Hackers have found a new way to reach many victims at once. They are increasingly targeting IT vendors and Managed Service Providers (MSPs), because compromising one of them can give access to sometimes thousands of end customers. Datto research confirms this: as many as 95% of MSPs report that their own companies are more at risk.
This means not only that MSPs must protect themselves well, but also that hackers have found yet another route to end-customer data. That raises a new question: who is liable if an end customer is hacked, the customer or the MSP? Two experts in this field - Hans ten Hove, Director Sales Northern Europe at Datto, and Joost Schmaal, partner at law firm Kennedy van de Laan and an expert in IT-related disputes - dive deeper into this issue.
The answer to this question depends largely on the agreements made, especially in the areas of security and continuity. MSPs took security seriously in the past too, but clear agreements were not always put on paper. That is now substantially different. It is more important than ever that both parties know what to expect from each other in terms of security and continuity. "There are several reasons for this," Joost Schmaal explains. "Of course, there are more and more and bigger cyber risks. In addition, the AVG has come into effect involving the data breach notification requirement, and there are potential fines as a result." Despite these developments, situations still regularly arise in which a company falls victim to ransomware, and discussions about liability follow. Hans ten Hove explains: "If an end customer becomes a victim of a cyber-attack, the MSP is regularly pointed at when the question of blame is raised. After all, the MSP is hired to relieve the company of IT concerns, including security and backup. But the situation is often not that simple. What agreements have been made? Did the MSP recommend security and BCDR solutions? And did the customer follow the advice?"
In addition to ambiguity about blame, a lack of knowledge and awareness is also a problem. "It is important that MSPs inform customers about the risks they face," Hans continues. "There is a big gap between MSPs and SMEs when it comes to awareness of the danger at hand. Our recent research on ransomware in the channel shows that most MSPs are very concerned about malware threats (89%), while only 19% of SMEs feel that way. This raises the risk that SMBs may choose not to invest, or not invest enough, in security and business continuity solutions. This is because they think it is not worth the investment, believing they are unlikely to be victims. Then, if they do get hacked but don't have a BCDR solution, a nasty situation can arise."
To avoid ending up in a discussion about blame and liability, Joost believes it is wise for an MSP to be clear in advance about what it does deliver, and especially about what it does not. "Don't make promises you can't keep. For example, do not state in the sales documentation that all data is safe with you if you do not subsequently deliver a complete package of solutions that ensures this. Discuss all options and the consequences with the customer so that the customer can make an informed decision. Then specify the arrangements in the agreement. Do so even if a BCDR solution is recommended but deliberately not purchased by the customer. We also increasingly see that in such cases a customer is asked to sign a waiver in which the consequences of this choice are placed on the customer. Given the developments in case law regarding the sometimes far-reaching duty of care of suppliers, this is a logical and good development for MSPs. This way you avoid ambiguity, and there is no reason for discussion the moment things do go wrong."