May 17, 2024

Episode 25: Your MSA is Broken. AI is to Blame.

Listen to the Podcast

Read the Transcript

Erick and Rich discuss the federal government’s Secure By Design pledge, a modest first step toward getting software and hardware makers to adopt security best practices they should have embraced long ago, as well as the many rewards of hosting open house gatherings for your customers. Then they’re joined by Rob Scott of Monjur for an eye-opening look at how using AI internally or providing AI services to your clients can expose you to legal risk if you don’t update your MSA. And finally, one last thing: a Florida Man’s less-than-ingenious scheme to bring snakes on a plane.

Discussed in this episode:

The Secure By Design pledge has a shot

Secure by Design Pledge

Threading the AI Risk/Reward Needle

Snakes almost on a plane: TSA discovers a bag with small snakes in passenger’s pants


Rich: [00:00:00] And three, two, one, blast off, ladies and gentlemen. Welcome to another episode of the MFP Chat podcast, your weekly visit with two talking heads talking with you about the services, strategies, and success tips you need. To make it big in managed services. My name is Rich Freeman. I am chief content officer and channel analyst at Channel Master, the organization responsible for the show.

I am joined this week as I am every week by our other co host, our chief strategist at Channel Master, Erick Simpson. Erick, how goes it?

Erick: It goes well, Rich. I’m in sunny Phoenix, Arizona at an event for one of our clients this week doing a couple of sessions and I gotta say it is super pleasant outside.

And I think I caught it just at the right time. It’s not too hot. It’s not cold. It’s beautiful.

Rich: I love it. I love it. Yeah we’re not actually that far past spring training season in that part of the world which I’ve visited there for, and yeah it’s pretty nice this time of year.

It certainly is. Let us dive into our story of the week here Erick, and as we record this I am just back off the road. I spent the last two weeks on the road. First at the Kaseya event that we talked about in the previous episode. And then last week I was at the RSA conference which is this giant cybersecurity conference in San Francisco.

Lots of interesting stuff going on there, but I think I want to zero in on one particular development during the show that I think is interesting and in part, because there’s a role here to really make this work for all of us. Listening and even for you and me, I’m here, Erick. During the show last week, the folks at CISA who are responsible for cybersecurity in the federal government, they unveiled a new initiative called Secure by Design.

And, as background, Erick, it’s a little hard to believe, but, in, even in this day and age, when ordinary end users understand the severity and the number of security risks out there, how serious. Security dangers are there are plenty of software vendors and hardware vendors that are not doing some really basic things to protect their products.

And I’m talking about hardware products that ship with default passwords in place along the lines of admin. Products that don’t have or even encourage people to use MFA or don’t keep after end users about patching. There are some really basic best practices out there that a lot of vendors in the industry overlook, and it leads to a lot of breaches.

And so what CISA decided to do to make an impact there was create the secure by design program and then encourage vendors to sign the secure by design pledge and several dozen security vendors. At the RSA show, went ahead and signed that pledge. Now these are security vendors for the most part.

They’re doing most of those things on the list, but the hope is we can build some momentum here that gets a lot of the other vendors in the industry doing these things as well. And this is really basic stuff. Erick, there are seven commitments that you’re making if you sign the pledge. And they are not nearly as onerous in a lot of ways as they should be.

So there is one. Where you commit to get significantly more of your users employing MFA within one year. You commit to get significantly more regular patching among your end users. So we’re not talking about automated patching that happens whether or not you’re diligent about it. We’re not talking about enforcing MFA and both of those things should probably happen, right?

We’re just as someone I spoke with from Sophos said, We’re just raising the lowest common denominator in the industry right now. So that’s some really basic things are happening much more universally than they are right now. Now it, it’s easy to dismiss this and I tend, I admit to be a little bit cynical when the federal government does some kind of cyber initiative like this, because a lot of times it feels to me like a photo op.

There’s no follow through. Nobody really pays attention. It doesn’t have much of an impact. But in this case, I gotta say based on conversations I had with people at the event, and I’m talking about people from the security vendors and also just security experts I know who are at the conference, I actually feel like this thing might have an impact.

It, you can imagine scenarios where a company signs the pledge, doesn’t follow through on one of the commitments and get called out for it. You can imagine scenarios where one of the companies that has signed the pledge calls out a competitor for not having signed the pledge. And in fact, I will tell you this.

Erick, I know for a fact I spoke [00:05:00] to the PR person from Huntress and she had a conversation, because Huntress signed the pledge and this PR person was at the signing ceremony, she was speaking with Sissa’s PR person, and the Sissa PR person said, Within hours of this initiative being announced, 10 additional vendors agreed to sign just because they were worried about how bad it would look for them not to be a part of this.

So we’ll see if that momentum continues. One way that it will continue though is if all of the MSPs in our audience here Ask their vendors, have you signed? Because every vendor you work with folks should be doing the things, at least doing the things in this secure by design pledge, ask your vendors if they’re doing it and if they’re not, and they don’t have a good reason for why they didn’t sign the pledge.

