, to you. Uh, now can I piggyback on one last thing? Yeah, Of course. One common misstep.

I mean, the one thing y'all could take, well, I'd love for you to take a couple things away from this, but they, your clients are gonna blame you to start. I'm telling you right now, your clients will blame you either outwardly, bluntly, implicitly, explicitly, every one of my clients, I get on the phone. Now, there's a caveat to this.

Every one of my clients who I don't have a good or, you know, relationship foundation with somebody, maybe they're put through like 12 different relationship managers. I'm not kidding. Uh, out of a hundred, 150, first thing they say to me is MSP's at fault, probably a hundred, there's been 50 that have not a little bit more 50 that have good relationships. And they don't say that. They understand that it's, I literally then have to pry the team back into order. Right?

But the ones, if they like you, here's what I, my business model's really simple in my life. My client model, it's affable available able, we're all able, we, we wouldn't be here, we wouldn't be doing our jobs. It's the ones that they like, you, you have that relationship, you like, they become family. And that's cliche. And then obviously available. I can't tell you how many times I've come in and an MSP has not gotten back to the client. It's been two weeks, week and a half.

The admin credentials, if they like you, it's a lot less likely that it's gonna be a problem. So, So lemme just take that Andrew before, like one step further, and we've been preaching this, but to my peer members, this is Mike. I'm constantly beating this drum. You need to have a conversation about living in an assumed breach world. You need to let them know that no matter what you do, they're, they will inevitably, someday have some type of a breach.

No matter you're gonna do everything that's reasonable, but you just can't control the factors. And there's plenty of stories we've told on here from Microsoft to other things that realize that you can't. And, and when you, you have to continually have that conversation with them, keep them focused on right of boom. So when this happens, they don't have that expectation. 'cause not only do they need to like you, but they need to have the right expectation.

And so many MSPs are still preaching protection. And so they're blamed. Mm-Hmm. Yeah. Yeah, really good point. Gary, I have a question to you, Robert, and whoever else wants to chime in on this, because, you know, we've been talking about that relationship and that right relationship. So we do know a lot of MSPs have co-managed relationships. And a lot of those are at the, you know, IT level where they don't necessarily get up into that quote unquote executive level Gary.

But that co-managed relationships, sometimes they're using our tools and that's a lot of the relationship. Robert, I see you shaking your head. Do you have any thoughts out of the gate on this one? And if not, I can let Gary go first, but I mean, I think that is a potential challenge based on what we're just talking about. Is that, is that fair? Uh, yeah, it's a fair question. And I mean, our largest account falls more in that bucket. Uh, our largest account by a wide margin too.

Uh, actually our top two now that I think about it, are more in that camp than less in that camp. I mean, it's not a pure tools play, right? Um, but, but we're dealing, uh, primarily with IT departments, not the senior leadership. Uh, simply because just the nature of the relationship, it'll never be that way. Uh, hands down. It just won't. Um, so navigating, uh, that, uh, the occurrence that happened with us, you know, was a little different.

But I think as long as you take the page of building strong relationships and understanding, uh, you know what it is, you know, it's not just gee, uh, like a geek relationship, that it's truly bringing a business conversation to the table consistently and constantly. Uh, we found that those IT departments were more in defense of us. And because oddly enough, in our case, because they were IT people, they understood the attack and the anatomy of it so much better than a layman did.

So they were able to, I'll say, more, properly defend us in the eyes of their management. Interesting. Very, very cool. Um, any thoughts on Gary and Spencer's interaction that you might wanna put a bow on?

Robert, or, and, and you don't have to, but, uh, just, just wanted to get your, closing your thoughts on that part and then we can move over to Ryan if, if not, Um, I mean, other than, you know what they've said, I, you know, I, again, I'm only speaking from my particular circumstances and you know, what happened with us. But, you know, I, I would echo a lot of what has has been said.

Uh, if I could turn back the, the, the hands of time, uh, I certainly would've engaged our insurance better to understand and get an assignment of a breach attorney, uh, ahead of time to maybe role play some things out. Uh, I think we were fortunate that even in our, uh, unprepared chaotic state, it still seemed to go pretty well. Um, um, but that's certainly not advice to, you know, alright. Screw it. Just, you know, roll the dice when it happens. Uh, this is great advice that I'm hearing.

