
EPISODE · May 22, 2026 · 30 MIN

Signal // Noise #021 - 3rd Party Risk with Eric Tilds

from Signal // Noise · host Chris Loehr & Bob Miller

MSPs are absorbing liability they didn't agree to take on — because their vendor contracts let it happen. Here's what to do about it.

EPISODE OVERVIEW

Signal // Noise #021 brings in a special guest: Eric Tilds, an attorney whose practice represents approximately 500 MSPs and MSSPs worldwide. With third-party software compromises happening weekly, Bob Miller and Chris Loehr sit down with Eric to break down what MSP vendor contracts actually say, why that language is costing service providers, and what a properly negotiated agreement looks like. This is not a legal theory episode. It's a practical session on what needs to change in your document stack right now.

WHAT WE COVER

- Why fewer than 5 of Eric's 500 MSP clients have their vendor contracts reviewed before signing
- How standard vendor liability caps (typically one year of fees paid) leave MSPs exposed when a third-party compromise causes real damage
- The three contract clauses that matter most: required security controls, mandatory breach notification, and indemnification
- How the IDEsaster supply chain attack pattern connects directly to current third-party compromise risk
- The GitHub repository breach carried out by Team PCP — and what it cost downstream
- Why "they don't allow contract negotiation" is almost always false, and how to push back
- What a vendor management program looks like for a 10-person MSP versus an enterprise shop

KEY TAKEAWAYS

- Your customer agreement and your vendor agreement need to work together — a gap in either one becomes your liability
- If you haven't negotiated security control obligations into your vendor contracts, you likely cannot recover your actual losses
- Documenting your vendor vetting process (including SOC reports) is as important as the vetting itself
- Small MSPs are not exempt from this exposure — limiting your tool stack is a practical starting point
- The community-wide answer is a unified front: MSPs collectively pushing vendors toward responsible contract language

ABOUT THE SHOW

Signal // Noise is a cybersecurity podcast where Chris Loehr and Bob Miller break down the latest security incidents, threats, and trends. Each incident episode runs the same event through five leading AI analysis tools (Claude, ChatGPT, Perplexity, Grok, and Gemini) and compares results live on air. Subscribe for weekly analysis that helps security professionals and business leaders stay ahead of emerging threats.

RESOURCES

- Cyber Constitution (free download): https://cyberconstitution.org
- IRGame: https://irgame.ai

TAGS

third-party risk, MSP security, supply chain attack, vendor contracts, cybersecurity law, MSP liability, third-party compromise, Team PCP, GitHub breach, IDEsaster, vendor management, cybersecurity podcast, Chris Loehr, Bob Miller, Eric Tilds, Signal to Noise podcast, MSSP, infosec, IT security, contract negotiation




Frequently Asked Questions

How long is this episode of Signal // Noise?

This episode is 30 minutes long.

When was this Signal // Noise episode published?

This episode was published on May 22, 2026.
