Cybercriminal tactics are becoming more sophisticated, increasing the risk of a cyberattack for organizations of all sizes. But what happens, from a legal sense, when a cyber breach occurs to you or your client?
Defendify’s Shanna Utgard sat down with Sid Bose, Data Security and Privacy Attorney for Ice Miller Legal Council, to discuss how Managed Service Providers (MSPs) and Integrators can better protect themselves against potential legal issues arising from a cyber incident.
Reduce exposure and take precautions to protect your business
Sid advised MSPs on what steps they can take to decrease their exposure to cyber threats. The critical internal processes Sid described will not only reduce the likelihood of a cyber breach occurring, but also minimize the damage should a cyberattack occur:
- Segregate each client’s data to limit the reach of a cyber breach.
- Create an incident response plan for your business and your clients.
- Amend client contracts to reflect any necessary changes (for example, physical infrastructure changes that accommodate a work-from-home environment).
- Perform third-party risk assessments on all partners and suppliers to ensure they are following the right security measures.
What happens if you get breached?
Your primary job as an MSP is to focus your efforts on finding out how the cybercriminal got into your system, how far they got into your network, and how to stop them. From a legal standpoint, there are multiple factors and obligations to consider:
- The scope of the breach
- The data or intellectual property compromised
- Reporting obligations triggered by the client contract
- The amount of data compromised
- Government and industry regulatory obligations and laws
A comprehensive incident response plan allows you to build a course of action that keeps these factors and obligations in mind. Many industries and government entities require companies to report promptly - therefore, a proper response plan that allows you to act swiftly is essential.
Reduce legal liability with MSP agreements
The first step an MSP can take to protect itself in a cyberattack is to clearly communicate its services and expectations to clients through written agreements. Many small to mid-sized businesses assume that their MSP works not only to keep their systems operational but also to manage their cybersecurity, which is often an extra service because of its complexity. Your clients must understand which services they are and are not receiving from you as an MSP to avoid legal liability in the case of a cyberattack. A recent study reported that, among SMBs that use an MSP, 69% claim they would hold their MSP accountable at some level in the event of an attack, and 74% of SMBs who use or plan to use an MSP would take legal action against them in the event of an attack. Setting expectations of service with your client is the best legal approach and the best basis for a respectful working relationship.
When you need to present an MSP agreement to a client, it may be tempting to find a template through a quick Google search or to add a short boilerplate message to an existing contract. Sid Bose advises against using this type of templated format. An agreement template found online does not constitute legal advice and rarely holds up in a court of law. Additionally, the generalized wording will not contain the contract language necessary to cover your client’s specific government and industry regulations. By consulting with an attorney specializing in cybersecurity when forming your MSP agreements, you can include language best suited to you and your client.
Waiver of Liability
There may come a time when you explain the importance of cybersecurity to a client, but they do not want to add cybersecurity to their service agreement. In this case, a waiver of liability or a refusal waiver is recommended: it states that your company offered cybersecurity protection, and that the client declined and assumed the risks of a cyberattack. A signed waiver does not mean they cannot take your company to court in the case of a cyber breach, but with a waiver you have proof that your organization is not at fault and that you made the client aware of the risks.
Cyber insurance is an effective way to safeguard your business in the case of a cyberattack, provided you have a comprehensive policy that meets your needs. The language used in a cybersecurity insurance policy can vary greatly, affecting the coverage you receive for a cyber breach. Here are a few factors to keep in mind when looking for cyber insurance:
- What types of risk are prominent for your business and industry?
- What kind of coverage does the policy provide?
- Are there any exclusions listed in the policy?
- What type of response plan does it require in the case of a breach?
These factors are unique to each business, depending on the business’s size, the type of data it handles, and any governmental or industry regulations. To secure the right policy, seek assistance from a cybersecurity attorney, like Sid Bose, who can ensure that it meets your business’s needs and has the proper safeguards in place.