As Managed Service Providers — or MSPs — we run our customers' IT services.
Our clients sign up and pay for a specific group of services that we promise to deliver. Usually, they commit to our services for a certain number of users at their institution over a set period, such as a year. They then pay for that number of users having access to the services we outlined in our agreement. We hope that this turns into an ongoing partnership; we get to know their structure and build solutions accordingly, and then they choose to renew each year.
Watch Arnie Bellini's keynote from IT Nation 2018, especially the last part, where Arnie talks about cybersecurity and managed IT service providers.
But do our responsibilities end just with the services outlined in the contract? The answer is no.
You own the risk of your clients' security. You might think that if a client isn't paying for a specific service, you don't need to worry about it, but that is not how it works for MSPs and cybersecurity. While our business models center on menus of services to which clients subscribe, the consequences of managing a client's IT do not always line up with the items on the menu. Any offering of cybersecurity services by an MSP carries an implied, general responsibility for the client's security.
It's a potentially frustrating reality, but it makes sense, right? IT evolves rapidly, with new technologies, capabilities, and threats appearing daily. How could a static menu of MSP offerings address every threat and contingency? Since you are the subject matter expert hired by your client to manage their security, you are responsible. Under the contract you have established with them, you must deliver the listed services to the number of users paid for, but that list is a baseline, not the full extent of what you will be doing. It gives the non-expert client clarity on what to expect and establishes a shared vocabulary so the two of you can review the work performed.
But just because your client didn't sign up for specific cybersecurity solutions does not mean you won't get sued if there is a security breach. You still own the liability.
The only possible "workaround" is to have your lawyer draft a release that explicitly lists the data protection services your client is not paying for and frees you from responsibility for them; both you and your client must sign it for it to be valid. Most likely, when you approach your client with such a release, they will change their mind and decide to commit to and pay for the services needed for you to assume accountability for their data.
Use your sales process, onboarding, and your ongoing relationship with your client to educate them and turn them into your partner. You will have fewer problems with a customer who follows security best practices, and the best way to get there is to provide them with guidance and clarity on the risks, the solutions you offer, and the future security outlook.
Remember: at the end of the day, the responsibility for cybersecurity lies with MSPs.