Recent Lawsuits: Important Lessons Learned
Litigation has always been a risk in the MSP industry. Often the allegations made by the plaintiff are based on an assumption that the MSP was providing services that it, in fact, was not. Two recent events provide lessons for MSPs to be very clear with their clients about the services they are providing, the services they are not providing, and the responsibilities the client holds. In this article, the names of the MSPs are being withheld so as not to throw unnecessary shade; however, a quick Google search will identify them easily if you are so inclined.
MSP Sued by Client Over Ransomware Attack
The first event involves a law firm in Sacramento, California that suffered a ransomware attack in February of 2023. In a lawsuit filed in February 2024, the law firm Mastagni Holstedt claims its IT service provider failed to adequately protect its data from attack. According to the lawsuit, the law firm initially experienced connectivity issues and contacted the MSP. The MSP serviced the issue and indicated it was resolved, but provided no additional information regarding cybersecurity risks. Three days later the law firm was hit by a major outage whereby its data was completely inaccessible. A ransom demand was made to the firm by a group known as Black Basta to restore the data. The law firm then attempted to restore the data from its Acronis backups, only to find that the backups had been deleted. The ransom was allegedly ultimately paid. The firm is now seeking more than $1M in damages. But other details paint a grim picture for both parties.
As part of the investigation it was determined that the agreement between the MSP and the law firm was based on a handshake, and no formal written contract existed between the two parties. Without a clear contract declaring the terms and conditions and a clear statement of services provided, it is impossible to determine exactly what the MSP was responsible for and where the law firm's responsibilities lie. Based on a reading of the MSP's website, it appears this MSP offers a standard stack of legacy MSP services such as monitoring, server hosting, backup, spam filtering, etc. In the category of network security specifically, the website states:
"Our technicians will check for malware and security issues that may indicate your company network is vulnerable. We can help you address any issues we may find to help keep your data safe and your network secure."
It is not clear exactly what that means. In the absence of a contract it is unclear what the MSP should have or could have done to prevent the situation. Additionally, without a contract there can be no limitation of liability. Even with a Tech E&O/cyber insurance policy (if one exists), it is unlikely the claim will be covered.
As to why an established law firm with forty-two attorneys would engage with a service provider based on a handshake, that is a question unanswered at this time.
Client Sued, MSP Blamed for Failures
Meanwhile, all the way across the country in Portland, Maine, an IT consulting firm is facing a lawsuit from some of its clients due to a data breach that exposed their PII and PHI to hackers. However, it is not the lawsuit that is the interesting part of this story.
In a statement posted to its website, Berry, Dunn, McNeil, & Parker (BerryDunn) claimed its MSP, which managed a system called Health Analytics Practice Group (HAPG) on behalf of BerryDunn, was at fault. The firm claimed that it was "notified that one of its vendors, (The MSP), a managed service provider of HAPG, had discovered suspicious network activity that was impacting its network, including systems it managed on behalf of HAPG." According to BerryDunn, it engaged cybersecurity experts and determined that an unauthorized actor had gained access to the MSP's network and stolen data stored on the HAPG system. The firm goes on to state that "BerryDunn has taken steps to secure the HAPG data, such as decommissioning all BerryDunn systems under (The MSP's) control and migrating all HAPG data to secure internal BerryDunn systems that are continually monitored as part of our cybersecurity program."
A little background before we move on. BerryDunn is a large CPA firm with more than 500 employees. It also has a consulting practice that includes information security consulting, including disaster recovery and incident response, security compliance and gap assessment, vulnerability scanning, and penetration testing, among other services. So this is an organization that understands cybersecurity.
Now let's hear what the MSP has to say about the situation. In an open statement on its website, the MSP shoots back, claiming:
"while performing its network monitoring services, (the MSP) discovered suspicious activity affecting Berry Dunn’s network, and promptly notified Berry Dunn of this activity. Notably, however, the data breach did not occur on (the MSP's) own network, nor its internal systems. Furthermore, none of (The MSP's) other clients’ networks or systems were impacted by this data breach."
"Contrary to Berry Dunn’s baseless allegations, Berry Dunn’s own network and system were breached by a third-party, through no fault of (The MSP)."
Additionally, the MSP claims it:
"has worked with Berry Dunn for years, providing technology consultation services, on-demand IT support and training, and maintenance and monitoring services for Berry Dunn’s own networks. Berry Dunn, however, did not retain (the MSP) to serve as its cybersecurity protection/prevention vendor."
So far this incident has not resulted in a lawsuit between BerryDunn and the MSP; however, that may develop later.
Lessons Learned
So what can MSPs learn from these two experiences?
Solid Contracts
MSPs must have a clear and complete contract with their clients that clearly states the services being provided and those not provided. The responsibilities of both parties should be clearly defined. The MSP must also document when services are offered to clients but declined. The Master Services Agreement should clearly state the limitations of liability. Consult with an attorney who specializes in cybersecurity law to develop and maintain a proper contract stack. In a recent article on MSSPAlert, Donald Geiter, an attorney specializing in cybersecurity law, reminds us: “What this [lawsuit] brings to light is a common thing that I see in the industry is you’ve got MSPs that know technology very well and businesses that know their business well but don’t know technology,” he said. “There’s a big difference between the delivery of technology and the delivery of cybersecurity.”
Modern Services Stack
MSPs must provide a solution stack that addresses today's cyber threat landscape. It is no longer acceptable to claim you offer cybersecurity services by simply providing managed antivirus, web filtering, and spam filtering. MSPs must have an answer beyond that. Does that mean that every MSP must now be an MSSP? No; however, the MSP must develop partnerships and alliances, through resale or referral, that can offer clients the full suite of services required today. MSPs must continually remind their clients of the threats and educate them on proper defenses. The decision to purchase those services is up to the client, but they need to be made aware and be provided an opportunity to buy in.
Comprehensive Tech E&O/Cyber Policy
In today's world MSPs must carry a comprehensive Tech E&O/cyber insurance policy. Work with an insurance company that specializes in insurance for MSPs (there are several). Most modern MSP-focused cyber insurance carriers are implementing security frameworks that require their clients to meet higher standards to qualify for coverage. These include the implementation and maintenance of specific controls and the requirement for a strong services contract with the MSP's clients.
Summary
We can all learn from the misfortunes of others. Now is a good time to review your internal practices to see whether your MSP would fare better in a similar situation. For more information on these cases, tune in to the YouTube videos by cyber insurance expert Joe Brunsman.
OTX Roundtable GRC
These are great examples of situations our peer group, OTX Roundtable GRC, is endeavoring to prevent. We discuss topics such as contractual integrity, cyber insurance, and compliance with cybersecurity frameworks. Members set goals and hold each other to achieving them. Successes, challenges, and lessons learned are shared among members. Together, members improve their MSP practices, gain a competitive edge, and command higher rates.
If you would like to find out more about joining OTX Roundtable GRC or find out more about other services OTX Partners offers please click here.