Protecting Your Business from Managed Service Provider Cyberthreats

Kathleen McGee, Waleey Fatai


July 28, 2022

MSP Cyberattacks

The cybersecurity authorities of the United States, the United Kingdom, Australia, Canada and New Zealand recently issued a joint advisory (AA22-131A, May 2022) alerting organizations and service providers to the rise in malicious cyber activity against managed service providers (MSPs). The advisory defines MSPs as entities that deliver, operate or manage information and communication technology (ICT) services and functions for their customers under a contractual arrangement, such as a service level agreement. The advisory is timely in light of recent incidents. For example, T-Mobile, Nvidia and Okta were recently reported to have been compromised by the international extortion group Lapsus$, which steals data and threatens to publish it rather than deploying ransomware; in Okta's case the intrusion came through a third-party customer-support contractor, precisely the kind of service-provider exposure the advisory describes. The ransomware group Conti, for its part, had more than 60,000 of its own internal messages dating back to January 2021 leaked from the backend of its Jabber server, exposing in detail how the group operates.

Organizations typically engage MSPs for a range of ICT management and operation services, but they are also targets in their own right, and a compromise of an MSP can be used as a route into every customer that MSP manages. Even before addressing MSP-related vulnerabilities, therefore, risk professionals should consider how to help their organizations mitigate their own exposure to such attacks.

Risk professionals and their organizations must recognize that email is usually their single greatest weak point, because most businesses rely heavily on it for day-to-day transactions. Many recent cyberattacks have in fact been achieved through business email compromise (BEC). In a BEC attack, the attacker hijacks, spoofs or impersonates a business email account so that a message appears to come from someone the recipient trusts (an executive, a supplier, outside counsel) and asks the recipient to make a wire transfer, divert payroll or change banking details. Organizations and their risk professionals should anticipate that the crackdown on ransomware operators will likely push attackers toward BEC as an alternative source of revenue. Risk professionals must therefore work with the company on a continual basis to train employees to recognize and report impersonating emails, and must put in place systems and procedures for filtering out, reporting and ultimately disposing of such messages, including the sender-authentication controls (SPF, DKIM and DMARC) that make spoofing the company's own domain harder. Regardless of whether an organization's IT infrastructure is outsourced, a reasonably sophisticated internal IT team will be necessary to operate and manage these controls day to day.
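As an added illustration, not part of the original article, the following Python script checks a message's headers for the three indicators most BEC filters start with: a protected executive's display name on a message sent from an outside domain, a Reply-To header that silently diverts replies elsewhere, and a sender domain that is a lookalike of the company's own. The company domain, the executive names, the homoglyph table and all sample messages are constructed for this example and are not drawn from any real incident.

```python
"""Added example (not from the original article): a header-level checker for
three common business e-mail compromise (BEC) indicators.
The company domain, executive names and sample messages are constructed for
illustration only."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumed: the organization's own domain
EXECUTIVES = {"jane doe", "john roe"}     # assumed: display names attackers impersonate
# Character substitutions attackers use to build lookalike domains (assumed table)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    """Undo common homoglyph tricks so 'exarnp1e.com' compares as 'example.com'."""
    d = domain.lower()
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain imitates COMPANY_DOMAIN but is not actually it."""
    if domain == COMPANY_DOMAIN:
        return False
    canonical = normalize(domain)
    return canonical == COMPANY_DOMAIN or edit_distance(canonical, COMPANY_DOMAIN) <= 1


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    findings = []
    if display_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("display-name impersonation from external domain")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to diverts replies to " + reply_addr.lower())
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain " + from_domain)
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "impersonation": (
        'From: "Jane Doe" <ceo.jane.doe@webmail.test>\n'
        "To: controller@example.com\n"
        "Subject: Urgent wire needed today\n\n"
        "Please send $48,000 to the vendor account below before noon.\n"
    ),
    "lookalike": (
        'From: "Accounts Payable" <ap@exarnple.com>\n'
        "To: controller@example.com\n"
        "Subject: Updated banking details\n\n"
        "Our remittance account has changed; see attached.\n"
    ),
    "reply_diversion": (
        'From: "John Roe" <john.roe@example.com>\n'
        "Reply-To: john.roe@webmail.test\n"
        "To: payroll@example.com\n"
        "Subject: Direct deposit change\n\n"
        "Can you update my direct deposit? Reply here, I am travelling.\n"
    ),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        "To: staff@example.com\n"
        "Subject: Board meeting agenda\n\n"
        "Agenda attached.\n"
    ),
}


def scan_samples():
    """Run the checker over every constructed sample; returns {name: findings}."""
    return {name: bec_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:16} {findings or 'clean'}")
```

In practice a check like this runs at the mail gateway and feeds a quarantine or banner-warning rule, and it complements rather than replaces DMARC enforcement: DMARC stops messages that forge the company's exact domain, while the checks above catch the lookalike domains and free-webmail senders that DMARC cannot.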

Considering the widespread adoption of work-from-home policies following the COVID-19 pandemic, organizations must also tighten up their virtual private network (VPN) servers. Although a VPN is meant to provide a protected channel for remote connections into the corporate network, VPN gateways have become a soft target for attackers precisely because they are internet-facing and heavily relied upon: a single vulnerability or weak credential on the gateway can open the whole network. The National Security Agency and the Cybersecurity and Infrastructure Security Agency therefore recommend, among other things, that organizations use only standards-based Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPNs that have been validated against standardized security requirements, configured with strong cryptography and authentication and with unnecessary features disabled. Once a VPN is deployed, the organization should monitor access to and from it, using web application security where the gateway exposes a web front end, appropriate network segmentation, least-privilege access restrictions and intrusion prevention systems.
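The guidance above is only useful if someone checks the gateway's actual settings against it, so as an added example (not from the article, and not NSA or CISA tooling) the Python script below audits IKE and ESP proposals written in strongSwan's ipsec.conf notation and flags anything below a minimum-strength policy. The notation (encryption-integrity-DH group, with an optional trailing "!" for strict matching) is an assumption about the reader's VPN software; the policy thresholds (AES-256, SHA-384 or better, DH group 16 or 20 or larger, IKEv2 only) are this example's own choice, modeled on NSA's published IPsec recommendations; and the two configuration blocks, a legacy one beside its hardened replacement, are constructed for illustration.

```python
"""Added example (not from the article, NSA or CISA): audit strongSwan-style
IKE/ESP proposals against an assumed minimum-strength policy and report
weak settings. The policy thresholds are modeled on NSA's published IPsec
recommendations but are this example's own assumption."""

# Approved components (assumed policy).
STRONG_ENCR = {"aes256", "aes256gcm16"}
AEAD = {"aes256gcm16", "aes128gcm16"}              # AEAD modes carry their own integrity
STRONG_INTEG = {"sha384", "sha512", "prfsha384", "prfsha512"}
STRONG_DH = {"modp4096", "modp6144", "modp8192", "ecp384", "ecp521"}

# Components that should not appear in a VPN proposal, with the reason.
KNOWN_WEAK = {
    "des": "single DES",
    "3des": "Triple DES (64-bit blocks, Sweet32)",
    "aes128": "AES-128, below the AES-256 policy floor",
    "aes128gcm16": "AES-128-GCM, below the AES-256 policy floor",
    "md5": "MD5 HMAC",
    "sha1": "SHA-1 HMAC",
    "sha256": "SHA-256, below the SHA-384 policy floor",
    "modp768": "DH group 1",
    "modp1024": "DH group 2",
    "modp1536": "DH group 5",
    "modp2048": "DH group 14, below the 4096-bit/P-384 policy floor",
}


def classify(token):
    """Map one proposal component to its role, or to 'weak'/'unknown'."""
    if token in STRONG_ENCR:
        return "encr"
    if token in STRONG_INTEG:
        return "integ"
    if token in STRONG_DH:
        return "dh"
    return "weak" if token in KNOWN_WEAK else "unknown"


def check_proposal(proposal):
    """Return findings for one proposal; an empty list means it meets the policy."""
    tokens = [t.lower() for t in proposal.strip().rstrip("!").split("-") if t]
    findings, roles = [], set()
    for t in tokens:
        kind = classify(t)
        if kind == "weak":
            findings.append(f"{t}: {KNOWN_WEAK[t]}")
        elif kind == "unknown":
            findings.append(f"{t}: not on the approved list, review manually")
        else:
            roles.add(kind)
    if "encr" not in roles:
        findings.append("no approved encryption algorithm")
    if "integ" not in roles and not any(t in AEAD for t in tokens):
        findings.append("no approved integrity algorithm")
    if "dh" not in roles:
        findings.append("no approved Diffie-Hellman group (no PFS)")
    return findings


def audit_ipsec_conf(text):
    """Audit keyexchange=, ike= and esp= lines of an ipsec.conf conn block.
    Returns {setting: [findings]}; an empty dict means nothing to fix."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "keyexchange" and value != "ikev2":
            report[key] = [f"{value}: only IKEv2 is in policy"]
        elif key in ("ike", "esp"):
            for prop in value.split(","):      # a setting may list several proposals
                for f in check_proposal(prop):
                    report.setdefault(key, []).append(f"{prop.rstrip('!')}: {f}")
    return report


# Constructed configurations: a legacy block beside its hardened replacement.
WEAK_CONF = """conn legacy-vpn
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=aes128-sha1
"""
HARDENED_CONF = """conn hardened-vpn
    keyexchange=ikev2
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
"""

if __name__ == "__main__":
    for name, conf in (("legacy", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_ipsec_conf(conf) or "meets policy")
```

The checker is deliberately strict about unknown names: a component it does not recognize is reported for manual review rather than silently accepted, which is the safer failure mode when a vendor introduces a new algorithm label. Validation against a formal standard is still the vendor's job; this script only tells you whether the configuration you deployed matches the strength you intended.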

Where an organization has outsourced its IT infrastructure to an MSP, now is a good time to review the MSP's policies for preventing and mitigating cyberattacks, including the controls the advisory specifically recommends: multifactor authentication on all MSP access, logging that is retained for a defined period, segregation of each customer's systems and data, least-privilege access for MSP accounts and a contractual duty to notify the customer of confirmed or suspected security incidents. An organization planning to engage an MSP should consider making the MSP's implementation of these measures a condition precedent to any contractual relationship.

In addition, risk professionals should review their service contracts with their MSPs, especially the indemnity and limitation of liability provisions. One reason organizations outsource their IT needs and infrastructure is to take advantage of the provider's more sophisticated infrastructure and to shift the burden of managing that infrastructure to the provider. To ensure that those benefits are actually realized, the indemnity and limitation of liability language in the governing contracts should be tightened to give the organization the protection it requires in the event of a cyberattack. Since an IT service provider should have a high level of sophistication in managing IT infrastructure, it should ordinarily indemnify the organization against losses the organization suffers from a breach caused by the provider's negligence. Even where an organization bears certain liabilities under its arrangement with the provider, those liabilities should be reasonably limited, with the extent of the limitation depending on the circumstances.

From an overall financial and business perspective, risk professionals should consider obtaining fairly broad insurance coverage for liabilities arising from a data breach involving sensitive personal and business information. The availability of insurance should not, however, weaken the negotiation of tight indemnity and limitation of liability language with these service providers.

Kathleen McGee is a partner at Lowenstein Sandler LLP.

Waleey Fatai is a law clerk at Lowenstein Sandler LLP.