The MSP Compliance Toolkit: How To Protect Your MSP Business Against Lawsuits

Compliance is a big market opportunity for MSPs and a growing necessity for businesses of all sizes. Still, some of your clients may be resistant to putting the necessary security controls in place to meet compliance requirements, putting them at risk of a cyber incident. At the same time, it puts YOU at risk of a potential lawsuit.  

“If you have bad clients who aren’t going to take the basic steps to get compliant and get things done — those bad clients could easily cost you $100,000-150,000 in a lawsuit, minimum,” says Jennifer Morris, a partner with Dunlap, Bennett & Ludwig, former CIA and Army JAG attorney, and general counsel in Intelligence & Acquisitions for the U.S. Navy.  

“Cyber fines can truly be business ending,” Morris states, citing several DOJ lawsuits by the new Civil Cyber Fraud taskforce, one of them hitting a defense contractor for over $9 million in cybersecurity fines.  

“A lot of MSPs think that fines only happen to massive companies a lot bigger than them—they don’t think that a lawsuit will target a small business like them,” Morris continues. 

But fines can come through things like class action, and even HIPAA violations by a client that will secondarily impact an MSP, according to Jon DePerro, chief compliance officer of Visibility MSP. “Say a physician’s office you have as a client violates HIPAA,” he says, “Do you think a jury anywhere will excuse that? No way.” 

Tips For Protecting Yourself 

Here’s some advice from industry experts on how to protect against legal ramifications. 

First, make sure you are internally compliant, recommends Morris. “If an MSP gets compromised, all of their clients are potentially going to sue them, because all their information has been potentially compromised.”  

She adds, “And if an insurance company is involved, they’re going to sue whoever presents the biggest claim they want to avoid.”  

Second, says DePerro, if you have clients who are reluctant about compliance, “make sure you’re talking to the owner of the risk. The CFO or office manager who signs off might not actually be the owner of the risk. Put it in writing, and give them options, and have the risk assumer sign it.”  

He continues, “The clients who still want to use Gmail, and not assume any security measures…those are likely bad clients, so it might be an opportunity to narrow your marketing to really go after and take care of the clients who are serious about security, because those are going to prove to be your best, and likely biggest, customers in the long run anyway.”  

The third way to protect yourself is “to have a tightly written contract,” Morris says. “And I use contract to mean anything in writing. This could be a client agreement, a term sheet, anything. It’s very important that whatever you are doing is clearly spelled out in writing.”  

For example, she says, “Say you’re managing 15 [software products]—have a list of every single one; have a detailed inventory list. If it’s not on that list, make sure your contract says you are NOT responsible for anything not on that list.”  

“It all goes back to who owns the risk,” DePerro adds. “It all has to be documented and prescribed. Your contracts…and how they assign responsibility and acceptance of risk is huge.” 

The bottom legal line according to Morris? “You are liable for anything you’ve agreed to do. So, make sure that even what you are not doing is in the written contract or statement of work.” 

Getting Started With Compliance-As-A-Service 

Once you’ve taken those steps to protect yourself, Will Nobles, CEO of Vector Choice, has three recommendations if you are offering Compliance-as-a-Service:  

  1. Get your legal house together. “Have your MSAs squared away and understood by all parties,” he says.  
  2. Audit yourself. “Everyone thinks they have it all together,” Nobles says. “Until they truly take a look.”  
  3. Pick something to start with. “Even if it’s cybersecurity insurance, go get it and take that first basic step to get yourself compliant,” Nobles adds.  

What To Do If A Client Gets Hacked 

Even with the proper security controls in place, the worst can still happen.  

“The first call that should always be made is to your lawyer,” Morris says. “Because attorney-client privilege is paramount, it supersedes everything at the outset.”  

DePerro notes that the insurance company’s interest in these cases is directly opposed to the MSP’s and client’s.  

“The insurance company is going to actively find ways not to pay—at all,” DePerro warns. 

Morris agrees. “You might actually say something inadvertent to your insurance company that gets them out of paying,” she notes. “So always have a cybersecurity lawyer on a call with your insurance company.”  

“The time to create your incident response plan is not after something happens,” DePerro adds. “That’s not a plan.” 

Worth The Effort 

According to Nobles, DePerro and Morris, understanding and selling Compliance-as-a-Service to your clients is increasingly necessary in the ever-evolving world of the MSP. Whether a one-man shop or a multinational organization, internal compliance is becoming a foundational necessity—and selling it could prove to be a larger-than-realized boon for your bottom line.  

In addition, it separates you from the herd.  

“MSPs can be like Chick-fil-As in Atlanta,” Nobles jokes. “They can be everywhere, on every corner.”  

Offering compliance is “another open door,” DePerro says. 

“And what you may find is that a client really will spend money with you — and it may even surprise you how much — if you bring them to understand your value.” 

Want to keep current on compliance? Subscribe to MSP Success today! We’re going to be continuing this series diving into the ins and outs of Compliance-as-a-Service. 

ABOUT THE AUTHOR
Ben Liebing is a freelance writer and frequent contributor to MSP Success, the gold standard in the MSP space. Previously, Ben worked as a marketing director for Tesla Motors, reported for The Cincinnati Enquirer, and served in the United States Air Force. He has lived, worked, and traveled in over 40 countries around the world.
