Running an MSP can be risky business. If anything goes wrong with your customer’s IT environment, you usually get the blame regardless of who messed up—you, a vendor, or the customer.
That’s why the start of the year is a great time to review all your MSP contracts and policies to find outdated clauses, loopholes, inadequate coverage, and other potential headache-inducing issues. Here’s a checklist to reduce risk, protect yourself, and limit liability.
1. Make Sure Your MSA Clearly Defines Deliverables and Liabilities
The master service agreement (MSA) is your business foundation. It should define the relationship with the client, specifying services, liabilities, termination clauses, and dispute resolution. It should also spell out which systems you manage for the client, what services fall under your scope of work, and what constitutes direct damages, says Mike Semel, president of Semel Consulting, a cybersecurity, business continuity, and compliance consultancy, and former MSP.
The MSA should also be very clear about what you don’t deliver to customers, says Ann Westerheim, founder and president of Ekaru, an MSP in Westford, Massachusetts. “Set very clear expectations about the services you’ll be providing, or the client may think you’re providing services that you’re not.”
And make sure the “Limitation of Liability” section does not contain language limiting your MSP’s liability “to the amounts paid under this agreement,” says attorney Bradley Gross, who specializes in IT and cyber law. “Why? Because the MSP’s liability limit keeps going higher the longer the MSP provides services under the agreement.”
Semel advises limiting exposure to direct damages. “If you make a mistake and bring down a law firm’s systems for two hours, and they bill $10,000 per hour, their direct damages would be $20,000.” But if they lose a $10 million-a-year client because of the outage, the consequential damages are much higher, so make sure you’re on the hook for only the $20,000, he says.
2. Check Your E&O Policy for Gaping Holes
Your E&O policy should have first- and third-party coverages, Gross says. If a hacker breaches your network and attacks your customers, first-party coverage pays your costs while third-party coverage deals with your customers’ claims.
And if you have a generic E&O policy, consider getting one tailored to managed services, advises Semel. Be aware, too, that a downloadable template or something you got from a peer might be an ill fit with your specific business and services.
Be sure to read the policy’s exclusions. A policy will cover you if a client suffers a breach after a faulty malware scan, but it won’t cover you for failing to run the scan, he says.
3. Review What Costs Your Cyber Insurance Covers
A cyber incident can be expensive, even with insurance. Your policy should cover things like the costs of lawyers, forensic experts, and other services you will require if you’re breached or sued, Semel says.
4. Use An Attorney Who Understands the MSP business
MSPs tend to operate on multiyear agreements, both with vendors and customers. Still, you should revisit them regularly.
“The contract that was perfect three years ago may not be perfect today. Have your contract reviewed at least every two years, even if it costs $1,000 [for an attorney] and there aren’t any changes,” says Semel.
Finally, it goes without saying: Never forego a contract. Not even for small projects, break/fix work, or unpaid demos, advises Gross.
Watch Gross’ webinar on The Top 5 Contract Mistakes MSPs Make That Put Their Business At Risk
