Readers will have seen the recent joint statement by the US, UK, and others about the importance of proper engagement with managed service providers in defending against cyber-attacks (I am not including links to this article as I respect readers’ nervousness about clicking on links they may not recognise). As well as the usual sensible encouragement to deploy multifactor authentication and to ensure that appropriate measures are in place to reduce vulnerability to attack, there is an encouragement for customers to work with their suppliers to ensure that the right security posture is achieved and that MSPs are held to account for their end of the security bargain.
Whilst this is sensible stuff, it is also in practice quite difficult, particularly with the large service providers who are effectively providing services as a commodity. There are numerous examples where MSP terms and conditions are very one-sided: there is little or no acceptance that the risk is shared rather than being purely the customer’s problem. Many MSPs seek to exclude all cyber risk from their contracts and take no responsibility for any problems that might arise because a customer accidentally acted on a phishing email. Worse, many MSPs are silent on the steps they take to ensure that they do not themselves provide a vector for an attack on one of their clients.
When the managed service provider is a large corporate, it is very difficult for even mid-size businesses to insist on terms and conditions relating to cyber security (for example, including warranties, guarantees or indemnities in their contracts that will help mitigate the cyber risk and require the MSP to take as much care of clients’ data as the client does). Provisions such as these can, of course, be negotiated in, but this escalates the cost quickly. In general, these contracts are often one-sided, reflecting the limited buying power of most businesses against the (very) large MSPs.
In some cases, MSPs may themselves have been designated as operators of essential services under the Network and Information Systems Directive and its equivalent legislation in other countries. In these cases, MSPs have to take additional precautions to ensure that they do not leave their systems unprotected.
We have yet to see, in the contracts that we have reviewed, more than the bare minimum of risk being assumed by the supplier, and while it is a good idea to seek to include such indemnities and warranties in one’s contracts, the reality is somewhat different.
MSPs and their clients need to be more creative and, in considering this issue, recognise that there is mutual dependency and that a risk to one could be a risk to all. We would advise our clients to review their contracts with all third-party organisations, including MSPs, to ensure that the balance of risk is not all on their side of the line. Unfortunately, where there are existing long-term contracts between suppliers and customers, the cost envelope has already been stretched quite thin and there is little scope for improving cyber posture without a hike in price.
In other cases, particularly where contracts were negotiated some years ago and the cyber situation has worsened in the meantime, clients and their suppliers may not actually fully understand or remember what is in the contract. For them, there is no alternative: not only should customers review their Service Level Agreements, but they should also review the body of the contract with their MSP to ensure that there are no other clauses that could have a material impact on the supplier’s willingness or ability to respond promptly and appropriately to a breach. Once that is understood, negotiations can begin to ensure that the cyber security support and services provided (or not) by the MSP are known and understood.
Pressure should also be brought to bear at the start of contract negotiations, e.g. for a renewal or a mid-term review, to seek an equitable sharing of risk and some comfort that these issues will be taken care of.
In the meantime, it is important that you scrutinise your contracts and ensure that any commitments the supplier makes to test its own systems on your behalf, and to involve itself in disaster recovery and BCP exercises, are honoured; SLA management should be rigorously enforced. You may find yourself having to invoke the change control process to augment the services you are receiving. In our view it is better to do that than to find yourself in a breach without access to the right resources at the right time from your MSP. This will also put your MSP on notice that you are serious about cyber security and its role in protecting you from cyber-attack.