Can I ask you before we go, Andrew, can I ask Robert one question? Um, I know the feedback I want to ask you from your, you, you, you said you're in an Evolve peer group. Um, so our, our peer member, one of the other things they told us was how helpful the peer group was, uh-huh, they got it to the point where they needed hands and they were able to get like, between all the people they got access to like seven technicians. 'cause they need it, they just need it more faster.

And like, and they said just, we'll just do the work, put it into the insurance claim later, and they just jumped in and help 'em. Did you lean on your peer group? Uh, indeed. Again, this was one of those things could probably capitalize the rest of the conversation, but let me say it this way.

And that is, we, you know, we talk about things like, you know, firewalls, antivirus, now, you know, security awareness training, uh, you know, anti phishing, antip, like all these layers of protection that we're putting in right now, we're getting into conversations like cyber liability insurance policy. Maybe I'm the first to say this, maybe I'm not.

Um, but I think that all MSPs need to layer in community as part of their security protection because there is no chance in hell, I don't care how big, small, smart, not smart. Yeah. It does not matter who you are. I really don't care. You don't have the resources to handle a 100% breach like the way we were affected or by the firm that you're, you're speaking about. There's just no way. And so how do you overcome that? If it were not for the community to come to our aid, we would be dead.

I would not be on this call and I'd be shopping for a job right now. Wow. Awesome. That's really great. I, I knew what your answer was gonna be, right? Uh, before you, before you said it. And, um, that's just really awesome. Everyone needs to be part of a, a, of a community, and I'm serious. It needs to be like, almost like a line item in your pro, you know, in your layers of protection that you're offering, like almost as a pitch to your customers, right?

Like, and by the way, here's another layer, my community, how is that po? How is that gonna help us? Because when it happens, this is, these are the forces that I've got, right? My riders of Rohan are gonna show up. Oh, that's a great analogy. Can you, can you share a little bit about how they helped, like, I'm sure people are itching to know a little bit more. Uh, yeah. Again, I mean, you know, trying to keep things a little short, uh, they offered everything from, um, field generals, right?

So, uh, other, other MSP owners who, uh, flew in and literally, you know, came into my war room, my conference room, and took over specific functions like, how do we get another RMM stood up, right? That was a huge challenge, right? And I needed a general for that, right? Not technicians, uh, although you need technicians for that.

Um, but you know, the, the bulk of the help was in the form of those engineers that, for us in New York came as far away as California, Texas, you know, the Midwest, uh, Florida, uh, Massachusetts, everybody just like showed up in masses.

And then there's of course, the vendor community, which should not be overlooked because not only are they providing you the technological help, but even in some cases they provided some engineering efforts to help, uh, uh, uh, you know, uh, staunch the, you know, or, you know, slow the bleed or to, or to help overcome. Um, it took us 17 calendar days to get, uh, everybody at least about 85, 90% whole.

Uh, we still had a lot of work to do after that, cleaning up the mess, but there's no way we would've done it without the community. So I don't really care what your technical knowledge is, how much smarter you are than me, how many initials come after your names. It just doesn't matter because you're not dealing with a situation like this without the proper help. Really good stuff, really, really good stuff. Robert, Ryan Weeks, I can tell you, uh, I come from banking. You come from banking.

I can't name a single bank that would come to my aid like that, can you? No, I think, I think that's one of the really special things about this industry is, um, yeah, and we, and we saw, we were, we were trying to connect MSPs with other MSPs to help them. And um, and I think we, we actually wanted to give an RMM away for free for a few months too, to a couple of affected MSPs, because it's like, we don't need to make money off of you, your unfortunate day. You need a tool to run your business.

So yeah, I think that's one of the good things about this community is over time we're starting to act together. Instead of that, what I used to call vendor, uh, you know, uh, uh, MSP naming and vendor shaming, right? Is where we, where we used to be. I think we're moving out of that a little bit, but, um. Can I share one quick thing with you and we can move on from it? Um, a different situation. This goes back like probably three years ago.

Uh, somebody had, they're in a little bit smaller market. They had 30, 34 customers, they all got breached. One of the things they said, you know, they got help from peer community, but they got a call from like, basically there was one other company that was like them, like the two, they were like the two main MSPs. He got a call from his competitor and his competitor jumped in and really was a key, him and his team in helping him through it.