Think a little bit about whether this is somebody you want to be doing business with. Somebody who’s shipping default passwords. Is that really a vendor you want to have a long term relationship with? So I’ll just point out in parting Erick, before getting some thoughts for you, I I met with Kyle Hanselovan, the CEO of Huntress.

Like I said, Huntress signed the pledge. He considers this a step in the right direction. It’s only a step from his point of view. What we really need to see is the federal government using penalties and incentives to really push vendors software and hardware vendors. In the direction of doing the things they should have been doing years ago.

At this point, CISA doesn’t have that kind of enforcement authority, but the fact that they’re at least trying to encourage vendors to do the right thing, reward the vendors who do the right thing, maybe shame some of the vendors who don’t do the right thing a little bit is progress. And like I said, this progress will have more of an impact.

If all of us hold the vendor world’s feet to the fire over this a little bit.

Erick: Rich when I read the pledge and I thought about it felt to me as the complete opposite Of what we’re used to seeing in terms of Regulatory compliance frameworks and things like that because it seems a little bit, you know Very dip your toe in the water.

The water’s fine. Come join us I can see the strategy or I can sense the strategy being You We’re not trying to make this very onerous. We’re just trying to move the ball in the right direction down the field and try to build some momentum behind it. And while I felt it wasn’t You know super specific on the definition of what?

Achieving, components of this pledge are at least it gives you a little bit of guidance, right? So when it says, you know have a significant number of this or that it lets you know What they’re looking for as well, so it’s interesting to me to watch and see how the channel vendors respond to this because You They may be onto something here.

Nobody wants to be called out, right? So they’re, so the idea, as I’m taking it in is the peer pressure of the channel, which is comprised of vendors, distributors, and partners, is what they’re hoping fills the sails of this ship as we move them to the next, level, let’s say, so this is today’s pledge gain some momentum.

I’m interested to see what the next evolution of this looks like.

Rich: And it’s interesting because peer pressure is exact. It’s in fact exactly a phrase that this gentleman from Sophos I spoke with used when we were talking about this was one of his hopes for the program. And you can imagine a scenario where some manufacturer of a video surveillance camera.

Is the first company in that category to sign the pledge and commit that there will be no default passwords on our devices anymore in the future and using that for competitive marketing purposes, right? We’re the first to do this, ask all the other vendors out there if they’re doing this as well, and that’s how you can maybe build this momentum.

I think a lot of how, the degree to which this has legs Erick is going to depend. The body language at RSA was encouraging there. It didn’t look or feel like a photo app for Gen Easterly. Gen Easterly, the director of CISA, flew out to San Francisco from Washington, D. C. She gave a talk about this.

She did she talked to the press a little bit. She signed, attended the signing ceremony with a bunch of these vendors. If it turns out to just be a photo op, then maybe this kind of comes and goes, but she actually brought a whole bunch of people from her team who are going to be responsible for managing and monitoring this initiative, and they were all meeting with vendors at the show.

It feels like they’re committed to this, and if they follow through on this start, it could have an impact.

Erick: It certainly could, Rich, and sometimes, as you mentioned, peer pressure is the strongest motivator. Nobody wants to be left behind or felt or feel like someone [00:10:00] can have, take advantage of their unwillingness to sign a pledge like this and put them, at a competitive disadvantage.

So be interested to see the velocity. And the uptake and the growth of the initiative.

Rich: So let’s see if this segue to your tip of the week works or not Erick, cause hundreds and hundreds of security vendors exhibiting on a giant show floor at RSA. It’s a little bit like the cybersecurity industry’s open house.

And open houses have something to do with your tip of the week. Nicely done, Rich.

Erick: Yes, absolutely. So we’re going to talk about using. An open house event for lead generation sales prospecting as well as client appreciation. So just think about it, Rich, how many times in our lives do we get invited to an open house?

We typically get invited to an open house when somebody, maybe buys a new house and moves in, or maybe they move into a new building and it’s a one and done kind of thing. So the idea of having an open house is you want to again celebrate this new beginning this new phase of growth and Appreciate the folks that you know have helped you get there But not so much kind of business building or sales prospecting things like that Not when we’re buying a home or things like that But when we’re having a regular open house, let’s see, we have an annual open house, rich.

I’m an MSP and I have, no matter what my office building looks like or what my offices look like, we’re going to have an open house where we’re going to celebrate and appreciate our existing clients. And we’re going to invite our prospects to join us and network and talk about the great work that we’re doing for our clients and tour them through our facility.

Rich, I’ve done many consulting engagements with MSPs when I walked into their offices and have said to them, Hey, have you guys thought about putting up like a glass wall and enclosing the data center or the knock or the service desk and throwing up a few flat panels on the wall and making it look like what someone expects a technology firm to look like when, watching TV and movies, it doesn’t cost that much to do that anymore. And no matter how small your organization is, you can certainly spruce it up for an open house event, have the food out there, get local media and reporters out there. I have clients that do this on the regular basis, rich, and they get so much exposure and branding and awareness that they then can promote in their marketing materials and get write ups and they’re friendly with the local journalists and media.

