2024-08 ProTier Presentation by Randy Whitmeyer

Transcript

1. CrowdStrike, Contracts and Liability Randy Whitmeyer ProTier PeerGroup Meeting August

   13, 2024

2. CrowdStrike Incident and Liability https://www.informationweek.com/it-leadership/where-does-liability-reside-after-the- crowdstrike-outage-#close-modal https://www.wired.com/story/crowdstrike-outage-microsoft-delta-lawsuits-analysis/ https://www.crowdstrike.com/terms-conditions/ https://www.darkreading.com/cyber-risk/crowdstrike-s-legal-pressures-mount-could-blaze- path-to-software-liability

   https://www.govtech.com/blogs/lohrmann-on-cybersecurity/legal-financial-and-insurance- implications-of-the-crowdstrike-microsoft-incident

3. MSP Role Trusted technology adviser – Help Scope/Update/Monitor/Fix a Client’s

   IT Environment NOT a developer of software or hardware At the end of the day, should NOT be responsible for issues with systems it doesn’t control Certainly not responsible for malicious actors

4. Why is a Good MSP Contract Important? • Minimize legal

   risk and liability • Establish appropriate expectations and solid business relationships with your customers, leading to satisfied customers • Enhance the value of your business when you look to sell your company

5. What Makes a Good MSP Contract? Covers important topics in

   a clear fashion, especially “in-scope” and “out-of-scope”. Defined terms and separate document fit together. Has appropriate liability limitations Is tailored to the target customer (vertical focus, size) and competitive environment Likely has a master agreement structure Reflects the values, business model, and risk profile of the MSP’s owners and managers Avoids “contract gap problem”, i.e., making promises to customers without your suppliers making the same promises to you Reflects input of legal advisor, accountant/finance advisor, and senior technical management

6. Master Agreement vs. “URL Terms” Strong Trend in SaaS/Software world

   – and some MSP’s -- to “URL-based” Terms ✓Flexible, easy to incorporate and easy to update ✓Shortens your signed documents ✓But always have to remember to include. ✓Compare to Master Services Agreement - signed just one time and just refer to in Schedules/Orders for Services

7. 3 Parts to MSP Agreement ➔ Commercial Terms ➔ Commercial

   “Details” ➔ Legal Terms

8. Commercial Terms - Services, Fees, Term - May have “sales/marketing”

   feel Define in-scope and out-scope (here or in Commercial Details)

9. Commercial Details More services details, including legal-type terms/disclaimers specific to

   services May include terms required by your providers May include details regarding fee changes/scope changes

10. Legal Terms More “traditional” Legal terms, e.g. - Limits of

    Liability and Disclaimers - Term/Renewal - Termination/Suspension - Choice of Law/Jurisdiction - Employee Non-solicitation

11. Limits on Liability • Limit overall liability to revenue received

    over last X months • Exclude lost profits and consequential damages • SLA remedies should be exclusive

12. Disclaimers and Warranties • Warranty to provide services in a

    professional and workmanlike manner, using qualified personnel • No performance warranties • No hardware warranties • No warranties that monitoring and monitoring devices will be without error or will catch all issues • Exclude all other warranties

13. Sample Language

14. Sample Disclaimers / Language Client agrees that: (i) Provider makes

    no promises or guarantees that it will be able to resolve issues or “bugs” in in software, systems and technology (“Third-Party Systems”), and (ii) a failure by Provider to resolve any issue or series of issues in any Third-Party System is not a breach of this Agreement. Provider is in no way liable for defects or “bugs” in any Third-Party Systems, or for correcting errors introduced into data or software due to failure of Third-Party Systems, or for any cost of reconstructing software or lost data.

15. Sample Disclaimers / Language The parties agree that it is

    impossible to guarantee: (i) the trouble-free performance and security of computer hardware, software, networks, environments, and systems; (ii) the reliability of any technology or technology-related asset; and (iii) the applicability, outcome or performance of any training or the behavior of any human resources, all regardless of whether procured, provided, installed, managed, supported, administered, trained and/or supervised by Provider, or in any way associated with the Services.

16. Sample Disclaimers / Language Client agrees that the maximum aggregate

    liability of Provider or any of its suppliers relating to this Agreement and the Services shall be limited to the amount of fees actually received by Provider from Client under the applicable Schedule during the prior [three (3) months/six (6) months]. In no event shall either party or any of its suppliers be liable for any special, incidental, indirect, cover, consequential, exemplary or punitive damages; any damages based on injury to person or property or death; or any lost sales, profits or data, even if a party is told that any of such damages may occur. In no event is Provider liable for any systems related to medical devices, other life-saving devices, real time controls for critical processes, or other systems the failure of which might cause injury or death, including any interface to any such systems.

17. Sample Disclaimers / Language Provider does not guarantee or certify

    the prior, current or future integrity of the security of any Client network or system. Client is solely responsible for developing its own security policy and periodically testing its security to make sure it meets the requirements of its security policy. Client is specifically advised to obtain appropriate cybersecurity insurance to help protect its technology environment from malicious actors. Unless specifically agreed in a Schedule, Provider does not provide recommendations concerning the security of any Client network or system. Any changes made to a Client network or system may have direct or indirect impacts that are negative to its security. Provider cannot anticipate every possible reaction due to such changes.

18. Sample Disclaimers / Language Servers, workstations, laptops, routers, wireless access

    points, and other intelligent network devices and equipment that have been identified by Client and agreed by Provider to be covered (“Covered Systems”) will be monitored. To the extent possible, monitoring will include system and service up/down status, reasonable review of system and application error logs, and reasonable monitoring of performance of systems. Monitoring may not be available for all systems. Although monitoring is automated 24 hours per day, Provider will review, diagnose and respond to alerts during Regular Business Hours only.

19. Sample Disclaimers / Language Client acknowledges that some patches may

    cause operating difficulties or “break” other software and agrees that Provider will not be responsible for the potential adverse effects of applying any patches.

20. Sample Disclaimers / Language Client accepts responsibility to manage its

    environment and to take steps to mitigate loss of data, interruption of service or any element disruptive to the backup service. Client understands and agrees that identification of files and data to be included in the backup are the sole responsibility of Client. Provider will assist Client’s effort to identify the data to be backed up, but Provider will not be liable for any damages or breach for any data or program not included in Client’s backup. Provider recommends that Client always have verified multiple backups before purging any database or accounting system.

21. Sample Disclaimers / Language Monitoring software and systems are not

    100% reliable, and Provider will not be responsible for any losses due to its Service failing to report a problem, failure of the automated notification system, any other failure of systems and processes related to such monitoring.

22. Sample Disclaimers / Language A formal disaster recovery or business

    continuation plan is NOT covered under this Schedule. Although the Services to be provided under this Schedule are designed to help provide IT continuity and will, under certain conditions, help to recover from certain disasters, nothing in this Schedule should be considered a formal disaster recovery or business continuity plan. If Client requires a disaster recovery or business continuity plan, including testing of the plan, Provider can assist Client with the development of such a plan at an additional fee

23. Supplier Contracts ➢Do they provide appropriate rights (e.g. White Label)?

    ➢Do they require you to pass through specific terms in your customer agreement? ➢Can you negotiate expanded liability if they are the cause of a data breach or claim?

24. QUESTIONS?