MSP Sources of Risk
How Managed Services Providers Can Mitigate Risks
As a managed service provider, you may consider the main risks to your business to be losing customers, becoming unprofitable, or downturns in the economy.
While these are all very important to protect against, other risks revolve around your customers, your competitors, your employees, the vendors and channel partners you use, and criminal activity.
For instance, if a customer suffers a cyberattack while using the antivirus software that you supplied, you may be exposed to a liability claim if it can be shown that a bug in your software caused the breach.
That is just one specific example. Cybersecurity, data privacy, IP, and compliance all add complexity to the risk environment.
Effective risk management relies on an integrated approach to identifying and addressing the various sources of risk and implementing processes to manage and mitigate the risk.
Let us consider the main sources of risk for MSPs, as well as how to appropriately respond to these risks.
MSP Sources of Risk
Managed service providers often hold a wealth of intellectual property. This makes competitors one of your main potential sources of risk.
Loss of IP can mean brand dilution and loss of business.
Understanding the different types of IP and how to contractually protect them from the clutches of competitors needs to be a primary focus.
The four main types of IP are the following:
- Patents are only valid if they are granted by the U.S. Patent and Trademark Office (USPTO). They are granted for useful and novel inventions that meet stringent legal standards. Patents are considered property and may be transferred to other entities.
- Copyrights are available for writings, pictures, music, and other forms of art and begin when the work is completed. A work does not need to be registered with the U.S. Copyright Office to be protected. Copyright owners have the exclusive right to reproduce and distribute the material both online and offline.
- Trademarks are words or logos used in the sale of goods or services to distinguish them and prevent them from being used by others. It is advisable to seek registration of trademarks with the USPTO, but they are actually protected when they are first used in commerce.
- Trade secrets are ideas or information with commercial value because they are not widely known, including business methods, processes, formulas, patterns, and techniques. Note that trade secret protection does not apply if the information is discovered by someone else independently.
If you become aware of an infringement of any of the above types of IP, the first step is usually a cease and desist letter to the infringer. A lawsuit requesting an injunction to prohibit further infringement may follow.
Failure to take these steps can put you at risk of waiving your infringement claim.
Preparing the correct written agreements for employees, partners, and customers can help prevent exposure to the considerable risks posed by IP.
With IP, be mindful of the risks posed by infringing another company’s intellectual property, which may result in expensive and lengthy litigation.
Focus on the registration, monitoring and enforcement of trademarks and copyrightable content.
Also, consider introducing internal policies and appropriate contractual terms with employees and vendors regarding any trade secrets.
Your customers are the lifeblood of your business. But they are also one of the major risks. That’s why it is so important to get your customer SaaS agreements right.
First things first: your main agreements should be prepared by professional legal counsel.
An MSP Alliance survey found that half of all MSPs have master services agreements (MSAs) that are prepared by someone other than an attorney (such as CEOs, consultants, or IT team members). Generally, this is done to save on costs.
The same applies to service level agreements (SLAs), which outline the service-specific expectations of the parties in the business relationship.
The purpose of these agreements is to define the legal relationship between you and your customers. Failure to define this relationship properly can lay you open to an enormous level of risk, with the often eye-watering costs of professional liability cases and possible SaaS contract disputes.
For managed service providers, MSAs and SLAs are often used as part of the sales process in customer-facing interactions prior to the start of a business relationship.
The contracts are vital because the value of the business is determined by some multiple of the monthly recurring revenues. Strong monthly recurring revenues generated under sound contracts are the key ingredient of business valuation.
So, MSAs and SLAs are not the places to attempt cost-cutting measures because of the high element of risk involved.
A comprehensive MSA should include the following:
- Statement of Services
- Term of Agreement
- Holiday Availability
- Proprietary Rights
- Intellectual Property Rights
- Independent Contractor
- Client Covenants
- Limitations of Liability
- Termination of the Agreement
- Integration Clauses
- Force Majeure
Of particular importance in these agreements are the limitation of liability and force majeure provisions. You can see samples of these here.
An SLA for a managed service provider should include the following:
- Services to be Provided
- Service Hours
- Scheduled Maintenance Windows
- Problem Management
- Change Management
- Client-Supplied Equipment
- Provider-Supplied Equipment
- Service Levels
- Credits for Service Level Failures, if any
- Disclaimers (especially for resellers)
In summary, you should look for clear and consistent service agreements that specify both parties’ obligations and manage expectations. Also, arrange professional liability coverage that is tailored to MSPs and the MSP industry.