And. So even if let’s say that you’re a distributed organization, let’s say that you’re a hybrid. I have clients that are completely hybrid. They don’t even have, a real physical office. We’re doing virtual. Let’s do a virtual open house. Let’s get a list of all of our clients and our key prospects and let’s send them out something.

I know there are many states where you can send adult beverages and snacks and things like that. And just see for an hour, Let’s get on and celebrate and talk a little bit and network. And that way you can do a virtual open house. And while you’re not in person, rich, you can still get some benefit from that.

And you can still record it and you can slice and dice it up and use it in marketing and so forth and so on. So I think it’s a great idea to have this top of mind awareness that says, Hey, once a year, if we do, if we do nothing else, we’re going to have an event that appreciates our clients. And allows our prospects and the folks that we’ve been, working on winning their business to have another look at us, not, just from a kind of a relaxed mode, be able to engage with our other clients.

If we have a facility, see the facility, and then it gives our sales team the opportunity to follow up with everyone afterwards with existing clients. Hey, if we’re going wide and deep and we haven’t gotten to every single one of them to subscribe to our enhanced cybersecurity program. Great opportunity for leads that we’ve been working for prospects that we’ve been trying to get to, authorize that agreement and sign up with us or to move the ball down the field as we say through the sales process.

This is another accelerant, another touch point. That doesn’t come off salesy or pitchy, which is the key.

Rich: Yeah. Lots of really good stuff there, Erick. And I, I’ll underscore what you said that the best reason to do this is because you are showing your customers that you appreciate them. And even if they don’t show up.

Just knowing that you do appreciation [00:15:00] events on an annual or regular basis Will be noticed and will be appreciated by them if you do have an office, like you said here’s an opportunity for them to either see it might be the first time or to Be reminded how professional an organization that you run they’ll see the bright gauge displays on the wall and the conference all the stuff that you should Be doing like you said To create a very professional image and that should be reassuring for that.

And then the other thing you said that really resonated with me, we, you and I are both friends with a an MSP in Michigan named Amy Babinchak. And Amy in a talk I heard her give a few years back, talked about something that she did. It wasn’t open houses or office visits, that kind of a thing.

She was doing webinars, but she would invite her current customers to those and then sales prospects as well. And she found this to be. One of her most effective lead generation techniques, because it’s one thing if you tell a sales prospect, how great you are, it’s a totally different one. If a peer business in the local community is telling that sales prospect, I am an extremely satisfied customer.

And yeah, if you can get sales prospects and your customers mingling in that off open house, that is powerful. Stop. I

Erick: agree a hundred percent rich. And think about that third influencing factor that you have. Which is your team your staff. So all of your staff are there if it’s virtual They’re logged in but if they’re in a live event scenario these Clients and prospect.

Prospects certainly don’t know and have never engaged with them So it’s great for them to have these, hallway conversations and ask different questions Right and then for the clients typically it’s going to be the decision makers that show up to the open house. You’re going to invite everybody, of course, your clients that can show up, but the decision makers may not engage quite as much as the rest of the user community at that client’s company.

So having them have the ability to really get to know more of your staff and more of the folks in your organization provides a much different perspective, a deeper, a relationship building opportunity and, I think it just engenders a lot more goodwill collaboration. And guess what, the next time your team calls on your clients or prospects for, setting an appointment, a QBR or a discovery appointment for a sales initiative, they’re more likely to say yes, because they’ve had that experience.

Rich: All right. We are going to take a quick break here. When we come back, we’ll do our spotlight interview segment for this episode of the show. I was on the road a couple of weeks before Erick’s on the road right now. So he was not able to join in on this particular interview. I though had an opportunity to speak with Rob Scott.

He is the chief innovator at Monger which is an organization that works with MSPs on legal contracts and so on. This is going to be a really interesting, this is a conversation you don’t want to miss, MSPs, because to the degree that you and or your customers are getting into artificial intelligence, you may have some legal exposure you’re not aware of, and Rob’s going to talk to us a little bit about that and what you can and should do about it he will join me for that conversation in moments when we come back from the break, stick around.

Brace yourselves.

All right, welcome back to part two of this episode of the MSP Chat Podcast, our spotlight interviews segment where I am joined this week by Rob Scott of Monger to have a very timely and important conversation. about the legal implications of offering AI services to your clients. Rob, first off, welcome to the show.

Thank you, Rich. It’s good to be here. So you and I have known each other for a while. For folks in the audience here who are new to you, just tell folks a little bit about who you are and your background in the managed services world. Yeah,

Rob: My name is Rob Scott. I’m a co founder of Monger, which is a Cloud based legal service that came out of a legal practice called Scott and Scott LLP, of which I’m the managing partner and have been since 1999.

I started representing clients in managed services in the early 2000s and have been focused on computer law in general and specifically IT managed services since that

Rich: time. And more recently you can refresh my memory on how recently, but you are also the chief. Innovation officer, chief innovator for Monger.