And the idea that that, and also when people tried to call him to say they should leave, he told them, you know, not to, that they had worked together. And he's like, you know, 'cause he would want that same thing on the other side. And they both became, you know, better and stronger from it. And that's a, that's a, that's the way you have to think about these things is that it's not good for anybody. All of us doing better with this is good, even if it's your main competitor.

So Ryan, let, let me let you, uh, dig in here a little bit with Spencer. Great. Great stuff everybody. Thank you. Yeah. So, uh, Andrew gives us little threads to pull on when, when, when our sections come up. And I'm gonna explode one of the threads he gave me a little bit here. So we've talked a lot about assume breach, right? Which is the mentality that if you have not already been breached or are actively breached right now, you will be breached.

So the question becomes, what are you doing to prepare for that, which is left of boom, and what are you going to be ready to do to minimize the damage after that event? That's right of boom stuff. And your breach counsel sits right and left of boom, right? They're helping you prepare for the eventuality of the bad thing, and they're helping you to recover with as minimal damage, uh, you know, as possible from that, that event, right? But you're also part of a team, right?

You've used the word a team a couple times. Your, you're part of, uh, you know, uh, uh, the MSP's team. You are part of, um, a, a broader, what I'll call crisis response team, which is really where I think breach counsel sits, right? And they sit there with PR and they sit there with incident response and forensics. And so in your role as a breach attorney on that team, what are you doing before the incident? What are you focusing on left of boom with the MSP to get them prepared?

And how are you interacting with all these other parties? I mean, I would say the first big part for me is to understand your organization. I need to understand who is the champion, privacy, cyber champion almost. Um, because I need an advocate. I need an advocate inside the organization. Um, especially with MSPs. You all have a better understanding of the security risks, the compliance side. I've run into, hit some walls though. Um, so I need someone internally.

So I try to identify that person, really get them involved. And it could be CEO, COO, CTO, CSO, whoever it is, um, as long as they can help move the ball along. Second part is we have a long conversation about where your biggest pain points are. Um, for an MSP, you guys have a lot of pain points. 'cause you know, your clients are your pain points, but naturally some clients are going to be more of a pain point than other clients, right? We care about all of our clients equally.

I get that. But some, if there's an issue with them, we'll qualify. That's really not true. Like, uh, but let's just say it is. I'm not gonna comment. I think this is being recorded. So I care about everybody equally. Um, but then helping to rank and prioritize, right? And then understanding who is gonna cause that most harm and where's the harm gonna come from. Third, we do data mapping. And I, I mean like you could switch two and three if you wanted to, but I wanna know where your data is.

I wanna know how you're segregating it, how you're classifying it, how you're protecting it, why you're keeping it, um, what you're gonna do with it when you're done with it. So would it be fair to say that you would wanna see an inventory of data assets and a data flow diagram? Oh, yeah, yeah, yeah. Okay. I'm just checking. Yes, most definitely. If you have that available, you've made my life and your lives about a million times easier.

'cause if you imagine if something happened and you don't know where your data flow is coming from, uh, it makes it a little difficult when everything's encrypted. Let's go with that. Um, the fourth part would be we then need to bake in the incident response plan, right? We need to bake in counsel, the MSSP, PR, um, I want you to understand the whole process, right? People don't understand data mining.

Um, they don't under, it's not not understanding, but they don't really get how it plays in, right? They just think, okay, security forensics done great, legal done. But it's like no data mining. You have to understand, you have to go through and figure out what's in all these servers, even if you know what's in 'em, right? Because then we gotta identify personal information. Uh, then I want you to understand the notification process. So I really want you to get your head around the cost too.

So that's not sticker shock. And then the round tables, um, round tables. People who have, so an average breach globally is 3.86 million; companies that have an incident response plan, incident response team, and practice it, uh, save about 1.4 million. Scale up or down, you're still looking at about 35, 40% savings, which is significant. You're also cutting into time.

Um, so having that incident response plan, really understanding it, um, and understanding how quickly you can get a hold of somebody, get breach counsel, get an MSP written in, find one that's gonna put you at the top of their list, right? You don't wanna get thrown into a machine. Um, there's a lot of lawyers that are really good at this and won't put you at the top. And that's beyond me too. Um, so, 'cause once again, you gotta be nimble and you gotta be fast. And that's response.

