
Why are so many private equity firms frustrated by their MSP? 

IT Managed Service Providers (MSPs) play a vital role in the delivery of business operations for alternative investors, and the benefits are well understood: they offer flexibility, scalability, and expertise in an area that most middle-market firms prefer to outsource. But almost every PE firm we speak to tells us that their colleagues are disgruntled with their MSP.  

It’s no surprise. The industry’s increasing reliance on MSPs has generally been a good thing – allowing investment professionals to focus on what they do best – but, as with any outsourced function, MSPs can become complacent. Without proper accountability – clear, measurable expectations, regularly benchmarked against what is actually delivered – their attention will drift to more demanding clients.

Nowhere is this more true than in cybersecurity. PE firms expect their MSP to ‘look after’ IT security as well as performance, but this is a dangerous assumption. If you want your MSP to manage your cybersecurity, it needs to be an explicit, contracted requirement with defined deliverables, not an implied part of running your IT.

“Never assume your MSP is looking after cybersecurity – and learn what questions you need to ask.”  

Regulators are starting to wake up to the risk posed by MSPs to the alternative investment industry, with regulations like DORA setting out how financial services companies in Europe should monitor their third parties. But many MSPs remain under scrutinised because they – or their clients – fall outside the scope of DORA, or because EU states have not yet started issuing fines. Regardless, we always tell our clients to treat regulation as a minimum expectation; in the case of potentially high-risk vendors like your MSP, now is the time to put in place proper oversight.  

The gap is communication. There is often misalignment between three things: the services defined in your contract, the services you expect, and the services that your MSP believes it is responsible for delivering. In my experience the truth lies somewhere among the three, but rarely where either party thinks it is.

One of the most critical services that falls into this MSP/client gap is cybersecurity. Private equity firms frequently allow their MSP to act as both control operator and auditor – the party that runs the controls also reports on whether they work – which removes any meaningful separation of duties and with it the firm’s ability to put proper oversight mechanisms in place. Lack of cybersecurity knowledge within investment firms is another issue, albeit one that can be mitigated with good advice and a solid framework. The most worrying – and worryingly common – issue is that the MSPs themselves lack specific security knowledge.

What does all of this amount to? Poor definition of requirements, poor execution of services, and the importance of cybersecurity simply overlooked. Don’t worry – this is more common than you think and can be fixed faster than you might imagine.  

To begin with, here are ten key questions that you should ask your MSP today:  

  1. What mechanisms do you have in place to respond to an incident affecting your own organisation?
  2. Can you confirm what your own obligations would be in the event of a cyberattack on my organisation?
  3. How do you access my environment? Is access granted per session, and do your engineers use named accounts assigned to individual users rather than shared credentials?
  4. How often do you obtain external assurance about your own cybersecurity practices, and what form does this take?
  5. What cybersecurity KPIs do you report to your own board, and who is accountable for reporting and overseeing them?
  6. What is your process for patch management, particularly in relation to the flood of newly emerging vulnerabilities?
  7. What mechanisms do you have to respond to a cybersecurity incident within my organisation?
  8. What security-related KPIs are you able to provide my organisation on a weekly and monthly basis?
  9. How do you conduct backups (frequency and storage locations), including mine, and what do you do to protect my backups from interference?
  10. How often do you test the backups, and do you conduct end-to-end backup restore testing?

The answers to these questions will put you back in the driving seat. If you don’t feel confident asking these questions or interpreting the answers, we can help. Thomas Murray acts as a cybersecurity partner to private equity firms and other alternative investors, supporting everything from cyber due diligence to third party oversight. Regardless of who you choose, it’s important that you have genuinely independent cybersecurity advice available to you.  

Finally – here are a few activities you should get started with today:   

  • Review your current contract with your MSP and look for the following: audit rights, exit and transition support clauses, and security and performance KPIs.
  • Establish monthly performance meetings to discuss delivery against meaningful KPIs.
  • Penetration testing (ideally, you should not have to inform your MSP in advance).
  • Tabletop exercise: in the case of an incident affecting your organisation, you will be responsible for responding at the business level, even if your MSP supports at a technical level.
  • A NIST CSF or CIS Controls review of your cybersecurity controls (some of which will be delivered by your MSP); an independent review can provide contextual, risk-based insights as well as independent assurance to LPs or investors.

Get in touch today for friendly, actionable advice from cybersecurity experts who work exclusively with investors like you.