So tell folks a little bit about what Monger is about.

Rob: So Monger was originally a platform that was going to be developed for our law firm to enable us to keep our customers contracts updated over time. What we learned is that [00:20:00] as time emerged, the contracts that we drafted for our customers began to get stale.

And so we wanted to create a platform that enabled us to deliver. A contracts as a service solution where we host the agreements, we keep them updated through the cloud and we bundle the legal services with a platform, which we call Monger, which has been wildly successful to answer your question. We just launched it just over two years ago in March of 2022.

We now have over 360 MSPs on that platform.

Rich: All right. All right. Very interesting. So Rob, the reason we are having this conversation on the podcast today is because you and I actually discussed this topic just a few weeks ago. I was researching a piece for my blog, Channelholic reached out to you to discuss this a little bit, and it was a really eye opening conversation for me because it raised some issues that I hadn’t really thought about at all with respect to AI and managed services, and therefore I imagine a lot of the folks in the audience haven’t thought about this much as well.

So I think everybody understands the benefits current, real potential of AI, both for MSPs in terms of how they’re running their business. And for the end users, those MSPs support. But what you really pointed out to me is there are also some new legal risks that AI poses for the MSPs themselves.

And in terms of their relationship with the end user. So tell us a little bit about what are some of those legal risks, legal dangers. That MSPs who are providing AI related services to their clients could potentially face.

Rob: I would start Rich with the concept that, AI based managed services are unique from a legal perspective, from traditional managed services, including IT managed services, cloud and hosting, backup and disaster recovery, managed security services, managed voice, and so on.

All of these agreements can share a platform from a legal perspective. But when you start thinking about AI managed services, there are new concepts from that need to be defined and there are new risks that need to be covered. And some examples of those new things that need to be defined are what I’ve referred to in the past as IP artifacts with.

traditional licensing you didn’t have a concept of learnings or a model or these inputs or output data. All of these things are things that have come to be defined as intellectual property artifacts that are unique to AI and therefore raising the issue that suggests that an AI specific managed services agreement Was needed and therefore they’re in addition to just those concepts around new ideas new artifacts.

You have to define those things so that you can allocate ownership and risk associated with them. So a simple example is who owns the output data? You have to define output data before you could say who owns it, and so it becomes very important. And for example, About learnings, a lot with AI when it comes to intellectual property is who owns the learnings, like the cumulative impact of the training is in large measure where a lot of the commercial value will be delivered from AI model.

And just from an intellectual property and ownership perspective, we start with defining those concepts so that we can then allocate ownership. And rights to those concepts throughout the agreement. So that’s in a broad class of terms. The other things that you think about from a broad category when it comes to AI is AI specific language around things like force majeure, what it, what if you implement a conversational voice system for clients and then the government says, Companies are no, no longer allowed to use AI to make phone calls.

That’s a risk that you would need to have covered in your agreement. That is something specific to ai. Another thing that’s specific to AI and is foundational is the concept of responsible ai. And responsible AI is a term of art within the industry that goes to both. Ethical use of AI, as well as things like transparency and a number of other concepts [00:25:00] that in my mind, both parties to an AI agreement should contractually bind themselves to.

So in our agreement, for example there is an obligation to be committed to responsible and ethical AI, both for the provider and for the customer. There are also a number of exclusions from the Service providers responsibility, including failures of third party providers in managed services. AI is going to be no different than security.

Many MSPs are, and will continue to offer AI solutions through a vendor ecosystem where the MSP is bringing a vendor through a relationship. And that vendor is really providing the technology that will be true in AI. And therefore. Responsibility for what vendors do needs to be excluded and never more important than in the world of AI, where everyone knows that AI can get things wrong.

You need to carefully disclose in your agreements with your customers that there are limitations to AI and it can do things like hallucinate and reach the wrong conclusion and do a lot of bad things. And therefore it’s not intended to be used without. People in the loop with close supervision and that the MSP can’t be responsible for unintended consequences of AI vendor platforms.

And more broadly, let’s be honest, cloud and AI are being delivered by the same handful of vendors. Your traditional cloud vendors are your new AI vendors. It’s Azure AI. It’s Watson, it’s Google. These are the AI platform and there will be specific. There are specific flavors for MSPs, but in large measure, they’re based on these public AI platforms like Azure.

It’s really important if you’re going to be offering AI services to really understand that legally AI is a quantum leap when you think about managed services. From the traditional what I’ll call security led stack of AI managed services that are prevalent in the market today.

Rich: Part of what was sobering about the conversation we had recently and why I thought it was important to bring this onto the podcast is, I’m sure there are people in the audience right now who are thinking there’s always some new technology in the I.

T. world, and I’ve got a master services agreement in place with all my clients, and so I’m covered from this stuff. And what you emphasized with me before is not really that most, probably, correct me if I’m wrong, the vast majority of MSAs out there do not adequately or fully protect MSPs from these AI related legal risks you’re talking about.

How exposed are people right now?