And then I think you were talking about the pre-boom, left of the boom to start, right? Yeah. This is all pre-boom, right? Because yeah, I think the misconception is that the lawyer is the person, the first person you call when the bad thing has happened. A lot of people don't think about like, I mean even, even just building an incident response plan, right? Maybe that's, let's, let's kind of move into another question here, right?

You're looking into incident response plans with your potential customers, and there's some pretty fundamental questions, right? When do I call in breach counsel? Mm-Hmm. When do I call in external communications and pr? When do I call in incident response and forensics? When do I talk to the media? When do I communicate to my customers? Yeah. What do I communicate to them? Yeah.

If you are not including that type of analysis in your incident response plan, you are not really completing the full spirit of an IRP. So talk to us about, now, give us a for example. Like you're, I'm not gonna call you when I find malware on a workstation. I'm gonna call you when I think there's been inappropriate access of data. Mm-Hmm. Mm-Hmm. So what, what are those triggers for you? Like, how do you walk them through those considerations as they're building the IRP? Yeah.

So the best part about the IRP is one, I would never have just a security person do it alone. I would never have a lawyer do it alone. Either. I'd have, I truly believe you need both sides. Um, because what you just said is right. Um, you're not gonna escalate it to me if somebody, I don't know, is some, it's a small issue, right? Where you know it was contained. Maybe it was a phishing email, but you didn't click on it, right?

Just 'cause you get a phishing email does not mean you need to escalate it to me. Well, when you escalate it, when you need to escalate to bring in a breach coach, is you get a ransom note. Um, the phishing email was clicked on and it's been, somebody's been sitting in the system for, or an email inbox for, I don't know, three weeks. Um, wire fraud. If you're in highly regulated industries, um, if you've got, you know, anything financial, anything medical, I always say bring in breach coaches immediately.

Um, those are escalation points. That's very much more technical too. Yeah, because that's where I need a security and technical and the MSP to really help me in these. And I think MSPs are in a much better position to understand those escalating points. Well, can I, real quick, what if, um, what if you're an MSP? Maybe you're haven't, you're not where you need to be with your security posture.

You realize something's wrong, but maybe you don't feel like you have all the technical resources and knowledge to be sure. So it's, you think there's an incident, but you don't know enough about it yet. I would say, especially from the MSP side, you all are gonna be judged at a higher standard than others. Um, play it cautious, honestly, because it's almost like I get held to higher standards as a lawyer when it comes to compliance aspects.

Um, as for you all, I wouldn't, I would escalate, I'm a more conservative person. Let's go with that, especially with MSPs. Escalate it quicker than a non-MSP because of the impact it could potentially have downstream. Um, but really get those things defined and understand 'em and practice 'em. Because you're right, it doesn't have everything. You're both, you're both hitting on something really important, which should be included in your IRPs as well.

What do I do when I've gone a certain amount of time and don't have an answer? Those, those things which would normally cause you to be like, alright, well I haven't figured out this thing yet, which would be my normal escalation trigger. These periods of time where you're not finding out the information, those should be triggers to escalate as well, right?

If you're going 24 hours and you still don't know anything new than you knew yesterday, you're probably past the point where you should have escalated to get additional help. And so again, a breach counsel will walk you through that. You know, if you, you're dealing with ePHI, there's very specific time periods when you have to make notifications and who you have to make them to. And so you're gonna back into a lot of this just through that understanding.

And so, yeah, that's, to me, that's a lot of the left of boom stuff. You, you don't really have an IRP plan that's actually gonna minimize damage to your company if you're not baking in those types of considerations, um, for you and your customers. Which is why I said earlier in the chat, a good breach counsel not only seeks to understand you and your business as an MSP, but also that of your customers.

Because a good breach counsel is gonna understand and drive help, drive your breach response to those standards of care and notifications and all those requirements, um, that you have based off of the customers you serve and the data that you're a custodian of in providing them a service. Mm-Hmm. Cool. Um, so I will keep alluding to this concept of team, right? This PR team, legal counsel, IR forensics.

