Managing Risk in Managed Services
This past week I had the opportunity to present on the topic of managing risk in managed services to the OTX Roundtable. I want the thank the OTX Roundtable and Mark Jennings in particular for inviting me to speak. What follows is Mark’s transcript of the meeting.
Rob Scott opens with a brief introduction of his background and experiences within the MSP business as well as many companies in the office equipment and telecom industry.
Rob starts out with a provocative question:
“Why would people with good businesses in office equipment or telecom, get into a business that is so risky? Where you take all of the responsibility for the things that go wrong, and your vendors are the ones that are getting the lion’s share of the revenue? What kind of business model is that? It sounds like a stupid business to get into.”
Rob goes on to explain that our vendors’ contracts all stipulate that if something goes wrong, it is your responsibility, not the vendors, to make the customer whole. If anything goes wrong with your customer data, that is your responsibility. If anybody gets sued you have to indemnify and defend them regardless of whether it was their fault. They are getting the money and you are taking all the risk.
Rob clarifies that an MSP is not an insurance provider but rather a service provider that is aggregating a number of different solutions for the benefit of the customer in a manner that enables them to manage the environment better than the customer could themselves. But that does not mean the MSP is responsible for every vendor solution they introduce into the environment.
Although the consumer thinks that everything involved with IT is your responsibility, that is not true. However, if we allow our customers to believe that and enter into agreements that don’t clearly disabuse them of that, then your business is not going to be worth much of anything.
Unlike office equipment or telecom, the key to success in the MSP business is the ability to manage risk, namely privacy and data security.
The Sources of risk are:
- Vender and Channel Partners
Your customers are a big risk. Do we want to have customer that won’t invest in the most basic security measures? We need to view our network as not only our internal network but also all of the customer networks we support. Therefore, our customers are a potential risk to our network. Customers that do not have adequate security in place need to be upgraded or exited.
Employees and the employees of our customers are a risk as well. Over 42% of data privacy incidents occur because of employee negligence. This demonstrates the need for things like employee cybersecurity training and testing.
Criminal behavior such as ransomware is a very common threat. Rob’s firm has very specific language regarding criminal activity and specifically ransomware. Their agreements stipulate that, in the event of a ransomware attack the client has the choice of paying the ransom or paying the MSP for all services required to remediate at their current rate. Ransomware remediation is clearly out-of-scope and not included in the contract.
Scott and Scott has a four part process to help MSPs manage risk:
- Policies and procedures
- Regulatory risks
Rob explains that they have very specific language regarding the MSP services. These contracts have been developed over 15 years of experiences of clients getting burned. Having a contract that clearly and unequivocally identifies the scope of your services and the exclusions of those services is critical.
Policies and Procedures
All MSPs should have:
- Written Information Security Policy,
- Breach incidence response plan
- Acceptable use policy
- All client implement a “verbal confirmation of transfer”
All MSPs must carry Professional liability insurance(E&O) specifically covering cyber liability. (This has been covered extensively in previous meetings). Look at the indemnity provisions of your insurance policy (what you have insurance for) and carry that directly to your customer contracts. Minimize the gap between what you have transferred to your insurance company and that which you are taking on from your client. There should be no gaps.
These are on the rise. More and more states, countries and industries are a enacting data processing regulations. Rob uses GDPR as an example. If your customer processes data on any EU citizen, that customer is subject to GDPR regulations and by extension you are subject through your contract with the client as well. But how would an MSP know which regulations your customers are subject to? They couldn’t. Therefore, their contracts specifically name regs like GDPR and others and stipulate that the MSP is not responsible for this. If the client does need services related to the regulation, they need to enter into a separate data processing agreement with the MSP.
When working with clients in regulated industries,. MSPs must be familiar with the regulations and have the appropriate data processing agreements in place. MSPs should have their own versions of data processing agreements available to present to clients when needed versus allowing the client to present their own version.
On-line Contracting Platform
Scott and Scott has created an on-line contract system whereby all contracts, quotes, and SOWs are presented to the customer through an on-line portal, electronically signed, and stored. All contracts are collapsed into a single system with references to companion contracts. This web-based terms allows for a streamlined approach by placing links into sales documents to the contracts.
Many Office Equipment or telecom businesses have tried to use there existing contracts as the basis for their MSP services contracts. This is a bad idea.
