That was one of the key messages that Robert J. Scott, managing partner at Southlake, Texas-based Scott & Scott LLP, a law and technology services firm serving managed service providers (MSPs), passed along to attendees in a presentation on cloud law at last week's MSPWorld 2013 in Orlando, Fla.
While technology, high availability and customer service are vital to running a successful services business, they're not everything. "Cloud services are as much about liability and risk transfer [as they are about those other factors]," Scott said.
As more businesses embrace cloud services, more of them are concerned about privacy and security risk, which, according to Scott, is the No. 1 concern from the customer perspective.
"The ability of service providers to sell more services will be based on the service provider's ability to address customer concerns about risk, whether it's real or perceived. It will also be a key differentiator for the service provider's business," Scott said.
There are four essential IT risk management strategies that service providers must enact to protect their business and customers, as well as strengthen their position in the market:
- Understand the regulatory requirements in the region where they do business, the industry in which they do business, and their customers' industries.
- Use indemnity provisions in their contracts to protect against legal liability.
- Obtain cyber-risk insurance.
- Encrypt data in motion and at rest.
While regulatory compliance risk may not have been a big issue in the past, it is a very big issue for companies today. That's why more CIOs and technologists are becoming subject matter experts in matters such as the various state and federal regulations as they affect IT. Savvy MSPs and cloud service providers (CSPs) must do the same in order to "talk the talk" with potential customers.
Scott advised MSPs and CSPs that they must know about privacy, security safeguards and breach notification rules as they pertain to their business, as well as to the customers they do business with. Compliance regulations, he said, aren't based on where the MSP or even the data resides, but rather on where a customer's business resides.
There are many industry-specific federal regulations as well as state regulations that can vary from state to state. And there's regulatory compliance risk that goes along with those regulations. Who covers those risks and how they're handled are key to successful contracting, according to Scott.
When it comes to solution providers and legal liability, the goal is to be in a "zero risk" position. The technology law expert recommends indemnity provisions and limits of liability language in contracts, as well as insurance provisions, to achieve a zero-risk position.
MSPs and CSPs that think carrying general liability insurance is all the business protection they need should think again, Scott said. Cyber liability insurance is a must, he said.
When it comes to privacy and security risks, particularly as they pertain to regulatory compliance and legal statutory regulation, one way solution providers can protect themselves is by using encryption in flight and at rest. Scott refers to encryption as a "get out of jail free card."
"That's because the state laws that define customer information will either specifically exempt information that's encrypted or will define the information that's regulated as non-encrypted data. So the No. 1 way that a service provider can protect against privacy and security risks is [to] ensure that a customer's data in motion and at rest is encrypted," he explained.