Following the recent release of a report by PwC and BAE Systems entitled "Operation Cloud Hopper", the National Cyber Security Centre (NCSC) announced that it had become aware of "ongoing targeted attacks against global Managed Service Providers". The report refers to a widespread campaign, most likely by an entity known as "APT10", targeting managed IT service providers (MSPs) with the aim of infiltrating their customers' networks to steal intellectual property and sensitive data.
For companies that use MSPs, the report is a public flag as regards their vulnerability. This article explores the actions that such companies should take in light of the report.
Contact your service provider
Ideally your MSP will issue a statement in response to the report and welcome customer queries. However, if you are one of many customers, your MSP may be reluctant to conduct an investigation specific to your account. In addition, if your MSP is in the process of conducting its own internal investigation, it may be extremely guarded and not want to share information that might affect its liability.
If your MSP is not willing to cooperate, you will need to consider the different contractual tools at your disposal.
Consider the relevant contractual provisions
Some agreements contain security obligations with which an MSP is obliged to comply. If this is the case, it is worth considering whether there is a specific provision which requires the MSP to investigate in these circumstances.
Contracts with MSPs increasingly contain breach notification provisions; however, these often only bite where an MSP has identified a security breach. This would not oblige an MSP to look for one based on the contents of the report. However, if the provision were drafted more broadly, it might bite where the MSP has reason to suspect there has been a breach. Arguably the contents of the report are sufficient to trigger this obligation.
Failing this, consider whether your agreement contains a provision requiring the MSP to provide its services in accordance with good industry practice. It might be argued that this obliges the MSP to investigate a specific threat highlighted by a body such as the NCSC.
If the relevant agreement covers personal data and has already been "future-proofed" to ensure compliance with the General Data Protection Regulation, you may be able to use some of the more extensive obligations placed on an MSP as a data processor to achieve the same end.
What to consider when a breach is identified
If you or your MSP identify a breach, you will need to consider your obligations to your own customers and potentially also regulators. For example, do you need to notify your own customers or regulators of the breach?
The first priority is to determine the nature of the breach. Employing your own forensic investigator to ascertain the extent of the damage may be a necessary first step.
Is termination an option?
To terminate for breach, you would need to identify a clear material breach of the agreement and consider the associated termination rights: for example, do they give the MSP the right to rectify such a breach? The agreement may contain a right to terminate for convenience, in which case any associated charges and notification periods should be taken into account.
In either case, a customer should consider the nature of the services being provided and the obligations on the MSP in terms of providing exit assistance. For example: Is there an exit plan? Will exit involve the transfer of data? Does the customer have to pay for exit assistance?
Where to go from here
Only once you have spoken to your MSP will you be able to determine which of these steps are necessary. It is in an MSP's long-term interests to cooperate with its customers in this scenario. Even so, given the prevalence of cyber-attacks and the sophistication of entities like APT10, it is worth bearing some of these contractual tools in mind when engaging with MSPs in future.
Contributed by Julia Bishop, senior associate, Bird & Bird
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.