Limitations of Liability, Indemnity, Insurance
Most claims should be covered by your E&O insurance. However, for any claims that are not covered, the contract should declare significant limits such as “three month of revenue for the service giving rise to the claim.” Rob goes on to say that when an MSP goes to sell the business, or buy others, they must look at the exposure in the contract base. This is governed by the customer contract. If the contract is loose regarding Liability limitation and indemnity, the contracts are not worth as much and therefore the value of the business is diminished. Rob’s contracts require the customer to carry their own first-party cyber liability insurance.
Typical Contract Stack
- Master Services Agreement
- Manages Services Agreement
- Backup and Disaster Recovery Agreement
- Managed Security Services Agreement (MSSP or MDR)
- Cloud and Hosting Agreement
- Statements of Work
- Service Level Objectives
All agreements are incorporated by reference to avoid duplication of language.
Data Backup Contracts
Rob explains that his contracts, unless otherwise specified in a separate agreement, specifically call out that the client is responsible for maintaining their own local backup. Why? Because, no backup is 100%, and secondly, the #1 rule is redundancy. Finally, if a it is in your contract, and the client fails to do so, it significantly reduces their exposure.
Early Termination Clause
The MSP business has been built on the premise of a 36 month commitment between MSP and client. Therefore, the contract should carry some penalty for early termination without cause. This does not preclude the MSP from offering some other arrangement in the course of a cancellation.
Rob also suggests that if a client wants to only sign a 12 month agreement that should come at a 20% premium over the 36-month contract. Month-to-Month, if offered should gain a 25% premium.
If a contract is cancelled for convenience (not cause), the client should be responsible for 50%-75% of the remaining premiums of the term. Any out-of-pocket costs from third party vendors should be recouped as well.
Transition Fees and IP
Rob discusses the issue of transition services in the event the client is moving to another provider. Your contract should have clear terms that, provided all early termination fees and any other outstanding invoices are paid in full, you will provide transition services at your agree upon hourly rate. Likewise, your Intellectual property (scripting, configuration, other confidential information) does not belong to the client. That should be stated in your contract and removed upon termination.
Software vendors can be very aggressive. If a customer is subject to an audit, you don’t want to get caught up in any irregularities. So you contract should indemnify you of any liability regarding the clients use of software or other third party services.
MSPs should carry Errors and Omissions, Cyber Liability, and First Party coverage. First party covers your network (which includes your clients network). Rob explains if an employee does something within your operation that causes you to lose data, that is a first party claim. If an employee does something that causes your client to have a privacy incident or lose data, that is an E&O claim. Customers should have their own first party insurance.
Rob returns to the topic of Regulatory risk and discusses the various regulations that MSP should have data processing agreements with all clients that are subject to those regulations.
Rob wraps up his talk by returning to the question he asked at the opening. Why would you want to be a stupid business like the MSP business? Rob states that if you implement all of the suggestions above, suddenly you have a scalable business where you can deliver relatively high value for a low cost, do most of the work remote, realize margin of between 7%-30%, and maintain long term contracts with clients.
The MSP business is a privacy and security business. You don’t take care of computer systems, you keep clients safe from cyber threats. If you are not focusing on security you need to revisit it. Your messaging should center on security
Rob discusses the issue of MSPs that offer other business services. Should the MSP business be under the same entity as other businesses are. Rob suggests that the risk of the MSP business is typically greater than other forms of business. Rob recommends separating the MSP business into it own separate entity.
Mark Jennings asked whether single EU citizen staying at a local hotel makes that business subject to GDPR. Rob says yes, there are no thresholds that need to be met to enable GDPR. Again Rob sys that you need to have those data processing agreements in place. There may be some regulations that MSPs wish to steer clear of and therefore choose not to do business with clients subject to those regulations.
Vince Altomare asks whether it is better to start with a clean slate as opposed to editing you existing contracts. Rob says that the vast majority of his clients use the forms that are provided by Scott and Scott. They still need to be modified to include the specific services offered by the MSP. Most pre-existing contracts so not lend themselves well to the on-line contract system used by Scott and Scott.
Scott and Scott offers the on-line portal for presenting, signing, and maintaining the contract stack. Robs firm will work with the MSP to integrate them into the PSA
Bill England discusses a “real-world scenario” in which a client was affected by an employee clicking on a bad link. The client is looking at Cobb to cover their damages. A 20-minute discussion regarding the details of the case.
Rob closed with an offer to review the agreements that are in use today on a complimentary basis. He will then schedule a call to discuss his findings. He can then generate a proposal to work with you on your contracts.