Rob: A lot of it’s going to be depending on, to what extent they’re wading into the AI waters in terms of service offerings and or use of tools, we’re seeing it in two areas now, rich one, tools, platforms like roost and crush bank and others are including connect wise and can say are developing AI tools that are built into platforms that MSPs have used in the back.

So MSPs are now starting to offer as part of their own tool set AI powered solutions that could impact their legal risk and certainly raises a question about vendor risk and whether that’s being properly mitigated in light of AI vendors that the MSP is using to deliver its services.

Secondarily to that is an emerging set of options for MSPs to use with their customers to empower AI solutions for the customer separate and distinct from a legal perspective because it’s that arrangement that requires, for example, a service attachment for managed AI. That goes beyond the traditional managed services service attachment and goes into these discreet topics for which a specific provisions are required

Rich: looking at this.

So part of what makes this a somewhat tricky topic is there are the. The legal issues that directly affect the MSP in terms of the tools that they’re using, for example, as you put it. And then there are the [00:30:00] legal risks that their clients potentially face that could have spillover effects for the MSP.

Looking at this from the end user standpoint, are the legal risks that a typical MSP’s customers face more or less the same ones? Or are there different risks that MSPs need to be aware of with respect to their customers, which I imagine might depend a lot on the vertical industry that customer is in.

Rob: Yes, Rich, that’s where I was going to go with the answer. So much will depend on the vertical industry. And in that regard, my opinion is that the analysis. Regarding what risks the customer faces will be of a similar analysis to the data privacy and security analysis that MSPs do. They focus on the vertical market in which the customer is operating.

And if it’s federally regulated, such as healthcare or financial services or DOD contracting, then they have a certain process for that. I think in large measure, you’ll triage your customer’s legal risk related to AI. Along those same regulatory concepts. So you’ll look first at federal, then it’s state laws.

And there is an emerging patchwork of AI specific state laws that you’ll need to be cognizant of in that regard. But most of the time, the concerns about. AI usage that are from a legal or regulatory perspective, track very closely to the data privacy and security regulations that would be applicable to IT managed services, not focused on AI.

Rich: From a legal standpoint, how exposed, how vulnerable is the MSP if their customer commit some violates the law, commits a legal error with respect to their use of AI. That they, theoretically got some assistance with from their MSP.

Rob: I think what I’ve found in all the years that I’ve been representing MSPs is their customers have a major fallacy of understanding, which is that anything that goes wrong regarding IT is the MSP’s responsibility.

I think there’s a prevailing yet on debunked myth about that. And we all have to do a good job of making it clear to the customer, what risks they’re taking and what risks the MSP is taking than that the MSP is not the insurance company. That’s a different role. That’s a different category of business than the MSP.

And in that regard, I would say that the MSP. Has significant exposure for anything that happens within its client organization that gets the client in trouble of any kind, whether that would be regulatory, a loss of business, a loss of income, damage to reputation. For the most part, even if it’s not the MSP’s fault, many times they get drug into cases and have to defend themselves to prove that it’s not their fault.

And unfortunately in the United States. Any idiot with a filing fee can sue somebody. And the way the wheels of justice grind sometimes slowly, it’s not that easy to vindicate yourself, even if legally in under your contracts, it’s clear that it’s not your fault. And from that perspective, anytime your customers are engaging in risky activity, that affects your network.

And in my mind, the MSPs network. Is only as strong as his customers. That’s the weakest point in the chain. And so if you’ve got clients that are, being rogue about their use of AI and being cavalier about, what they’re doing with it, then that raises a security question for you and your business in the same way that a customer who instructed you to turn off firewalls or.

Was engaging in improper behavior that you knew was wrong. You as the advisor, I think should escalate that within the client organization and do everything you can to make your voice heard about why that should stop. I think more importantly. From a legal perspective, if you think about legal as a way to build a bridge from where you are today with your service offerings to where you want to go, I think you started rich with the concept that we have some general understanding that there’s a lot of upside for MSPs with AI managed service.

And what I want to focus on is developing a way that AI managed services can be delivered. Where the risk is mitigated to the point where it makes sense for the MSP to offer the services. I think we can all agree that there are managed services that people could offer that aren’t worth offering on a risk adjusted basis.

It’s too dangerous, but I think that with AI and with the tools that are available MSPs can and should be [00:35:00] engaging with all of their customers in a conversation about AI that starts as simply as asking them three questions. What’s your strategy, rather what’s your policy, what’s your strategy and what’s your plan?

Because no matter what the customer answers to those questions, as the trusted advisor, the MSP has a role to play. And when it comes to policies, there’s going to be two types. One is going to be restrictive and the other is going to be permissive. What I mean by that is there’ll be some MSP clients that will say, I don’t want AI.

I don’t trust it. I don’t think it’s good for my business. I’m worried that I could get in trouble or worse yet, my secrets are going to be out in the public and I just want to make it clear that we’re not using it. And I want you as the MSP to help me make sure that nobody’s using it without my permission or knowledge.

