For the first time ever, governments around the world have started to publish minimum guideline recommendations for cybersecurity.
What this says, in summary, is that you need to provide MDR (Managed Detection & Response) and IR (Incident Response) services to your customers.
Will not providing this service put you in legal jeopardy?
It will if you haven’t drafted your MSA (Master Service Agreement) properly or obtained a “Waiver” from the customer.
So here are some ideas about what to do (I am not a lawyer, please get your own legal advice):
- offer every customer your MDR & IR services as a standard
- have your MSA cover:
  - Your MSA must tell your customer that you will provide/facilitate only those services listed in a quote.
  - Your quotes must specifically state that your services are limited to the scope of the quote, and all other services or projects are out-of-scope.
  - Your declination notice should tell your customer about the declined service (what it is, what it does, etc.)
  - Your declination notice should provide an example of what could happen to the customer without the declined service (e.g., “you could irretrievably lose data,” “your IT environment could shut down without warning,” “you won’t learn of newer or better strategies,” etc.)
  - Your declination notice should tell the customer that the declined service will not be provided unless both you and the customer agree to the service in a separate, written, mutually accepted quote in the future.
Make sure your MSA is written correctly, and then, when your customer declines a service, deliver a declination notice; don’t ask your customer for permission not to deliver that service.
This way, if a customer suffers a breach after having previously declined your MDR service, you should not be exposed to a claim of “Corporate Negligence”.
(Please take your own legal advice; I am not a lawyer. I am just providing this information so that any MSP who is new will know what questions to ask.)