How do you typically interact with, um, you know, let's use Chris Lair as an example because he's kind of the face of what an IR and forensics person is for this audience. How would you work with a Chris Lair, um, both, you know, left of boom and right of boom and like what role are each of you playing as this kind of comes together? Very good question. Um, so Chris and I have worked together a lot. So we've developed a pretty good synergy, um, about kind of understanding each other's role, right?

And being able to, uh, support both sides. Um, I would say pre-breach, pre-boom, um, would be you need the legal and the technical perspective. Um, there's a lot of lawyers out there selling that they'll write all your policy plan plus and policies, procedures, protocols, and almost they don't need the technical side. I think that's just ridiculous. Um, but there's also a lot of security people out there that are doing the same and saying that clients are compliant.

Um, and what I tell anybody, any security expert, is you don't want that liability, um, to say somebody's compliant legally. And if you can't back it up, you will be held negligent for that.

Uh, so Chris and I work kind of hand in hand in terms of, I look at, it's just like when a breach happens, I need the security technical side to come in first and identify, do that risk assessment, vulnerability test, penetration test, really identify those gaps, because at that point then we work hand in hand to develop a policy out where it's, okay, this is what you do to escalate, this is who you call, this is how you know Chris's team is gonna handle the security side, because you have to have almost an understanding of both, um, vendor due diligence as well.

You know, it's the questions that you need to be asking the external parties that you work with, both from a legal side, compliance, and the security technical side. So, I mean, honestly, it becomes a left hand, right hand relationship. Um, because we don't need each other during the breach. It's the same thing.

It's, I I can't do my job without Chris and Chris can do his job without me, but when the conclusions come back, Chris is not gonna be able to tell 'em what their legal obligations are. Just like if I walked in to start, I can't tell 'em what their legal obligations are until I know the forensics. To some extent I can, but if I don't have a forensic analysis, then how am I supposed to do anything?

Um, so once again, it's really understanding each other's lane, but then supporting. So what I tell clients who are getting mad about Chris or whatever, who, it doesn't really matter who it is, I'll say, look, they're doing their job, right? Their job takes a while. It's X, Y, or Z. Chris does the same thing for me. So it's really looking for those synergies.

Uh, and having the MSP too with that synergy makes life so much easier when you have an MSP who's got a good relationship with a client, um, when a breach happens, or pre-breach, I mean, I need you all pre-breach. I, I mean beyond, I need you guys because if I don't have you guys involved, then what is going, like, if a breach happens or incident, I'll stop using the word breach. 'cause we should just call it incidents rather than breaches.

But if you have a cyber incident, if I don't have you all involved beforehand, I'm not gonna understand how to get to what we need to get. Right? So you really need to work hand in hand in hand. This is why it's such a team. This is a team game. Um, this is not a solo sport whatsoever. So I just want to, lemme just jump in, Ryan, is it okay if I have Wes maybe take, pick up where you are?

I was actually gonna yield the rest of my time to the professor from the great state of Florida. And, uh, yeah, Wes and, and Robert, anything you want to, you know, um, come top of mind at all to you during this last thing that you'd like to share? And again, no pressure if not. Uh, just, just the, the term of that B word. I keep hearing it over and over again and it's making my ears bleed. Don't say breach, right? This is what my, our legal counsel had advised us.

Uh, because, you know, you know, we walked into that situation throwing, tossing that term around, and we were, you know, grabbed by the back of the neck and shaken pretty hard to say, don't use that word, right? Um, from my understanding, uh, Spencer, you know, and maybe you can comment on this, it, it, it invokes a certain legal term and you gotta be really careful about it.

So I then put a gag order on the rest of my team to say, you can use the word incident and you can use the word attack, but if I hear you say the word breach, you're gonna have a problem with me. So don't, and you know, that kind of set the, the stage for the rest, uh, of our communications. Yes, it's a really good point.

I was fine with the word breach in the context we're talking about it because I think we're using the, the legal definition of the term, and we're talking about it in the sense that it is a crisis, right? And we're really talking about breach counsel, right? In a crisis scenario, like the July 2K event.

But I agree with you that especially your sales teams, that's a, that's an area where you would need, those people are gonna be the people that are communicating on your behalf with your customer bases. They need to eradicate that word from their dictionary because they do not use it correctly. Technical people can be taught to use it correctly, but, um, yeah, your sales teams need to forget that word exists.