And that’s worst case scenario. You can help that client with a policy to document that you can help them lock down firewalls and quarantine apps. that are known for, would be restrictive of a, of that policy. And you can implement reporting for the customer to, to show them that you’re policing that and the infractions would be escalated to the customer.

So you’d be adding real value and so far you haven’t done anything with AI. Doesn’t require you to be a data scientist or know anything other than what you know. Just go help that client with a restrictive policy, implement a policy and configure the firewalls and do a few things. Now, the vast majority of the clients will be more in the permissive policy, which I’m interested.

I’m intrigued. I know it’s the future. I don’t know much about it. I have some concerns. I’ve read some things I’m worried about, but if you know how you can use it for me in a way that I can make money or save money and help my customers more, I’m open minded to it as long as I don’t get in trouble and I can afford it.

From that perspective now, you could develop a permissive policy. You could start doing some assessments around AI readiness. You could start recommending and evaluating tools, implementing tools, and doing training. Doesn’t this sound a lot like IT managed services? My point is that no matter where you are in your journey to join the AI revolution, it starts with a conversation with a customer.

And just asking that those questions to your customer about where are they with AI and what are their goals and I can assure everybody that there’s going to be a lot more tools that are available right now that are going to enable you to deliver a variety of services to your small business customers that include revolutionizing their customer experience, their sales operations, their training and onboarding, their knowledge based management.

And all of these tools are readily available for MSPs to start implementing right now.

Rich: I think that’s a really important point, actually, because I know in my own writing about AI for MSPs I tend to really emphasize the revenue opportunity around teaching people how to use it, implementing AI based solutions.

And like you were saying that’s the permissive approach. That’s probably going to be the majority of the end users out there, but there is a revenue opportunity. For the, even for the customers who are saying, I’m not ready yet. I don’t want to do it. I don’t trust it. Whatever. There’s still a revenue opportunity for the MSP in helping those end users protect themselves from unauthorized use misuse, et cetera.

Rob: 100%. That’s why I recommend rich that every MSP just sit down with every client and ask them what’s your policy, what’s your strategy and what’s your plan. It’s going to position you as the trusted advisor on an emerging technology, and it’s going to create revenue for you regardless of what the client sets.

Rich: Now there was a particular legal issue that you pointed to earlier on in the conversation that I want to circle back to because I think it might be a good way to help tease out a little bit the distinctions here between changes that you’re making to your MSA to protect yourself from actions you’re taking and changes you’re making to protect yourself from things that your customer might be doing.

And this was when you were talking about responsible AI. And you said you want to make sure that both parties to the agreement are essentially indemnifying one another from that. Talk a little bit about the two different dimensions of responsible AI and maybe how that kind of exemplifies those two different kinds of legal risk in terms of what you’re doing and what your customers are doing.

Rob: Yeah. So the concepts of responsible AI have been deeply rooted in the AI conversation long before lawyers like me started to scratch their head about AI. And those conversations were led by ethicists people in all realms in a [00:40:00] multidisciplinary concept that said there’s certain guardrails that we can all agree would be hallmarks of how we want this to Technology to be promoted and understanding its great power to recognize this potential for evil.

And so we’re going to create some basic concepts and guardrails around what it means to use AI responsibly. And one of the concepts is transparency. And this relates more to those that are developing AI solutions more than so the implementation partners that are delivering them. But the concept of transparency is like how does this solution take decisions?

What is it doing? To the point where if it took a decision or made a recommendation That was based on bias or discrimination or something else that created a question. How would we unpack that? For example, famous case when apple came out with its new apple credit card. It was alleged that it had a bias for husbands over wives when it came to credit issuance That it was alleged that the bank that was behind the underwriting was using an ai solution For underwriting that would calculate the credit limit In a way that was biased against women applicants, and it became a big story.

And so bias bad data, unethical data, bad intent, using AI solutions in a way that would be in any way inappropriate or unfair, all violate these principles of responsible AI. So it includes both the ethical concepts of ethical AI and the openness. And transparency of a non black box approach to AI development and deployment.

And so to make sure that everybody’s fully committed to that, because really the big issues with AI, the most extreme philosophical example is the automated car is driving through the streets of San Francisco and it has to take a decision. It can either stay the course. And the two people inside the vehicle will be crushed by the train, or it can veer to the left into the busy intersection where a number of pedestrians, including children, will be killed or seriously injured.

How do you train the AI to make that decision? And what are the legal or ethical implications for such a programming decision? Now in the automotive world, they answered that question to say, we’re going to design the vehicles to protect the people inside and essentially implicitly deal with the legal implications of that decision when the other people sue is essentially where they landed, but these types of ethical quandaries exist in potentially all AI implementations.

And so responsible AI keeps everybody grounded. To a set of principles in the same way that a compliance with laws provision in a contract would keep both parties bound to whatever the legal rules are that govern the use of the solution or the parties using it based on their vertical market.

Rich: It occurs to me Rob, we’re talking about the legal implications of AI, but AI is basically the latest innovation in an industry that’s constantly coming up with some big new innovation.

