Fiduciary Responsibility and the MSP
I have seen this industry change a lot in 30 years. Once upon a time we built and repaired desktop computers. We transitioned to consultants and some web developers. Then came managed services and outsourced IT. One thing that is clear is that IT providers have taken on more and more responsibility at each evolution. With the new cybersecurity risks and legislation around data privacy, what level of responsibility do clients expect us to bear?
What is Fiduciary Responsibility/Duty?
Fiduciary responsibility refers to the obligation that one party in a relationship has to act entirely on the other party’s behalf and in the other party’s best interest. My opinion is that our relationship to clients is like that of a CPA (accountant). We are skilled knowledge workers who provide regular services that the client does not have the internal resources to do themselves. We make sure that their IT works the way it needs to so that the employees can be productive, the business is protected from risk, and the business complies with industry/government requirements. There is a lot in that last sentence that many of my peers will disagree with. Here is my analogy to the accountant. The accountant prepares the tax returns for the client, and we provide IT services. If the accountant makes a mistake, they must answer for that mistake. However, if the accountant prepared the return correctly, but it is based on bad information supplied by the client, they are not responsible. If the accountant can defend that they filled out the return according to tax law and professional best practices, they are protected. I believe it is the same for IT service providers.
The difference between accountants and MSPs is that MSPs do not have professional regulation and are only recently being referenced in new cybersecurity laws. This brings me back to the term fiduciary responsibility. What is our duty to our clients? Is it enough to simply do what they ask and nothing more? Should we recommend solutions that we know they need? At this point, there is very little compulsory responsibility. I think we can all see that it is coming.
As an outsourced IT provider, do we bear the same responsibility as an internal IT department? We love to call ourselves outsourced IT and much of our marketing makes claims that we handle all your IT needs. There has already been an example where an MSP was sued successfully because they made this claim and did not live up to it. If an internal IT department acts in the best interest of the company and has adequate security in place but is still breached, who is responsible? If they forget to patch a server for two years, are they responsible? In the first case, the internal IT department can defend what they did, in the second they cannot. I believe that it is the same with outsourced IT.
What should the MSP do to increase their defensibility? Here are my top six thoughts:
- Know your clients’ industries and the data regulations that apply to them.
- Partner with clients’ insurance carriers to make sure that all requirements are met.
- Use a known framework like NIST for building a security strategy and document how it is applied to each client.
- Review client security regularly, document and report your findings.
- When clients decline services you deem essential, make sure you get it in writing, and that you get it in writing again every time you do a QBR or security review.
- Make sure your own house is in order: follow the steps above for your own business as well.
Remember, it is not about guaranteeing that a client will not be breached or being responsible when it happens. It is about being able to prove that you did what you should have and informed the client of the risk of not doing what you recommend.
I know that there will be many in the industry who disagree with my stance. I am passionate about this for two reasons. First, the regulations are coming and MSPs are being named in that legislation. Second, as many of the tools we use become commoditized and IT services platform players erode market share, this is an area where an MSP can differentiate themselves from the competition. As always, I look forward to discussing this with all of you and helping you in any way I can.