On July 1, 2020, Stu Panensky (Fisher Broyles) led a spirited discussion at NetDiligence’s Virtual Summer Summit. Entitled “Tricky Breaches: Managed Service Providers,” this panel brought together a dynamic group to elucidate the complex difficulties of managing and insuring breaches at MSPs and MSSPs.
What are MSPs and MSSPs, and what makes them so tricky? Both provide services that allow companies to outsource their IT needs. MSPs (Managed Service Providers) can offer a range of services, while MSSPs (Managed Security Service Providers) focus specifically on network security. According to Nathan Little (Tetra Defense), almost all organizations have some dependence on these third-party providers. By their nature, an MSP or MSSP must have access to an organization’s IT systems, and the tools they use to connect provide threat actors with pathways to all of an MSP/MSSP’s clients. So a breach at an MSP/MSSP can ripple downstream, affecting not only the breach victim but all of its clients and its clients’ clients.
Brendan Kelley (CNA) calls a breach at an MSP/MSSP the “keys to the kingdom,” a one-stop shopping point for threat actors. They have become a hot topic because they are rich targets. David Walton (Cozen O’Connor) adds that MSP/MSSPs are attractive not only because of the volume of data they hold, but also because of its variety. Since an MSP/MSSP may have clients across multiple industries, a single breach can expose PHI and PII, as well as a host of sensitive information related to internal business practices.
The technical nature of the MSP/MSSP adds other layers of complexity. Meghan Hannes (Hiscox) describes this as an “enhanced reputational event.” Since MSP/MSSPs are specifically providing a data security service, a failure cuts deep. Furthermore, because MSP/MSSPs are largely staffed with IT professionals, some friction may be inevitable when the risk management team includes vendors whose job is to discover how the technology failed.
Finally, insurers contemplating MSP/MSSPs face a moving target. As MSP/MSSPs develop their client base, a policy written to cover certain types of data may become inadequate over time. An MSP/MSSP that lands their first contract with a healthcare provider suddenly becomes a different type of risk overnight.
Hannes calls the breach of an MSP/MSSP a “hornet’s nest,” an event that “ticks all the boxes” of loss – data exfiltration, business interruption (BI), investigation and repair, notification, and reputational harm – and not just for the MSP. Depending on the contracts they hold, MSP/MSSPs may face legal repercussions including breach of contract, breach of privacy, and a variety of lawsuits from downstream clients looking for someone to blame. Kelley concurs, stressing that each breach is unique and that sorting out ownership of both data and responsibility is essential. A breach will trigger complex issues around subrogation, as MSP/MSSPs, their clients, and their clients’ clients may all hold various types of coverage under a multitude of policies written by different carriers.
The panel agreed that strong, clear, and explicit contracts are key to managing this volatile situation. Little advises asking specific questions: Who will monitor backups? Who will review alerts? Who will patch firewalls? Walton stresses ongoing review, particularly around standard of care: The “reasonably prudent” standard required by law is ever-changing, as definitions can shift with litigation based on expert testimony. Hannes emphasizes a holistic approach: Beyond standard questions, how can all parties share a sense of ownership?