There will be others ahead. There have been others in the past. And you’ve been consulting with MSPs about their master services agreement since well before AI was a conversation topic. And it just makes me wonder, we know that the vast majority of MSPs in the audience. Are not currently protected via their MSA from AI related risk.

Are there other? Risks that in your experience, a lot of MSPs have not properly covered themselves from in their MSA. Yeah, Rich, I would say more

Rob: broadly outside of just AI vendor risk, just the vendor ecosystem, all of the tools that MSPs use, the RMM tools, the backup tools. I’m talking about cases like the Acronis case in California, Where an MSP is being sued by a law firm and they’ve got an oral agreement.

And it’s a question about a backup failure and a ransomware attack. The Casaya ransomware incident where purported Russian actors perpetrated Ransomware attacks on Kaseya related products. These cases [00:45:00] highlight the need for MSPs to have protection beyond what was traditionally in an MSP legal agreements that really goes into a greater level of detail with regard to the nature of those third party solutions that are in the ecosystem, what terms and conditions apply from that vendor solution.

Then what privacy policies are applicable to that vendor’s tool set? So if you think about it, in order for an end user of an MSP to validly waive the Right to sue an MSP for an act or omission of a vendor such as Microsoft or ConnectWise, or Kaseya, or Enable. Many others not to single those companies out.

But the point of the matter is your vendors have the potential to do harm to your customers and thus raise the question under what circumstances is the MSP legally responsible for that act or omission of that third party service. And so it becomes critically important to make it 100 percent clear and unequivocal that what that client is waiving and to meet the requirement that waiver is knowing.

It’s our view that all of those vendors need to be specifically listed in a schedule, as well as their vendor terms and conditions be included, as well as their privacy policy. To give our MSP clients the greatest position to argue that the client clearly and unequivocally waived the right to sue the MSP for an act or omission of that third party when that third party is specifically listed in the agreement and we have a clear and unequivocal waiver in writing in bold terms.

So that’s the one area where MSPs come to us and they’re thinking about how does what they’re doing today. Differ from, where they could be if they were being. Adequately protected and that vendor risk management piece is the one that almost all of them are missing.

Rich: Which is really interesting.

Cause again, like I was saying, it’s all about AI now, but it was all about cloud computing in the not so distant past and basically any cloud based solution vendor is potentially posing the kind of risk you’re talking about there because the MSP is not in control of that service or the infrastructure, but.

Is passing that along to the end user. It does occur to me though. MSPs are constantly adding or changing vendors, cloud vendors and otherwise. How often should they be updating the MSA to reflect the vendor relationships that they have in place right now?

Rob: Best

Rich: practice

Rob: would be quarterly but not less than annually is what I tell people.

Rich: Now, a

Rob: lot of rich, a lot depends on the velocity of changes. If you’ve got a mature MSP and you’ve got a very entrenched stack with little change in it, that’s going to require a much, different answer than if you’re a dynamically growing MSP, whether you’re small and really growing fast or you’re giant and growing through acquisition or organically.

It’s those situations where the need for more, more frequent review of the vendor stack is required.

Rich: So that right there is a good best practice to to lead folks in the audience with you should be having. Ideally quarterly, but certainly regular conversations with your attorney about your MSA.

In regards to any issues that might have arisen or changed since that last meeting, but specifically around AI, if you were to leave people here. With some next steps, some best practices, what should they do to protect themselves as quickly as possible? And, what should they do between now and whenever it is that they’ve got that protection in place?

What would you say?

Rob: I’m going to say to them what I’m recommending they say to their clients. What’s your strategy, what’s your policy? What’s your strategy? What’s your plan? If your policy is to offer AI managed services, then you need to start evaluating your stack, your partners, how you’re going to deliver it.

Just like you would, if it was a cybersecurity solution. With respect to your customer contracts, you need to make changes to those agreements before you start offering those services, but in the meantime, go sit down with your customer and have that conversation and evaluate what the appetite is for them.

Thank you. To engage in these conversations with you either to have you engage in projects to restrict their usage of AI or to partner with them to show them how you can help them as an I. T. consultant to navigate the options and the choices that are available and implement the solutions and get them trained up on how to use [00:50:00] them so that they can benefit from.

The automation and other promise that this technology holds.

Rich: And to be clear, none of this stuff is it’s stuff that MSP should be figuring out on their own. So at a bare minimum make sure you’re having this conversation with an attorney. For sure.

Rob: The other one that comes up a lot, Rich, is in the context of descriptions of services.

Yeah. We recommend that our clients have their lawyers review. The, any service description changes in your offering, your bundles, your packages, your promotions best practices is to have those reviewed every quarter as well.

Rich: Rob, thanks so much for coming on the show, speaking with me about this.

Like I said, very timely and important topic for folks listening right now, they want to maybe get in touch with you, learn about more about you, more about Monger. Where should they go?

Rob: So you can find me on LinkedIn. I’m IP attorney, Rob Scott with Monger plenty of good stuff there. We have a YouTube channel at Monger, C A S, which stands for Contracts as a Service.

