April 12, 2021 • By the New Iron Blogger
The numbers are staggering. According to the FBI, there were more than 11 times as many phishing complaints in 2020 compared to 2016, as the pandemic exacerbated the problem (attacks in 2020 more than doubled from 2019). According to the Proofpoint 2021 State of the Phish Report, 74% of U.S. organizations experienced a successful phishing attack last year alone.
Not only are phishing attacks and email fraud increasing in sophistication, but victims are also starting to point the finger at their Managed Services Providers (MSPs).
In January 2020, Boardman Molded Products of Boardman, Ohio, filed suit against MSP Involta LLC for falling prey to a phishing attack that cost the company $1.75 million. Boardman is suing for Breach of Service Order and Professional Negligence and Malpractice and is seeking at least $25,000 in damages. The suit also claims that 114 PUPS (viruses) were found on Boardman’s virtual server.
This landmark case has the potential to set a precedent for the MSP landscape and should be followed closely.
After reviewing the case, many questions came to mind:
- Could this situation have been averted with end-user security training?
- Did Involta and Boardman have the proper insurance in place to cover this type of situation?
- What if the ruling is in favor of the plaintiff?
- How much of an impact will the verdict have on the MSP industry?
So, what would I do if I owned an MSP or use an MSP to manage my IT needs?
First, I would call my insurance company and ask them to read the case filing and verify that our policies would cover this situation.
The typical reply is that the client should have Cyber Insurance in place with clearly defined coverage for financial losses due to phishing. And as for the service provider, they should have professional Errors and Omissions coverage that would defend the suit and pay if a judgment is made. But perhaps most importantly, a firm client/provider contract should be in place to limit the liability.
I would then follow up with more questions:
- Is there specific language we need to have in our contract with our clients to limit our exposure? Do you, the insurance company, have examples of language we can provide to our attorneys?
- Would requiring our clients to take security training help in limiting our liability?
- Would mandatory security training provide a discount on our annual premiums?
My second call would be to our attorneys and forward them the case filing with our insurance company’s response.
- I would have them review our current contract and recommend changes per the insurance companies’ guidance with any other current or past litigation in mind..
- Discuss adding a security training clause that the client can either accept or reject.
- Ask if the client rejects it, will it increase or decrease our exposure?
- If we do not have a limitation of liability clause, can we add one? If so, can our liability be limited to X number of months of the monthly service charge for any damages if we are found liable?
- Is our contract in alignment with the coverage provided by our insurance?
Additionally, is the contract’s language strong enough that it will be very difficult for the client to obtain a change of venue? Laws can vary dramatically from state to state, and there can be many variables regarding liability.
Some final takeaways:
- If you do not offer end-user security training, now is an excellent time to offer it for you and your clients’ mutual well-being.
- Discuss with your sales team the implications of this lawsuit and, if a client brings it up, how they need to discuss it.
- Review your client contract annually with your insurance company and attorney. Insurance companies amend their policies annually, and laws change with new precedents to follow.
You should always educate yourself and your client, be proactive or be prepared to litigate.
The answer for today and tomorrow
New Iron Solutions realizes that it is more important than ever to not just fill a position but to fill it with a qualified candidate that will take the company to the next level. The cost of IT employee turnover and missed opportunities are just too high to ignore. We help drive the achievement of our client company’s strategic goals by identifying middle management to C-Level leadership professionals. They align with the culture, behaviors, and results valued by your organization.