It, it's funny when I speak to peers who have not suffered an attack and they call it a breach, and those of us that have, don't use that word. Yeah, you have, you think this is a breach, you have no idea what you're in for. Every breach, every breach starts with a cyber incident. Not every cyber incident becomes a breach. You're right. That distinction is so important because when you use, that's what I tell my clients. Like, stop using the word breach. Thank you for that clarity, Spencer.

That was great the way you just said it. That every cyber incident or every breach starts as a cyber incident, but not every cyber incident is a breach. So professor, let's, uh, give you some time. Sure. Yeah. Uh, I wanna zoom in into maybe the greatest fear that MSPs have in all of this. And, um, get, uh, Robert's response as soon as you're, you're finished. And that's, uh, due diligence, third party risk management. How does that play into all this?

Spencer, from your point of view, give us your feedback on that. And then Robert, I want you to answer the same question of like, how third party risk management has impacted you post-incident, I guess. So from my perspective, uh, the July incident and then SolarWinds before that, I've been preaching vendor due diligence to clients for a while because, you know, especially with MSPs, vendors are such a vulnerability.

I mean, if you look at Target in 2014, I mean, I'm sure everyone on here knows it was Fazio, a small HVAC company. I mean, it's crazy, like it's nuts. Um, and that's where, that's where our vulnerabilities are. We're all decentralized, which I get. So what I do a lot now I'm like, look, we've gotta identify pain points. Uh, honestly, you guys are a huge pain point because you have access to everyone's systems. Um, the due diligence part is everything I do with a client, right?

You wanna make sure, um, that a vendor has the same policies, administrative, physical and technical safeguards in place, policies, procedures, protocols, incident response plan, written information security policy, uh, technical what? MFA, software updates, firewalls. I try not to get too security because God knows one of you will throw a shoe at me. Um, and obviously physical safeguards and, but you know, the ones that are really your vendors that are up to date, uh, sorry.

And then you, almost every law says you've gotta have contractual obligations built in about cybersecurity. Um, but organizations that have these things in place, they're much more willing to say, yeah, look, I've checked all the boxes. I'm not worried about it. Um, so especially with an MSP, what I see happening now moving forward, is you guys are gonna be under the gun and under the spotlight.

Um, more and more people like me, unfortunately, are gonna be coming knocking, saying, look, we want, we need to know this for our client's due diligence. Um, but I don't think it's truly a bad thing because if I'm, I'm preaching to the client to do it, it's just kind of changing the culture around everything. Um, so I, I actually think it's, it will be a good, it'll be a painful thing to start, but it will be a good thing at the end. Agree.

And, and Robert, I look at MSPs as the great juggler of third parties, uh, who then also extend to their own clients fourth party risk because of the third party that you manage. Talk to me about that. How has this changed for you in the aftermath of your incident? So, just, uh, segueing off what Spencer said right at the end. Uh, yeah, that pain, the pain that we're going through in my mind, uh, putting my business owner hat on, uh, is an opportunity for me to, uh, bolster my valuation.

So as my weaker competitors are unable to navigate this new land that we find ourselves in, and those of us that are still around and, you know, painfully getting through this process of, uh, managing risk better, and, uh, you know, shoring up our defenses with all of the, you know, things that we've already spoken about that everybody knows that they either should or could be doing, uh, is, uh, a pathway, I believe, into greater valuation, right?

I mean, one day I will exit this business, and when I do, uh, that valuation better be as high as I possibly can. But, uh, to answer your question a little bit more directly, Wes, uh, the, you know, one of the things that I learned, and by, you know, certainly I am not an expert here, right? I'm, I feel like almost still a bystander in all of this. Uh, one of the things that I learned is that security is not a destination. It is a journey.

And I would extend that to the risk management conversation. Risk management is not a checkbox that we just check. It, again, is a journey. I'm sure the conversation will be different in six or 12 or 18 months from now, that we will be addressing new things, new risks, you know, new threats, new, just so it's, it's a constant evolution here.