We’re also on the web at monjur. com. Look us up. If you’re interested in connecting, talking about AI or managed services, I’d love to hear from you.

Rich: Fantastic. Thanks again, Rob. Folks we’re going to take a quick break now. When we come back on the other side, I will be rejoined by Erick. We’ll talk a little bit about the subject matter of this conversation here.

Maybe have a little fun. Wrap up the show, stick around. We will be right back.

All right. And welcome back to part three of this episode of the MSP chat podcast. Like I said going in this is important stuff eyeopening stuff basically I, what I want to emphasize, there are a couple of different things that came up towards the end of the interview there that I think are really important to your score, and one is.

Rob is an attorney, and Rob spent most of his time kind of flagging the legal issues you could run into if you’re not careful and you don’t update your MSA. But he’s also a believer in artificial intelligence as a business opportunity for MSPs, and so he said this himself, but don’t Let these issues that we were just talking about there keep you out of this market.

You just need to take some smart steps going in to make sure that you’re protected. And then some more kind of thing, and I thought this was a really important and interesting point. Not all of your customers, most of your customers these days are at least going to be curious about artificial intelligence and how they can put AI to work to be more efficient and more profitable.

But there will probably be some customers in your client base who are just uncomfortable with that technology for one reason or another. And that’s a revenue opportunity to like Rob was saying, basically, you need to talk about this with all of your clients. And for those clients who say this unnerves me, I don’t want to do it.

You can help them keep AI out as opposed to helping them bring AI securely in. So lots of good stuff to think about there. And especially if you’re already working with your clients on artificial intelligence in any way folks, you want to get on this quickly. Yeah, Rich. It’s ,

Erick: I’m doing some sessions regarding AI and how to use it for prospecting lead generation and sales processes here.

At this event, and I’ve got to say one thing that I disclaimed at the very beginning is I said, Look, this is not a session about, risk and gloom and doom. This is a session about how to leverage, existing platforms, not integrating them with anything that you’re doing, but using AI.

In a way that can help you identify your ideal customer prospects and, build relationships with them by creating, interesting articles to post on LinkedIn and things like that. There is, that is just, scratching the surface of this large conversation that is AI and, you and I, Rich, we’re trying to stay abreast of.

Of what’s happening here, but it is a game changer and it can impact business in so many different ways that You know if we’re not careful we can accidentally get ourselves in trouble. You know the interview with With Rob at Monjor should be, very valuable for our listeners to take heed and just think about how their customers are implementing AI and maybe giving them some guidance and some tips and how to stay out of trouble along the way.

Rich: It is not that hard to do folks as as Rob made clear you can get yourself in the right place legally easily enough, as long as you know that you need to do that. Alright, folks, that leaves us with time for just one last thing, and I’ll tell you up front, I don’t have a ton of detail about this, but it was a little bit irresistible because this is a an almost real life snakes on a [00:55:00] plane story, this this comes to us from Miami recently where TSA officers found snakes, a passenger trying to clear security was trying to sneak snakes past the TSA agents.

Where do you figure this clever, I guess this is Miami, so this is Florida man, right? Where do you think Florida man tried to hide those snakes, Erick? I read the

Erick: article, so I know, Rich, but I’m not gonna give it away. It’s, uh, only in AmEricka, folks. Only in Florida. How

Rich: about down his pants, folks? I guess he was thinking no one’s gonna go looking around down there.

This guy had a small bag of live snakes down his pants. I, I could, if I wanted to, go down the direction of tasteless jokes about, trouser snakes and so on. I won’t. I’ll just say this was not an ingenious criminal scheme. And, unfortunately, like I said, there aren’t a lot of details in the story that I read about this.

So I don’t know what ha I assume the snakes were confiscated. I don’t know what happened to the guy who tried to get them past T. S. A.

Erick: Well, Rich, you just nailed the teaser for this episode with the phrase, a small bag of live snakes down his pants. So just leave it at that. Oh my goodness.

Rich: Folks. So we will leave it at this week. Thank you so much for joining us. We’re going to be back again. It actually you know what, I think we’re going to be skipping a week because I’ve got a vacation coming up here, but we’re going to be back soon with another episode of the show for you folks.

Until then, you know what? Do this both as a video podcast and audio podcast if you’re watching the youtube version, but you’re into audio podcasts Go to wherever it is. You get those audio podcasts look us up there if you’re listening to us on an audio format, but you like to check it out on youtube You will find us there either way please subscribe rate review it’s going to help other people find the show and enjoy it Just like you are.

This program is produced by the great Russ Johns. Russ is part of the team of experts here at Channel Mastered. He can do a show like this for you if you’d like to. If you want to learn more about that, want to learn more about Russ, want to learn more about Channel Mastered, you should go to channelmastered.

com., all one word. And you know what? We’ve got a sister organization called MSP Master that consults with MSPs to help them understand and implement a lot of those tips of the week that are brings to you on the show all the time. You can learn more about that [email protected].

So once again, we thank you very much for joining us. We’re gonna see you again here real soon. Until then, folks, please remember. You can’t spell channel without M S P.