Huntress CEO Kyle Hanslovan: Kaseya Should Make Billing Concessions To MSPs
‘Whether that forgiveness comes today, tomorrow... I have high hopes that [Kaseya] will do something to compensate those partners,’ says Huntress CEO Kyle Hanslovan.
Huntress CEO Kyle Hanslovan, who played a key role in alerting MSPs to the Kaseya REvil ransomware attack, said that while Kaseya legally may not be required to reimburse MSPs for the time its VSA remote monitoring and management (RMM) software was offline, it would be the right thing to do.
“Legally there’s probably nothing in the Kaseya contract that guarantees uptime in SLA (service-level agreement), so they’re probably not legally obligated,” Hanslovan told CRN. “But I think this is a really cool opportunity for (Kaseya CEO) Fred [Voccola] and the Kaseya team to say, ‘Hey we know you were down, we know you had some outage’…maybe do a minimum prorate for those 10 days some MSPs were down.”
“That’s one-third of the month, that’s not unreasonable,” he added. “I don’t think the Kaseya team has ruled that out either, I just think they’re paying a lot of things down so we’ll see what happens.”
CRN reached out to Kaseya on whether there would be any billing concessions or reimbursements to partners but had not heard back at press time.
The Kaseya ransomware attack, which is widely considered the biggest ransomware attack ever, left an estimated 60 MSPs and 1,500 end user organizations with their data locked up by the REvil cybercriminals. Ultimately the 10-day VSA outage impacted 36,000 Kaseya MSP customers.
Hanslovan, who has emerged as a fierce advocate for MSPs grappling with security issues with MSP platform providers, believes Kaseya will handle billing concessions on a case-by-case business basis. “Whether that forgiveness comes today, tomorrow…I have high hopes that [Kaseya] will do something to compensate those partners,” he said.
Kaseya CEO Fred Voccola told CRNtv three weeks ago that Kaseya will pay “millions of dollars of restitution for all of its customers who have suffered for this, whether they were breached or whether they were just held offline for two, three, four, five or six days. We will take care of it financially.”
That said, one Kaseya MSP still recovering from the July 2 ransomware attack told CRN that he was recently billed the full amount by Kaseya after the 10-day outage. “My credit card got hit last week for our monthly Kaseya bill,” said the CEO, who did not want to be identified. “Kaseya has not suspended billing.”
Kaseya charges MSPs per device, the CEO said, with each device costing about $5.
During the COVID-19 pandemic, Hanslovan said some Huntress partners struggled to pay their bill, so the threat detection company stepped in to make bill concessions. “I can’t tell you how many folks we gave forgiveness or extended their bill or gave them a discount to get them through this,” he said.
He added that nothing in the Huntress contract said it needed to give forgiveness to its partners. “We just happened to be in a situation where we could,” he said.
Julie Machal-Fulks, a partner at Scott & Scott LLP, a technology law firm headquartered in Southlake, Texas, said in a blog post that the Kaseya subscription license agreement and reseller terms and conditions “are not friendly” to MSPs.
“It is not uncommon for MSP’s channel partners to have some unfavorable terms that put most of the responsibility on the MSP, rather than on the partner,” said Machal-Fulks in a blog post titled “Seven Things MSPs should Know Before Filing a Lawsuit Against Kaseya For the Recent Ransomware Attack.” “Kaseya is no different. There are many provisions that attempt to shield Kaseya from responsibility, and Kaseya will likely rely on those provisions (or at least it will try to do so) as a defense to any litigation instituted by an MSP.”
Michael Crean, president and CEO of Solutions Granted, a master managed security provider, said the least Kaseya could do is to “provide some sort of remediation service to the customers that were affected.”
“If they do nothing more, if a customer was down for a period of time, I don’t think they should be billed,” Crean said. “That would be like your electricity company coming in and saying, ‘Even though there’s been an outage for the last 10 days, we’re going to go ahead and assume what your usage would have been. Even though there wasn’t any usage, we’re going to bill you for it anyhow.’ … My hope is that behind the scenes they’re doing something to offset all of these costs and loss.”
Additional reporting by Jennifer Zarate.