MSP Supply Chain Risk: Manage Third-Party Dependencies
Your MSP uses a specific remote monitoring tool. That tool has a vulnerability. Attackers exploit it. Your environment — along with hundreds of other MSP clients — is compromised.
This is not hypothetical. The Kaseya VSA attack in 2021, the ConnectWise ScreenConnect vulnerabilities, and the ongoing targeting of MSP tools have demonstrated that supply chain risk is one of the most significant threats facing MSP-managed environments.
When you contract with an MSP, you inherit their supply chain. Every tool they use, every vendor they depend on, and every subcontractor they engage is a potential point of failure in your environment. Understanding and managing this risk is essential.
Understanding MSP Supply Chain Dependencies
Types of Dependencies
Core Platform Dependencies:
- RMM (Remote Monitoring and Management) tools
- PSA (Professional Services Automation) systems
- Documentation platforms (IT Glue, Hudu)
- Backup and recovery solutions
- Security tools (EDR, SIEM, vulnerability scanners)
Cloud Infrastructure Dependencies:
- Microsoft 365 / Azure
- AWS, Google Cloud
- Internet service providers
- Telecommunications providers
Service Dependencies:
- NOC (Network Operations Centre) services
- SOC (Security Operations Centre) services
- Helpdesk outsourcing
- Specialised technical services (database, network)
Vendor Dependencies:
- Hardware manufacturers
- Software vendors
- Licensing distributors
- Insurance providers
The Concentration Risk Problem
The MSP industry has significant concentration risk. A small number of vendors dominate key tool categories:
- RMM market: Concentrated among 3-4 major players
- PSA market: Dominated by 2-3 platforms
- Security tools: Increasingly consolidated
- Cloud platforms: Microsoft and AWS dominate
When a single vendor has a vulnerability or outage, the impact cascades across hundreds of MSPs and thousands of businesses. Your MSP's choice of tools directly affects your risk profile.
Assessing Your MSP's Supply Chain Risk
Step 1: Map the Supply Chain
Request a complete inventory of third-party tools and services used in your environment:
| Category | Tool/Service | Vendor | Risk Level | Contingency |
|---|---|---|---|---|
| RMM | [Tool name] | [Vendor] | High | [Plan] |
| PSA | [Tool name] | [Vendor] | Medium | [Plan] |
| Security | [Tool name] | [Vendor] | High | [Plan] |
| Backup | [Tool name] | [Vendor] | High | [Plan] |
| Documentation | [Tool name] | [Vendor] | Low | [Plan] |
| NOC/SOC | [Service] | [Provider] | High | [Plan] |
Step 2: Assess Impact
For each dependency, assess:
- Criticality: What happens to your environment if this tool/service fails?
- Duration: How long could you operate without it?
- Alternatives: Are there backup options or alternative approaches?
- Security: What security controls does the vendor have?
- Data exposure: What data does the vendor have access to?
Step 3: Evaluate Risk Controls
Assess what protections are in place:
Technical controls:
- Does the MSP have contingency plans for vendor outages?
- Are there alternative tools that could be deployed quickly?
- Is there monitoring for vendor service degradation?
- Are there data exports or backups independent of the vendor?
Contractual controls:
- What SLAs does the MSP require from its vendors?
- What data protection obligations exist?
- What happens to data if the vendor relationship ends?
- Are there audit rights or security requirements?
Process controls:
- Does the MSP have a vendor risk management process?
- How often are vendor risks assessed?
- Is there a process for evaluating new vendors?
- Are there incident response procedures for supply chain events?
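The three assessment steps above (inventory, impact, controls) can be turned into a repeatable scoring exercise. The following script is an added example, not part of the original guide; the scoring weights, thresholds, the `Dependency` fields and the tool/vendor names are all assumptions constructed for illustration. It rates each dependency on the Step 2 questions (criticality, tolerable outage duration, alternatives, data exposure) and the Step 3 questions (vendor assessed, contingency plan), renders the inventory in the guide's table layout, and raises the red flags the guide lists: missing contingency plans, single points of failure, unassessed vendors and vendor concentration.

```python
from __future__ import annotations
from dataclasses import dataclass
from collections import defaultdict

# Hypothetical scoring model (an assumption of this example, not an industry standard):
# each dependency is rated on the Step 2 impact questions plus the Step 3 control
# questions, and the total is bucketed into the High/Medium/Low levels the guide uses.

@dataclass(frozen=True)
class Dependency:
    category: str           # RMM, PSA, Security, Backup, Documentation, NOC/SOC
    tool: str
    vendor: str
    criticality: int        # 1 = minor inconvenience .. 5 = environment cannot be managed
    hours_without: int      # how long the business can operate without it
    alternatives: int       # fallback tools/approaches the MSP can deploy quickly
    data_access: str        # "none", "metadata" or "full" (credentials, backups, endpoints)
    vendor_assessed: bool   # MSP has evaluated the vendor's security posture
    contingency_plan: bool  # a written plan exists for this vendor failing

DATA_POINTS = {"none": 0, "metadata": 1, "full": 3}

def duration_points(hours: int) -> int:
    """Shorter tolerable outage means higher exposure (thresholds are assumptions)."""
    if hours <= 4:
        return 4
    if hours <= 24:
        return 3
    if hours <= 72:
        return 2
    if hours <= 168:
        return 1
    return 0

def score_dependency(dep: Dependency) -> int:
    """Combine impact and control answers into a single numeric exposure score."""
    score = dep.criticality * 2
    score += duration_points(dep.hours_without)
    score += 2 if dep.alternatives == 0 else 0
    score += DATA_POINTS[dep.data_access]
    score += 2 if not dep.vendor_assessed else 0
    return score

def risk_level(score: int) -> str:
    if score >= 12:
        return "High"
    if score >= 7:
        return "Medium"
    return "Low"

def red_flags(deps: list[Dependency]) -> list[str]:
    """Apply the guide's red-flag criteria across the whole inventory."""
    flags = []
    high_risk_by_vendor = defaultdict(list)
    for d in deps:
        level = risk_level(score_dependency(d))
        if level == "High" and not d.contingency_plan:
            flags.append(f"{d.category}: High risk with no contingency plan")
        if d.criticality >= 4 and d.alternatives == 0:
            flags.append(f"{d.category}: single point of failure (no alternative to {d.tool})")
        if not d.vendor_assessed:
            flags.append(f"{d.category}: security of vendor {d.vendor} never assessed")
        if level == "High":
            high_risk_by_vendor[d.vendor].append(d.category)
    # Concentration risk: one vendor behind several high-risk functions.
    for vendor, cats in high_risk_by_vendor.items():
        if len(cats) > 1:
            flags.append(f"Vendor concentration: {vendor} supplies {len(cats)} "
                         f"high-risk dependencies ({', '.join(cats)})")
    return flags

def inventory_table(deps: list[Dependency]) -> str:
    """Render the inventory in the same markdown table layout the guide uses."""
    rows = ["| Category | Tool/Service | Vendor | Risk Level | Contingency |",
            "|---|---|---|---|---|"]
    for d in deps:
        level = risk_level(score_dependency(d))
        plan = "Yes" if d.contingency_plan else "None"
        rows.append(f"| {d.category} | {d.tool} | {d.vendor} | {level} | {plan} |")
    return "\n".join(rows)

# Constructed sample inventory; tool and vendor names are placeholders, not real products.
SAMPLE_INVENTORY = [
    Dependency("RMM", "ExampleRMM", "VendorA", 5, 4, 0, "full", True, False),
    Dependency("PSA", "ExamplePSA", "VendorB", 3, 48, 1, "metadata", True, True),
    Dependency("Backup", "ExampleBackup", "VendorA", 5, 72, 0, "full", False, False),
    Dependency("Documentation", "ExampleDocs", "VendorC", 2, 168, 1, "metadata", True, True),
]

if __name__ == "__main__":
    print(inventory_table(SAMPLE_INVENTORY))
    for flag in red_flags(SAMPLE_INVENTORY):
        print("RED FLAG:", flag)
```

With the constructed inventory, the RMM and backup tools both come out High and share a vendor, so the script reports the two missing contingency plans, the two single points of failure, the unassessed backup vendor and the concentration on VendorA. Adjust the weights to your own risk appetite; the point is that the answers to the Step 2 and Step 3 questions are recorded once and re-evaluated whenever the MSP changes a tool.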
Managing Supply Chain Risk
Vendor Risk Management Framework
Your MSP should have a formal process for managing vendor risk:
1. Vendor Assessment
   - Security posture evaluation
   - Financial stability assessment
   - Compliance verification
   - Reference checks
2. Contract Management
   - SLA requirements
   - Data protection obligations
   - Incident notification requirements
   - Termination and data portability provisions
3. Ongoing Monitoring
   - Service performance tracking
   - Security incident monitoring
   - Financial health monitoring
   - Compliance status verification
4. Exit Planning
   - Data portability procedures
   - Alternative vendor identification
   - Migration planning
   - Knowledge transfer requirements
Contingency Planning
For critical dependencies, ensure your MSP has contingency plans:
RMM/PSA outage:
- Manual monitoring procedures
- Alternative remote access methods
- Ticket management workarounds
- Communication plans for affected clients
Security tool failure:
- Alternative security monitoring
- Manual security procedures
- Incident response without the tool
- Restoration procedures
Cloud platform outage:
- Alternative access methods
- Business continuity procedures
- Communication with affected users
- Recovery procedures
Due Diligence for Your MSP
Ask your MSP these questions about their supply chain:
- "What third-party tools do you use to manage our environment?"
- "What happens to our environment if [tool] has a major outage?"
- "Do you have contingency plans for critical vendor failures?"
- "How do you assess the security of your vendors?"
- "Have you experienced any supply chain security incidents?"
- "What contractual protections do you have with your vendors?"
- "Can you demonstrate that you monitor vendor service performance?"
- "What is your process for evaluating and onboarding new vendors?"
Contractual Protections
What to Require in Your MSP Contract
Your MSP contract should address supply chain risk:
Transparency requirements:
- Right to know what tools and vendors are used
- Notification when critical vendors change
- Access to vendor risk assessments
Performance requirements:
- SLA obligations that account for vendor dependencies
- Contingency planning requirements
- Incident response procedures for supply chain events
Data protection requirements:
- Data protection obligations for vendor-provided services
- Data portability provisions independent of vendor
- Prohibition on unauthorised subcontracting
Exit provisions:
- Data return in standard formats
- Transition assistance independent of vendor tools
- Knowledge transfer requirements
Red Flags
No vendor visibility. If the MSP cannot tell you what tools they use in your environment, they do not have supply chain management.
Single points of failure. If critical functions depend on a single tool with no backup plan, the risk is concentrated.
No contingency planning. If the MSP has never considered what happens when a vendor fails, they are not managing risk.
Vendor lock-in. If the MSP is dependent on a specific vendor to the exclusion of alternatives, your options are limited.
No security assessment of vendors. If the MSP does not assess vendor security, they are inheriting unknown risks.
Related Guides
- Cyber Insurance MSP Requirements — Insurance and supply chain risk
- MSP Remote Work Security Guide — Security in distributed environments
- MSP Data Breach Response Plan — Responding to supply chain breaches
- MSP Compliance Framework Guide — Compliance requirements for third parties
- MSP Technical Debt Assessment — Vendor dependencies and technical debt