And, uh, what it's forced us to do is to take a really, really hard look at it, not the academic view of it that we had prior to the attack, but now real world, this happened past tense to us, and what are we going to do future tense in order to help mitigate, um, and reduce or manage that risk moving forward. Um, and then how do we then also, like you said, communicate this to our customers so that they are fully cognizant and aware of what relationship they're getting into.

And by the way, and not just with us, right? Because I've said this a few times, because doesn't matter what MSP you use, right? You, it's the same story, right? Whether they're telling you about this or not, it, it's the same risks. Uh, it's just a question of now who do you trust and who do you have the most confidence that's gonna be able to help protect you? Uh, yeah, I appreciate that. And, and, uh, Andrew, I turn it back over to you.

The last thing I'll say is, uh, Robert, um, for those of you who don't know, Robert is gonna be sharing his whole story, uh, at IT Nation. Um, it's gonna be on November 12th, I think it's virtual as well. So Robert, thank you for your transparency and openness and approachability and wisdom. I know you think you don't have a lot to offer my friend, but you do.

Um, and I think MSPs all crave hearing, you know, war stories of, you know, what other, what, what it's looked like so that they can better prepare themselves. And so, um, if you guys are going to connect virtually or, uh, on-prem, make sure you queue up Robert's talk. It's gonna be, um, it's gonna be the highlight, I think. Well, I hear the interviewer is gonna really make... Whoever that guy is. Good luck, whoever that guy is. Right? Yeah.

Hey, I, I, Spencer, I just want to, I, I know we got a minute left here, but I think it's really important for those out there, and we still have a fair amount. I, I really, really, really would love for you guys to stay on for two minutes and listen to this. Spencer. We hear MSPs getting dropped by their carriers. You know, they get a call from their broker, you're no longer being written. Um, I heard from Beazley, you know, Beazley, just this week.

Talk to us about what MSPs should be doing to make sure they can sustain coverage and what is going to happen when they look, when that, you know, it's that, that sales motion you spoke about and the internal security program of that MSP. Can you kind of just walk us through that? 'cause I think it's really critical that we close on this and everybody hears this. You need to have a cyber broker, not just a broker, not just an agent.

You need to have a broker who basically specializes in this, just like after a breach, you need a breach coach, uh, an IR firm that does it. If you don't have a cyber broker, especially as an MSP, you all are getting painted against the wall right now. Uh, you know, until I got my, the two or three MSPs that I have into a cyber broker, they were not getting rid, they got dropped. Um, insurance carriers are really scared about taking on your risk right now.

So you need a really good cyber broker who knows the market, like has these relationships with underwriters. Once again, it comes back to relationships, um, and can paint a story, right? They need to paint a really good story about all the good things that you all have done, um, rather than just fill out your application and send it in.

Because the thing about it, if I'm reading an application, all I'm seeing is MSP risk, risk, risk, rather than Robert, look at all the stuff that Robert has actually done. I'm now hearing it and I feel a lot more comfortable, you know, right, Robert, I'm using you as an example, but just in general, I'm, you know, I feel comfortable as an insurer now writing this policy for you. But if you had, look, I'm not knocking general brokers, but I'm just telling you, I've no dog in this fight.

Get a cyber broker, vet the broker to make sure that they know what they're doing. There are a bunch of really good ones out there. Um, I highly recommend that. Highly. Yeah. Yeah. So in closing, you know, the, the thing I took away from that, aside from get a cyber broker, is make sure you're working on your internal security program, because that is gonna be the difference between you being able to get coverage probably in the next 12 to 24 months and not getting coverage. Yep.

Um, so we, and we've all wanted the bar to be raised and trunk slammer is gone. And the barrier to entry being raised. Now, it happened. You're right. Here's what you wish for. Yeah, exactly. Robert, first, thank you, really, really, uh, from the bottom of my heart and, and for everyone out here, for coming on sharing your story, looking forward to seeing you at IT Nation. Um, uh, and, and Spencer, thank you for coming on and sharing your wisdom. This was awesome.

Look forward to seeing you later in the week. Ryan, Wes. As always, we're one away from 4,000. We didn't quite make it, but we'll look forward to seeing everybody next week. Got something to look forward to next week. There you go. Take care. Thanks for the opportunity, by the way, really appreciate it. Thank you, Robert. Thank you. All right. Appreciate it. Cheers.
