Eliminating Liability in Cybersecurity Agreements
Business technology attorney Brad Gross told attendees what they should include in their agreements to eliminate liability and manage their customers’ expectations when offering cybersecurity solutions. He’s counseled 6,000 MSPs.
“We’re going to start with your agreements,” he said. “Your agreements suck and that’s why you’re worried. It starts with your master service agreement. A good one covers legal. Here’s the problem: you don’t live in legal and your customers don’t live in legal. Where you exist is in reality, situational reality. You don’t go to bed thinking legal thoughts. Instead, what you’re worried about is reality in the cybersecurity world.”
MSPs recommend multifactor authentication to their clients, and the clients say no, Gross said. Then something bad happens and “they blame you.”
“That’s why you’re worried about liability,” he said. “Show me in your agreement where customers have to listen to you … and if they don’t, it’s on them, not you.”
Agreements also should specify that you’re not responsible for what third-party providers are doing, Gross said.
“When an upstream fails, that’s not failure on your part, and at best you can help with workaround,” he said.
Partners shouldn’t be taking on incident response responsibilities unless it’s in a quote, Gross said.
“Everything should be done pursuant to a quote,” he said. “A quote is what you’re going to do and not going to do. In an incident response situation, the customer has no idea what to do. Have an incident response quote, a statement of work proposal. If you don’t do that type of detail that they sign off on, they will make up rules, assumptions.”