The $4.33 Million Question: Who Owns the Clock?
Breaches involving third-party MSPs cost an average of $4.33 million, 12% higher than the overall average. IBM’s Cost of a Data Breach Report documents the premium paid when incident response crosses organizational boundaries. The coordination overhead isn’t theoretical. It translates directly to extended exposure and elevated damage.
The additional cost stems largely from identification time. Involving third parties extends Mean Time to Identify (MTTI) by 15 days: roughly two weeks of additional exposure spent determining who detected what, who should investigate, and who has authority to act.
The Declaration Problem
Most MSP contracts fail to specify who declares a breach. The gap creates 4-24 hours of critical delay during the moment when speed matters most.
Consider the scenario: Monitoring detects anomalous data exfiltration at 2 AM. The MSP’s Security Operations Center sees the alert. Is this a confirmed breach requiring declaration? Or a suspicious event requiring investigation? The distinction matters for legal notification timelines, insurance triggers, and regulatory obligations.
Without defined authority, the MSP escalates to the client. The client contact is asleep. Morning arrives. Discussion ensues. By the time declaration occurs, the window for containment has narrowed.
| Declaration Authority Model | Pros | Cons |
|---|---|---|
| MSP declares | Faster response, clear ownership | May over-declare, liability concerns |
| Client declares | Control retained, legal alignment | Slower response, requires availability |
| Joint declaration | Shared accountability | Coordination delay, potential deadlock |
| Threshold-based | Automatic below threshold, joint above | Threshold definition is complex |
The answer depends on organizational risk tolerance and regulatory environment. The conversation must happen before the incident, not during it.
Escalation Clarity: The Chain That Breaks
Incident escalation paths differ from routine escalation. The IT manager who handles normal issues may not have authority for breach response. The CISO who should be notified might not be in the communication chain.
Breach escalation requires separate protocols:
Immediate escalation. Security events skip normal tiers. The path goes directly to designated incident commanders.
Parallel notification. Legal, executive leadership, and technical response activate simultaneously. Sequential notification wastes time.
External engagement. Cyber insurance carriers, law enforcement, and forensic specialists have defined trigger conditions.
Communication lockdown. Who can speak externally? Who cannot? Premature disclosure complicates response.
The protocols must exist in writing, accessible during 2 AM emergencies, and tested through tabletop exercises.
The Clock Ownership Problem
Incident response operates under multiple clocks:
Technical clock. How long until the threat is contained? Every hour extends potential damage.
Legal clock. Notification deadlines vary by jurisdiction. GDPR requires 72-hour notification. State laws vary. Miss the deadline, face penalties.
Insurance clock. Policy notification requirements may have specific windows. Late notification can void coverage.
Business clock. How long until operations resume? Each hour of disruption accumulates cost.
The clocks run simultaneously. Prioritizing one may harm another. Technical containment that destroys evidence complicates legal response. Rushing notification may trigger premature panic. Balancing requires coordination.
Who owns each clock? The MSP may own technical response. Legal owns notification timing. Finance owns insurance coordination. Operations owns business recovery. Without defined ownership, clocks get ignored until they trigger consequences.
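To make the threshold-based declaration model and the competing clocks concrete, here is an added Python illustration (not code from the article or from any MSP contract). It classifies an alert as event, incident, or breach, assigns the declaring party under a threshold model, and computes every clock's deadline from the detection time, treating detection as the moment of awareness. The 72-hour GDPR window is the only figure taken from the text; the record threshold, the other windows, the owner names, and the alert fields are constructed assumptions standing in for real contract terms.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    """What the SOC knows at escalation time (fields are constructed for this example)."""
    confirmed_exfiltration: bool   # data is confirmed to have left the environment
    personal_data_involved: bool   # regulated personal data is in scope
    affected_records: int          # estimated number of records exposed


@dataclass(frozen=True)
class Clock:
    name: str
    owner: str          # who owns this clock per the contract
    window: timedelta   # how long after awareness the clock expires


# The 72-hour GDPR window is from the article; the remaining windows and the
# owner names are assumptions standing in for negotiated contract terms.
DEFAULT_CLOCKS = (
    Clock("technical containment target", "MSP SOC", timedelta(hours=4)),
    Clock("business recovery target", "Operations", timedelta(hours=24)),
    Clock("insurance carrier notification", "Finance", timedelta(hours=48)),
    Clock("GDPR supervisory authority notification", "Legal", timedelta(hours=72)),
)

RECORD_THRESHOLD = 500  # assumed contractual threshold separating MSP-declared from joint


def classify(alert: Alert, threshold: int = RECORD_THRESHOLD) -> tuple[str, str]:
    """Map an alert to (severity, declaring party) under a threshold-based model.

    Unconfirmed activity stays an 'event' under MSP investigation. Confirmed
    exfiltration below the threshold is an 'incident' the MSP declares alone;
    at or above it, with personal data in scope, declaration is joint.
    """
    if not alert.confirmed_exfiltration:
        return "event", "MSP SOC"
    if alert.personal_data_involved and alert.affected_records >= threshold:
        return "breach", "joint (MSP + client)"
    return "incident", "MSP SOC"


def deadlines(detected_at: datetime, clocks=DEFAULT_CLOCKS) -> list[tuple[str, str, datetime]]:
    """Return (clock, owner, deadline) for every clock, earliest first."""
    rows = [(c.name, c.owner, detected_at + c.window) for c in clocks]
    return sorted(rows, key=lambda r: r[2])


def hours_remaining(now: datetime, detected_at: datetime, clocks=DEFAULT_CLOCKS):
    """Hours left on each clock at 'now', earliest first; negative means already missed."""
    return [(name, owner, (due - now).total_seconds() / 3600)
            for name, owner, due in deadlines(detected_at, clocks)]


def two_am_scenario() -> dict:
    """The article's 2 AM case: detection at 02:00, declaration eight hours later
    after the morning discussion (timestamps constructed)."""
    detected = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)
    declared = detected + timedelta(hours=8)
    return {
        "severity": classify(Alert(True, True, 1200)),
        "remaining_at_declaration": hours_remaining(declared, detected),
    }


if __name__ == "__main__":
    result = two_am_scenario()
    print("declared as:", result["severity"])
    for name, owner, hours in result["remaining_at_declaration"]:
        print(f"{hours:7.1f} h  {owner:<11} {name}")
```

Running the scenario shows the cost of the eight-hour declaration gap: the technical containment target has already been missed by four hours, while Legal has 64 of its 72 hours left. The point the code adds to the prose is that the clocks start at awareness, not at declaration, so every hour spent deciding who declares is an hour taken from every owner at once.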
The Forensic Preservation Failure
Incident responders want to contain threats quickly. Forensic investigators need preserved evidence. The goals conflict.
Rebooting a compromised server may stop active data exfiltration. It also destroys memory artifacts showing exactly what the attacker did. Wiping and rebuilding restores operations. It eliminates evidence needed for attribution and legal proceedings.
Forensic preservation requirements must be established before incidents occur:
Evidence collection procedures. Memory capture, disk imaging, log preservation before containment actions.
Chain of custody documentation. Every evidence touch gets recorded. Gaps compromise legal utility.
Preservation vs. containment decision tree. Which systems require forensic hold? Which can be contained immediately?
Third-party forensic engagement. When to bring in external investigators? Pre-negotiated retainers enable faster response.
MSPs without forensic capability may inadvertently destroy evidence through well-intentioned containment efforts.
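The two requirements above that most often fail in practice, collecting evidence before containment and keeping a gap-free chain of custody, can both be enforced mechanically. The following Python is an added example, not the article's or any vendor's code: an append-only custody ledger in which every entry commits to the SHA-256 of the evidence and to the previous entry, so any edited or removed record breaks verification, plus a gate that refuses containment on a system until its preservation steps are logged. The evidence bytes, system names, handler names, and the required-step list are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed preservation steps that must be recorded before a system may be contained.
REQUIRED_BEFORE_CONTAINMENT = ("memory_capture", "disk_image", "log_export")


class CustodyLedger:
    """Append-only chain-of-custody record.

    Each entry stores the SHA-256 of the evidence it describes and the hash of
    the previous entry; verify() recomputes the whole chain."""

    def __init__(self):
        self.entries = []

    def record(self, system: str, action: str, handler: str, evidence: bytes, when=None) -> dict:
        """Log one evidence touch and return the stored entry."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "system": system,
            "action": action,
            "handler": handler,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """True only if every entry is intact and correctly linked to its predecessor."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def missing_steps(self, system: str) -> list:
        """Preservation steps not yet logged for this system."""
        done = {e["action"] for e in self.entries if e["system"] == system}
        return [s for s in REQUIRED_BEFORE_CONTAINMENT if s not in done]

    def containment_allowed(self, system: str) -> bool:
        """The preservation-before-containment gate."""
        return not self.missing_steps(system)


def demo() -> dict:
    """Constructed walkthrough: one fully preserved host, one not, then a tampered ledger."""
    ledger = CustodyLedger()
    ledger.record("web-01", "memory_capture", "analyst-a", b"<constructed memory dump>")
    ledger.record("web-01", "disk_image", "analyst-a", b"<constructed disk image>")
    ledger.record("web-01", "log_export", "analyst-b", b"<constructed log bundle>")
    ledger.record("db-02", "memory_capture", "analyst-b", b"<constructed memory dump 2>")
    results = {
        "web01_ok": ledger.containment_allowed("web-01"),
        "db02_ok": ledger.containment_allowed("db-02"),
        "db02_missing": ledger.missing_steps("db-02"),
        "intact": ledger.verify(),
    }
    ledger.entries[1]["handler"] = "someone-else"   # simulate an after-the-fact edit
    results["tampered_verifies"] = ledger.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ledger does not prevent a responder from rebooting the box; it makes the decision to do so visible. If `containment_allowed` is false, the responder either records the missing steps first or records an explicit decision to accept the evidence loss, and either way the record survives to the legal phase.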
The Third-Party Cascade
Your MSP gets breached. Their compromise becomes your exposure. The 2021 Kaseya attack demonstrated this cascade: one vendor compromised, 1,500 downstream businesses affected.
Third-party breach introduces complications:
Visibility gaps. You may not know about the breach until days after it began.
Control limitations. You can’t directly contain a threat in infrastructure you don’t own.
Attribution complexity. Was the breach in MSP infrastructure or yours? The answer affects liability.
Notification obligations. Your customer data was exposed. You must notify. The MSP may prefer silence.
Contractual provisions should address third-party breach scenarios: notification timelines when the MSP itself is breached, access to forensic findings, the right to engage independent investigators, and termination rights if the MSP breach poses ongoing risk.
The Insurance Intersection
Cyber insurance denial rates rose 20% in 2023. Carriers scrutinize claims more aggressively. MSP involvement creates denial opportunities.
Common denial triggers:
MFA absence. Policies increasingly require multi-factor authentication on all admin access. 90% of insurers mandate this. MSP admin accounts that lack MFA void coverage.
Unpatched vulnerabilities. If the breach exploited a known, patched vulnerability and your systems were unpatched, carriers may deny.
Policy exclusions. “System failure caused by unpatched MSP software” increasingly appears in exclusion lists.
Notification failures. Late notification to carrier, regardless of reason, creates denial opportunity.
Insurance coordination requires understanding what your policy requires and ensuring MSP practices satisfy those requirements. The MSP’s security posture affects your insurance coverage.
Building the Incident Response Framework
Effective MSP incident response integration requires a documented framework:
Roles and responsibilities matrix. Who does what during each incident phase. Named individuals, not titles.
Communication protocols. Channels for each stakeholder. Backup contacts. After-hours procedures.
Decision rights. What can MSP decide unilaterally? What requires client approval? What needs joint agreement?
Escalation triggers. Specific conditions that escalate from event to incident to breach.
External engagement criteria. When to involve forensics, legal, law enforcement, regulators.
Post-incident process. Root cause analysis, improvement identification, framework updates.
Test the framework annually. Tabletop exercises reveal gaps that static documents hide.
The Retainer Advantage
Organizations with pre-negotiated forensic and legal retainers respond faster than those engaging during crisis. The relationship exists. The scope is defined. The billing is settled. Response begins immediately rather than after procurement negotiation.
Retainer types to consider:
Incident response retainer. Guaranteed response time from forensic team. Often 2-4 hour commitment.
Legal counsel retainer. Cyber-specialized counsel available for immediate engagement.
PR/communications retainer. Crisis communication support for stakeholder messaging.
Forensic tooling pre-deployment. Endpoint detection tools already installed, waiting for activation.
The retainer cost is an insurance premium for response capability. The return appears during incidents that would otherwise suffer from procurement delay.
Sources
- Third-party breach cost premium: IBM Cost of a Data Breach Report 2024
- MTTI extension with third parties: Breach lifecycle analysis
- Insurance denial trends and requirements: Marsh and Aon Cyber Reports