Are You Liable If Your Clients Get Hacked?
Chris Wiser
INC #1686, 308% 3 Year Growth, 2x INC 5000 Winner - Speaker - Serial Entrepreneur - Angel Investor - Building Millionaires
Over the last decade, we have seen MSPs become ever more integral to the IT infrastructure of a growing number of businesses. This raises one pretty big question: Where does our liability begin, and where does it end?
A few years ago I had a conversation with a friend of mine, and the question of whether or not MSPs would be liable if their clients got hacked came up. He said that unless there’s some gross negligence going on, the MSPs would probably not be held liable.
But, in my opinion, the truth is a bit more complicated than just saying they would not be held liable. If, as an MSP, your client got hacked, then they would feel the costs of litigation, suffer a stain on their reputation, and would probably be in the center of a whirlwind of negative press - which could in turn reflect back on you.
Plus, a business will want to blame someone, and even if they may not be able to succeed, they may still try to take you to court. Even if you aren’t held liable, you could still face the full brunt of court (and do you really want to suffer through that?).
The heart of the matter lies in the assumptions our clients harbor. They think you are their cyber knight, safeguarding every digital nook. They presume total coverage because, well, "You're the IT guy!"
This critical misunderstanding could spell disaster, which leads us to some actionable considerations every MSP should ponder.
1. Examine Your Master Services Agreement (MSA)
Your MSA is your shield – it outlines the boundaries of your services. Are you articulating clearly enough whether you're covering cybersecurity initiatives, or are you not? Seek legal counsel. Ensure these terms are unambiguous and legally sound.
2. Get It Signed Without Exception
A signed MSA should underpin every interaction with a client. No exceptions. Whether it's break/fix, contract, or block hours, a signature is mandatory prior to any form of engagement. Consider it as fundamental as the obligatory paperwork at a doctor's office.
3. Adequate Errors & Omissions Insurance With Cyber Liability
Protect yourself. Ensure your coverage is robust enough to shield your enterprise against cyber calamities. Consult with a reputable, preferably IT-centric, insurance provider. For instance, TechRUG comes highly recommended – feel free to drop my name with Justin Reinmuth.
4. Educate Your Clients, Regularly
Ignorance is not bliss, at least not in the realm of cybersecurity. Conduct regular business reviews with all clients, regardless of their contractual agreement with you. Emphasize the dire need for cyber vigilance, the gravity of cybercrime, and why their insurance matters as well. And importantly, delineate in no uncertain terms, what your services encompass and exclude.
Erring on the side of assumption is a recipe for disaster. As MSPs, we are more than service providers; we are educators, guides, and sometimes, the bearers of hard truths. It's not a question of if a breach will occur but when. And when it does, let it not be the interpretation but the clear, written terms that determine the aftermath.
Not sure how to educate your clients on this or have that conversation? Join our ITMSP group that is chock full of conversations like this and so many more: https://www.facebook.com/groups/ITMSPBOG/
Website Developer, Designer, & Wordpress Maestro | Empowering Businesses with WordPress Wizardry! | Solving Challenges, Crafting Solutions |
9 months
The role of MSPs in shaping IT infrastructure is undeniable over the past decade. However, a critical question lingers: where does liability lie? Explore the nuances of MSP liability and its implications for client security in our latest discussion.