When The Sh*t Hits The Fan, What Is Your MSP Liable For?

This article is written by guest contributor Mike Semel, president of Semel Consulting and a nationally recognized compliance and business continuity expert.

I just met an MSP at a conference who told me he had a good Errors & Omissions insurance policy that protected him against lawsuits and liability claims. He said he had a $2 million general liability policy with an additional $2 million umbrella, for a total of $4 million.

I asked him what his contract protected him from. He told me he signs a non-disclosure agreement (NDA) with every client. I said that was great, but what about his Master Services Agreement (MSA) that defines the legal aspects of his relationship with clients?

He said he only signs the NDA. But he again stressed that he had $4 million in E&O insurance that protects him.

Then I ruined his day.

I asked him if he had a really bad day, and really screwed up a client, and the client successfully sued him and won $10 million in damages because they lost their biggest customer due to his mistake, how was he going to pay the additional $6 million?

He just stared at me in fear. Because he doesn’t use a contract that limits what he is liable for or the financial limits of his liability, suddenly, $4 million in insurance coverage didn’t sound like a lot of money.

With the recent CrowdStrike meltdown that crippled Delta Airlines and other critical businesses, the CDK cyberattack that crippled the car sales industry (which lost $1 billion in sales), and the Ascension Health cyberattack that forced 140 hospitals to operate using paper for a month, putting lives at risk, everyone is asking the same question.

Who Is Liable?

CrowdStrike admitted that an error in their security agent update caused over 8.5 million devices to crash. It is estimated that Fortune 500 companies alone had more than $5.4 billion in direct losses. The CEO of Delta is threatening to sue CrowdStrike because his airline lost over $500 million.

And CrowdStrike is likely to pay….

$100 per customer. Why? See what CrowdStrike’s terms and conditions (shown below) include (their bold letters, not mine).

Liability may change based on the 2023 United States National Cybersecurity Strategy that says, “We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”

It’s unlikely the government is going to act soon so you need to look out for yourself.

Your Action Steps

Liability.

Whether that word sends a shiver down your spine or doesn’t make you flinch, you need to stop and review how you protect yourself in your client engagements.

Here’s why.

If you aren’t using an MSA with financial limits of liability and limits on what you are liable for, you are leaving yourself open to losing everything you own.

If you are using a Master Services Agreement with financial limits of liability and limits on what you are liable for that you copied from another MSP in your peer group, you may be leaving yourself open to large losses if the contract doesn’t comply with your state laws or if it doesn’t accurately define your scope of services. Using a free contract could cost you millions of dollars. Or if you didn’t copy it but it’s more than three years old, you should have an attorney familiar with your state laws review it to make sure it doesn’t need to be updated based on recent incidents or changes to regulations.

Do you have disclaimers and liability limits like CrowdStrike? When I was an MSP we limited our liability to two months of the current fee our client was paying us. My risk with a $2,000 per month client was $4,000 total. My risk with a $15,000 per month client was $30,000 total. Paying those amounts wouldn’t have caused me to close my company or sell my house and cash in my retirement plan.

But what about the MSP in California who was sued by a law firm client with which he never signed an MSA? Both the company and the owner were sued for over $1 million (no specified amount). Neither the company nor the owner is protected by a signed agreement.

Get An Advisor Who Understands The MSP Industry

Who should advise you and create your contract?

I am not an attorney but I know from owning multiple MSP businesses that having a good attorney doesn’t mean you have a good attorney who specializes in MSPs.

I have worked with great attorneys who handled business deals, real estate transactions, and other legal matters without a hitch. But I never considered having them write my MSA because they didn’t understand the nuances of our business.

Your advisor must understand:

  • The technology you support
  • The security tools you use
  • The concept of Shared Responsibility
  • The terms SIEM, SOC, MDR, EDR, MFA, etc. 
  • How to protect you if your RMM tool gets hacked or if a client suffers a data breach of a system outside of your scope of work
  • Ransomware, email scams, or hacking
  • How to make sure you get paid for out-of-scope work.

You want someone who can reference any lawsuits in our industry or how they helped other MSPs successfully keep themselves out of court. Isn’t that who you want to write the words that protect your assets?

That doesn’t mean that insurance isn’t important.

Even if you have a bulletproof contract that will stand up in court, do you want to pay $100,000 or more in legal fees to prove you are right?

That’s why I made sure that legal fees are covered in my E&O insurance.

Author:

Mike Semel

Mike Semel, “The Complianceologist,” is president of Semel Consulting. He is a CMMC Certified Assessor, CMMC Certified Professional, CMMC Registered Practitioner, Certified Security Compliance Specialist, Certified HIPAA Security Professional, Certified Business Continuity Professional, and a Certified Cyber Resilience Professional. semelconsulting.com
