Managed Service Providers Hit with Ransomware Attacks

Thursday, November 7, 2019

Cyberliability insurance provider Beazley Insurance Company has analyzed its internal breach response data and determined that in its experience, there has been a thirty-seven percent (37%) increase in ransomware attacks this most recent quarter from the last quarter of 2019. Twenty-five percent (25%) of those incidents were against managed service providers (MSPs).

An MSP assists small- to medium-sized businesses with IT infrastructure and services, either on site periodically, or virtually. MSPs provide services to numerous clients, and support clients remotely to provide the services in a cost-effective way. Often, MSPs are small businesses as well, and don’t have the resources to combat persistent cyber-attacks. Hackers know that these MSPs are supporting numerous clients, and target MSPs to gain access to multiple organizations. If the MSP gets hit with a ransomware attack, the result may be that not only is the MSP’s own system down, but it cannot provide ongoing cybersecurity services for its clients, including patching and other critical security measures. Furthermore, when an MSP is the victim of ransomware, its customers may not have access to their own data, and MSPs may request that their customers assist with paying the ransom in order to regain access to their data.

Unfortunately, when an MSP suffers a cyber attack or security intrusion, the incident may also be a reportable data breach, which then could be the responsibility of the customer. Security incidents are difficult to respond to in your own system, let alone trying to coordinate with an MSP in the middle of a crisis.

All in all, when your MSP is the victim of a security incident or a data breach, it often becomes your problem, too. Here are some tips to consider when outsourcing your IT function to an MSP:

Complete data security due diligence on the MSP
Confirm that the MSP has cyber liability insurance
Negotiate and require the MSP to sign a contract that includes, for instance, (this list is not exhaustive, but may be helpful)
- Prompt notification of any security incident that affects the confidentiality, security or integrity of your data and cooperation and coordination;
- Indemnification and reimbursement for all costs associated with a security incident or data breach, including first- and third-party claims;
- No limitation of liability for a security incident, ransomware attack or data breach;
- Encryption of sensitive data both at rest and in transit;
- Compliance with all applicable state and federal laws relating to data privacy and security; and
- Termination in the event of a security incident or data breach, with provisions for an orderly transition to a new provider.
Confirm that the MSP has contingency operations and disaster recovery processes in place in the event of a security incident, ransomware attack or data breach. and that it has tested them

These are just some examples of things to consider when choosing an MSP. The key takeaway is not to choose your MSP based on cost alone. You get what you pay for, and picking the cheapest MSP may not serve you well in the long run. Understand that MSPs are being targeted, which means your data are at risk. Talk to your MSP about how it is protecting its own system and your data, feel comfortable that the MSP is the right choice for you, and document obligations and responsibilities in a written contract to protect yourself in the event of an incident. Many companies simply sign the contract given to them by the MSP, but these form contracts do not have provisions that can be needed to protect you in the event of an incident. The contract with your MSP is a high-risk contract, and therefore, needs special attention.