Vendors and channel partners
Vendors and channel partners also present a risk of IP liability, contract disputes, and noncompliance with licensing agreements.
If you are considering associating with a partner or reselling the managed services of another provider, you should work with your attorney to ensure that you have an MSA and SLA that encompasses all the provisions contained in your agreements with your clients.
Besides this, you should include the “indemnification and hold harmless” provisions in any agreement with your service provider.
That way, it will be made very clear who is making promises to the end-user and who will be responsible in the event of a service failure.
A sample of such a provision is included here.
MSPs must also ensure compliance with software vendors’ licensing agreements for the software and services used. Vendors are increasingly taking a hardline approach to breaches of software use agreements, and this can result in extensive fines or even litigation.
To summarize, there is a need for a regular, periodic inventory of software deployed internally and on behalf of customers to ensure compliance with applicable agreements (software licensing audits).
Also, conduct careful reviews of applicable agreements and, where appropriate, negotiations to revise the agreements.
Employees are a key asset and independent contractors can add huge value to your business – but both can present big risks to any MSP if you do not take necessary measures to protect it.
The main areas of risk with employees and contractors are IP liability and loss of business.
Initially, an important decision for the business is whether consultants will be employees or independent contractors.
There are important differences, including the level of control the business has over the worker:
A worker is likely an employee, regardless of the description of the relationship, if the business:
- Has the right to direct and control how a particular task is done
- Retains financial control over the business aspects of the worker’s job
- Indicates that the relationship is indefinite, and
- Provides employee-type benefits
A worker is likely an independent contractor, regardless of the description of the relationship, if the business:
- Does not provide any training or otherwise retain control over when and where the work is done, what equipment is used or where the work must be performed
- Does not reimburse for business expenses
- Does not prohibit the worker from engaging in other business activities
- Does not provide benefits, and
- Pays a flat rate for a project
You will need to take certain precautions in your agreements with both employees and contractors to ensure that they will not end the relationship with you and take your employees, customers, or intellectual property with them.
Many states enforce restrictive covenants that govern the post-separation behavior of staff in employment agreements.
The two most prominent types of restrictive covenants are:
- Covenants not to compete, which prevent staff from competing against their present or former employers (usually limited by scope and geographical range) and from disclosing their former employers’ confidential information.
- Non-solicitation agreements, which prohibit employees from actively recruiting other employees or customers during employment and after separation.
You can see samples of these provisions here.
In summary, employees should be bound under agreements including provisions for confidentiality (both as to internal and client materials) and competition during and following employment.
Internal policies and procedures should also be developed, implemented, distributed and updated regularly to cover appropriate use of and access to IT infrastructure, licensed software, and disclosures regarding trade secrets.
MSPs are also at risk of criminal activity like hacks or cyber-attacks. The threat of such malicious activity has never been higher.
We’ve all heard about large organizations with the most stringent security measures suffering breaches and customer data losses.
Smaller MSPs might not be so high on the radar for hackers, but if the opportunity presents itself, someone out there is likely to take it. Email phishing scams are still the most common form of cyber-attack, and no organization is immune if its employees are not educated on such matters.
A security breach is bad enough for any business. For a managed service provider that heavily relies on its reputation for providing high-quality services with guaranteed uptime and security, it can be devastating.
The reputation hit for a seriously hacked managed service provider, where all of its customers were also attacked, would potentially be difficult to recover from. It could shut down the whole organization, with customers potentially canceling their contracts overnight.
This means that stringent measures must be taken against the risk, to minimize the cybersecurity threat for MSPs.
Start by conducting user account management reviews. Then consider introducing two-factor authentication and mobile device management policies, VPN policies, email spam-filtering software, regular patch and configuration assessments, password vaulting, and comprehensive disaster recovery (DR) procedures.
You might also like to consider conducting security awareness training for employees to educate them on security risks and the in-house/client security programs.
Reducing MSP Liabilities
The risks are clear and present for all MSPs and are not going away any time soon.
The solutions that your organization implements now to minimize these risks and protect it will help define it in the future.
With sufficient focus on IP, customer contracts, communicating the relevant information to staff, introducing the right security protocols, and having the right insurance to protect you, a strong risk management response will shield your organization against future risks and challenges.