As a Managed Service Provider (MSP), managing vendor risks is a critical aspect of your job. Your clients rely on you to ensure that their IT systems are secure and running smoothly, which means you must carefully vet and manage the vendors that provide the software, hardware, and services that support those systems. Such vendor due diligence is required by federal regulations, including HIPAA and GLBA. MSPs also may be called upon to prove that they acted reasonably under the circumstances in selecting and deploying vendor tools. Among the most significant legal risks our Contracts-as-a-Service solution is designed to address are those created by your vendor partners.
MSP Security Incidents
I am sure you remember some of these well-known security incidents impacting tools widely used by MSPs:
- Kaseya: In July 2021, Kaseya, a popular remote management software provider used by MSPs, suffered a ransomware attack that impacted more than 1,000 of its customers. The attack was caused by a vulnerability in Kaseya’s software that was exploited by the attackers.
- ConnectWise: In February 2021, ConnectWise, a popular MSP software platform, disclosed that it had suffered a security incident that resulted in unauthorized access to some of its customers’ data. The incident was caused by a vulnerability in a third-party plugin used by ConnectWise.
- SolarWinds: In December 2020, SolarWinds, a popular IT management software provider used by MSPs, suffered a supply chain attack that impacted thousands of its customers. The attack was caused by a vulnerability in SolarWinds’ software that allowed attackers to inject malicious code into the software.
- Accellion: In December 2020, Accellion, a file transfer service widely used by MSPs, suffered a security breach that exposed sensitive data belonging to its clients. The breach was caused by a zero-day vulnerability in Accellion’s file transfer application.
- Citrix: In March 2019, Citrix, a popular virtualization software vendor used by MSPs, suffered a data breach that exposed sensitive data belonging to its clients. The breach was caused by a vulnerability in Citrix’s systems that allowed attackers to access customer data.
- Continuum: In 2019, Continuum, an MSP platform provider, suffered a security incident that resulted in unauthorized access to some of its customers’ data. The incident was caused by a vulnerability in a third-party plugin used by Continuum.
- Webroot: In 2019, Webroot, an anti-virus software provider used by MSPs, suffered a security incident that resulted in the deletion of critical files on some of its customers’ systems. The incident was caused by a faulty software update.
- LabTech: In 2016, LabTech, a remote monitoring and management (RMM) platform used by MSPs, suffered a security incident that allowed attackers to access customer data. The incident was caused by a vulnerability in LabTech’s software.
- TeamViewer: In 2016, TeamViewer, a popular remote access software provider used by MSPs, suffered a data breach that resulted in unauthorized access to some of its customers’ data. The breach was caused by attackers using stolen credentials to access the company’s systems.
Assessing How Risk is Managed by MSP Contract Templates
In the wake of the Kaseya incidents, our partners took a fresh look at how vendor risks were being managed in our MSP contract templates. The result is now called the Schedule of Third-Party Services. Our Schedule of Third-Party Services contains a clear and unequivocal waiver of your customer’s right to sue you for acts or omissions of Third-Party Services. To make the waiver clear, we use boldface type and plain language at the very top of the document. This approach allows our clients to practice transparent IT, in that it discloses all the vendors you use, what service you use them for, and what terms and conditions will govern your clients’ relationship with the vendor. The broader disclosure was intended to meet the known right standard many courts use to evaluate the enforceability of waivers of the right to sue, which are generally disfavored by courts.
Our Schedule of Third-Party Services comes pre-populated with over 170 vendors in the managed services community. We customize the Schedule of Third-Party Services for each client, and it is updated 4 times per year as MSPs make changes to their vendor stack.
After representing over 200 MSPs, we have developed an innovative Contracts-as-a-Service solution that provides comprehensive legal protections to MSPs, based upon industry-leading templates that are customized for each client and regularly updated to make sure MSPs always have the latest protections and legally compliant customer contracts. If you are interested in managing your vendor risk, schedule a demo today and we will show you our Schedule of Third-Party Services.