Last year, the average cost of a data breach in the U.S. clocked in at $9.44 million, according to IBM’s annual Cost of a Data Breach report. The most commonly cited cause of these data breaches is stolen credentials, accounting for 19% of all breaches. Other common attacks include phishing, compromised email, third-party software vulnerabilities, and internal weaknesses. Cyber liability refers to the extent to which you can be held responsible to pay for data breaches, data loss, and compliance failure damages. Cybersecurity should be a top priority for companies seeking to mitigate risk, prevent data loss, and protect sensitive information.
The potential damage for MSPs is even greater, since they are responsible for client data as well as their own. With these losses at stake, MSPs need to be clear on where potential liabilities are and how to protect themselves.
Know Your Liability
As an MSP, you may think it’s clear that you should have limited liability in these cases depending on the extent to which a client has followed your recommendations and implemented a strong security plan.
Your clients, however, may have a different perspective on who should be held liable. Additionally, that’s why it’s critical to know what your liability is and how you can protect yourself with cyber insurance. Here are three situations in which you may be held responsible:
- Security Breach – Security breaches result from third-party attacks, failed hardware or software, network vulnerabilities, and other security incidents. Consequently, these losses may result in a court case if steps are not taken to limit your liability.
- Damages – You can be held responsible not only for the actual breach, but also for any related damages. This may include lost data, backup failures, and revenue losses due to extended downtime.
- Compliance Failures – If your security strategy fails to comply with HIPAA, GDPR, or other guidelines, you may be held liable.
Any of these situations could incur heavy costs, including legal costs if a client decides to sue for damages. However, to prevent this worst-case scenario, you need to structure contracts and service agreements to limit liability as an MSP and ensure proper insurance coverage.
Protecting Your MSP From Liability Costs
A robust cybersecurity strategy is a good starting point for liability protection but more steps are needed to designate responsibility, define services, and secure insurance. Here are 5 key ways to mitigate risks and protect your MSP from catastrophic losses:
1. Liability Insurance
The number one thing you can do to protect yourself is to carry cyber and professional liability insurance. Cyber liability insurance covers costs associated with the data breach including customer notification, data recovery, system repairs, remediation, and other related expenses. Professional liability insurance covers the abstract issues related to an attack, such as claims of negligence, mistakes, or oversights.
2. Evaluate your MSA
Your MSA, or Master Services Agreement, should clearly spell out what you are and are not responsible for. It should also state which actions the client is responsible for, what you will and won’t help them with, and all terms and conditions.
For example, your MSA may state that you require clients to carry cyber insurance, that you are available to coach them in filling out the application but not to fill it out for them (which is its own form of liability), and what you will do in the event of a security incident.
3. Ask a Lawyer to Review Your Contract
Once your MSA is complete, ask your attorney to review it. They can verify that all applicable state requirements have been met, spot any language that may weaken your protection, and vet all of your documents. Because the MSA is legally binding, it’s helpful to go over it with your lawyer before signing to ensure that your company’s interests are protected and that you understand proper procedures for confidentiality, delivery requirements, and dispute resolution.
4. Create Refusal Waivers
If your client chooses not to follow your cyber security recommendations, a refusal waiver protects you from any future legal action they might take. Additionally, By documenting that the recommendations were made and that the client refused them, the waiver ensures that you cannot be sued for negligence or lack of compliance.
5. Require Customers to Carry Insurance
Each of your clients should carry their insurance policy and incident response plan to ensure they are fully protected. If they don’t, it shows that they don’t take their cyber risk seriously and puts you in a difficult position if a breach occurs. Clients should fill out policy forms, work with a broker, and make decisions about how much coverage to carry. Also, as their MSP, you can coach them through responsibilities, taking them on yourself can lead to additional liability.
Managing Your Risk with Cyber Liability Insurance
Undeniably, cyber liability is based on an assessment of risk. As risks continue to increase, the cost of cyber liability insurance coverage will increase as well. This is why it’s important to revisit your insurance policy regularly and many controls in place to limit liability. Evidently, with a robust policy in place, it’s still critical that you and your clients design a strong cybersecurity strategy. Strategies should codify security best practices and mitigate risk.
At CyberFOX, we help MSPs like yours protect sensitive data with password management and privileged access control. Our software helps you be compliant based on cyber insurance guidelines. Register for one of our weekly demos to see our tools in actions!