MSP Incident Response: What Happens When Things Go Wrong - MSP Guide Australia

Cybersecurity · 2026-06-10 · 6 min · 1136 words

When an MSP gets hit by a cybersecurity incident, the consequences cascade across every client they manage. Unlike a breach at a single company, an MSP incident can affect hundreds of businesses simultaneously. Here is what actually happens when things go wrong, and how the industry handles it.

The MSP as a Single Point of Failure

MSPs manage access to multiple client environments. They typically have:

  • Administrative credentials for every client's Microsoft 365, Active Directory, and cloud infrastructure
  • VPN access to client networks
  • Backup systems spanning dozens of organisations
  • Monitoring tools with broad visibility into client environments

This concentration of access makes MSPs an incredibly attractive target for attackers. Compromising one MSP can provide a gateway to dozens of clients — a force multiplier that cybercriminals understand well.

Real-World Incidents

The Kaseya VSA Attack (2021)

The REvil ransomware group exploited a vulnerability in Kaseya VSA, a remote monitoring and management (RMM) tool used by MSPs worldwide. The attack affected approximately 1,500 businesses globally.

What happened: Attackers deployed ransomware through Kaseya's automatic update mechanism, encrypting files across MSP clients' networks. Many MSPs had no idea their own tools were the vector.

The lesson: Your MSP's security is only as strong as the tools they use. If your MSP relies on a single RMM platform and that platform is compromised, every client is exposed.

The Supply Chain Problem

In 2023, a major Australian MSP suffered a breach when an attacker compromised their documentation system — a tool that contained client credentials, network diagrams, and security configurations. The attacker used this information to pivot into three client environments.

The uncomfortable truth: Many MSPs store sensitive client data in tools that were never designed for enterprise security. Password managers, documentation wikis, and even shared drives become attack surfaces.

The Ransomware Double-Extortion

Modern ransomware does not just encrypt your data. Attackers exfiltrate it first, then threaten to publish it unless you pay. When an MSP is the victim:

  • Client data from dozens of organisations is at risk simultaneously
  • The MSP must notify every affected client (often required by the Privacy Act)
  • Legal costs multiply across multiple jurisdictions
  • Reputational damage is shared between the MSP and its clients

How MSPs Handle Incidents

Phase 1: Containment

The first priority is stopping the bleeding:

  • Isolate affected systems — Disconnect compromised servers, disable compromised accounts
  • Preserve evidence — Snapshot affected systems before remediation
  • Assess scope — Determine which clients are affected and how severely
  • Engage incident response — Most large MSPs have retainer agreements with incident response firms
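The three technical containment steps above (isolate, preserve evidence, record scope) can be scripted so that they are done in the same order every time and leave an evidence trail. The following is an added example, not code from the article or from any MSP it describes. It assumes the affected client's servers are Hyper-V virtual machines on a host the MSP administers (so a checkpoint of a running VM also captures memory state) and that the analyst has Microsoft Graph PowerShell with the User.ReadWrite.All scope for the client's Microsoft 365 tenant; the client name, VM names, account names and evidence path are all placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Hyper-V

function Write-IrEvidence {
    # Append one timestamped, analyst-attributed line to the containment log.
    # The log itself is evidence: it shows what was changed, when and by whom.
    param([string]$Path, [string]$Client, [string]$Action, [string]$Target, [string]$Result)
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Analyst      = $env:USERNAME
        Client       = $Client
        Action       = $Action
        Target       = $Target
        Result       = $Result
    } | Export-Csv -Path $Path -Append -NoTypeInformation
}

function Invoke-ClientContainment {
    # First-hour containment for one affected client. Supports -WhatIf so the
    # action list can be reviewed before anything is changed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ClientName,
        [string[]] $VMName         = @(),   # hypothetical: affected Hyper-V guests
        [string[]] $CompromisedUpn = @(),   # hypothetical: accounts believed compromised
        [string]   $EvidencePath   = "C:\IR\$ClientName-containment.csv"
    )
    New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null

    # Order matters: cut network access first, then snapshot the (still running)
    # system so memory and disk are preserved before any remediation touches them.
    foreach ($vm in $VMName) {
        if ($PSCmdlet.ShouldProcess($vm, 'Disconnect all virtual NICs')) {
            Get-VMNetworkAdapter -VMName $vm | Disconnect-VMNetworkAdapter
            Write-IrEvidence $EvidencePath $ClientName 'IsolateVM' $vm 'NICs disconnected'
        }
        if ($PSCmdlet.ShouldProcess($vm, 'Take forensic checkpoint')) {
            $name = "IR-$((Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ'))"
            Checkpoint-VM -Name $vm -SnapshotName $name
            Write-IrEvidence $EvidencePath $ClientName 'CheckpointVM' $vm "Checkpoint $name"
        }
    }

    # Identities: kill existing sessions (refresh tokens) and disable the account.
    # Disabling alone leaves issued tokens valid until they expire.
    if ($CompromisedUpn.Count -gt 0) {
        Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
        foreach ($upn in $CompromisedUpn) {
            if ($PSCmdlet.ShouldProcess($upn, 'Revoke sessions and disable account')) {
                Revoke-MgUserSignInSession -UserId $upn | Out-Null
                Update-MgUser -UserId $upn -AccountEnabled:$false
                Write-IrEvidence $EvidencePath $ClientName 'DisableIdentity' $upn 'Sessions revoked, account disabled'
            }
        }
    }

    # Record the scope as it was understood at this point; it will be revised later.
    Write-IrEvidence $EvidencePath $ClientName 'ScopeRecorded' `
        "$($VMName.Count) VMs, $($CompromisedUpn.Count) identities" 'Containment pass complete'
}

# Usage with placeholder names. Drop -WhatIf to execute.
Invoke-ClientContainment -ClientName 'ExampleCo' -VMName 'EXC-FS01' `
    -CompromisedUpn 'j.citizen@exampleco.example' -WhatIf
```

The checkpoint is taken after network isolation but before any account or password changes, because the moment something is remediated the memory and disk state stop reflecting what the attacker did. A checkpoint stored on the same host is only as trustworthy as that host, so it should be exported to separate storage as soon as the host itself is confirmed clean.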

The problem: Many MSPs lack a formal incident response plan. They know they should have one, but the day-to-day pressure of client work means it rarely gets created or tested. When an incident happens, they are improvising. If your MSP cannot demonstrate a mature security posture, see our MSP Due Diligence Checklist before signing anything.

Phase 2: Communication

This is where most MSPs fail. Clients learn about the incident through:

  • A generic email blast that lacks specific details
  • Social media or news reports before the MSP contacts them directly
  • A conference call where the MSP's leadership clearly does not have answers

What clients actually need:

  • What happened (specific technical details, not vague assurances)
  • What data was affected
  • What the MSP is doing about it
  • What the client needs to do
  • A timeline for updates

Phase 3: Remediation

After containment, the real work begins:

  • Restoring systems from backups (if backups are intact)
  • Resetting credentials across all affected environments
  • Patching the vulnerability that was exploited
  • Implementing additional security controls (see our Essential 8 Implementation Checklist for the baseline)
  • Engaging forensic investigators to determine the full scope

The timeline reality: A significant MSP incident can take 2–6 weeks to fully remediate. During this time, clients experience degraded service, and the MSP's helpdesk is overwhelmed with incident-related tickets.

Phase 4: Lessons Learned

The best MSPs conduct thorough post-incident reviews and share findings with clients. The worst ones hope nobody notices and move on.

What Clients Should Demand

Before signing with an MSP, ask:

  1. Do you have a documented incident response plan? Ask to see it (redacted for sensitive details). If they cannot produce one, that is a red flag.
  2. When was your last incident response drill? Annual testing is the minimum; quarterly is better.
  3. What is your notification timeline? Good MSPs commit to notifying affected clients within 24–48 hours.
  4. Do you carry cyber insurance? And does the coverage extend to client losses caused by MSP negligence?
  5. How do you segment client environments? If one client's compromise can spread to another, the MSP has a fundamental security architecture problem.
  6. What is your backup strategy? Can you restore from immutable backups that attackers cannot encrypt?
  7. Have you completed the Essential 8 maturity assessment? Our Essential 8 Maturity Model explains the levels and what to expect.

What Employees Should Know

If you work at an MSP, you are on the front line of incident response. Here is what matters:

  • Know your role in the incident response plan. If there is no plan, raise it with management.
  • Document everything. In an incident, your documentation becomes evidence.
  • Do not communicate with clients directly unless authorised. A premature disclosure can create legal liability.
  • Protect your own credentials. MSP employees are high-value targets. Use hardware security keys, not just passwords.

The Insurance Gap

Most MSPs carry cyber insurance, but the coverage often has significant gaps:

  • Sub-limits on third-party claims — The MSP's policy may not cover losses suffered by their clients
  • Exclusions for "failure to maintain" — If the MSP failed to patch or update systems, the insurer may deny the claim
  • Coverage limits — A $5 million policy sounds substantial until you divide it across 200 affected clients

For clients: Your own cyber insurance policy is essential. Do not assume the MSP's policy will cover your losses.

The Regulatory Landscape

In Australia, the Notifiable Data Breaches scheme under the Privacy Act requires organisations (including MSPs) to report eligible breaches to the OAIC and affected individuals. Penalties for serious or repeated breaches increased in 2024, with fines of up to $50 million or 30% of adjusted turnover.

MSPs that experience breaches must navigate:

  • OAIC notifications
  • State-level privacy obligations
  • Contractual notification requirements to each affected client
  • Potential civil litigation from affected parties

The regulatory burden alone makes prevention far more cost-effective than response.

The Bottom Line

Cybersecurity incidents at MSPs are not hypothetical. They happen regularly, and the consequences are severe for everyone involved. The best protection is demanding transparency from your MSP about their security practices, incident response readiness, and insurance coverage — before you sign the contract, not after the breach.

Check your MSP now: Use our MSP Health Score to evaluate your provider's security posture, or read MSP Contract Red Flags to see what security clauses to demand in your agreement.

Frequently Asked Questions

What should my MSP's incident response plan include?
A good plan includes detection procedures, containment strategies, communication protocols, recovery steps, and post-incident review.
How do I know if my MSP has a good security posture?
Ask about their Essential 8 maturity level, SOC/NOC capabilities, incident response history, and cyber insurance. Our MSP Essential 8 Guide covers what to ask.