Can Liability Waivers Protect MSPs when Clients ‘Pass’ on Security?Can Liability Waivers Protect MSPs when Clients ‘Pass’ on Security?
The evolution of cyber threats, lawsuits, chain-of-command concerns and related regulations have altered the IT liability waiver landscape.
June 22, 2021
Sponsored by Acronis
As one of today’s most critical areas of the IT ecosystem, the pressing need to deliver cybersecurity is forcing many MSPs to rethink their sales process. Often organizations don’t really understand what they need to protect their employees, customers and stakeholders. Are their businesses really at risk? If so, how much do they really need to spend for adequate protection?
While ransomware and other cyber attacks may seem like remote possibilities to business owners, anyone paying attention to industry statistics, talking with peers and tech professionals, and watching actual security alerts knows the threat is real. Cyber criminals are increasingly using automation in their attacks, so it takes no effort on their part to target organizations of any size–all of which have bank accounts. No business can rely on being too small or insignificant to escape the attention of attackers.
Unfortunately, MSPs often face an uphill battle if a client holds the misguided belief that they are too small to be targeted. Against that backdrop, the ability to protect their MSP business from liability caused by the decisions made by ill-informed or overly frugal clients is getting more difficult.
Scaring Clients into Smart Decisions
Liability waivers might be a good way to help guide those clients who push back on cybersecurity plans. Historically, MSPs have used waivers to protect their business from clients who only wanted break/fix services or would not invest in recommended, business-class equipment, such as a real firewall.
If a client won’t implement adequate cybersecurity measures–such as specific technologies, policies or training–an MSP can ask them to absolve the firm of responsibility if a security incident occurs that could have been prevented if the MSP’s recommendations were in place.
There are two ideas behind the liability waivers initiative.
Asking a decision-maker to sign on the bottom line about the risk they are accepting will force them to realize the seriousness of the situation. Hopefully, that action alone will lead to a more in-depth conversation about their exposure–which encourages them to upgrade their cybersecurity tools and procedures.
A waiver limits the MSP’s legal liability caused by a client’s refusal to do the right thing or invest in needed precautions such as multi-factor authentication, email security, etc. By signing the agreement, the client acknowledges the responsibility they are accepting for declining the recommended solutions and best practices.
The Changing Face of IT Liability Waivers
The challenge is that while the liability waivers used by IT service providers were relatively straightforward protection, the evolution of cyber threats, lawsuits, chain-of-command concerns and related regulations have altered the landscape. When it comes to cybersecurity, things have gotten incredibly complicated, and a simple waiver is no longer enough.
By managing and/or protect any aspect of a client’s systems, networks and data, an MSP may still be on the hook if they get hit with ransomware or suffer another cybersecurity failure.
Experience Matters When Creating Today’s Liability Waivers
MSPs who are considering the use of liability waivers in relation to their cybersecurity services should consult a reputable attorney in their region who has experience in the IT channel industry. That way, they can examine the MSP’s specific client situation in light of the applicable local, state and federal regulations.
Remember: Cybersecurity-related laws can be complex and difficult for a general legal practitioner to understand. To avoid increasing risk to their business, MSPs can no longer cut corners by downloading free online templates or relying on inexperienced attorneys.
Amy Luby is Chief Channel Evangelist at Acronis. A proven entrepreneur and pioneer in the IT services industry, she founded and built one of the first true Managed Services Providers (MSPs) in the United States, then expanded that into the first Master MSP, defining that business model in the process. Amy’s successes in the Channel have not gone unnoticed. She is the recipient of numerous Channel awards, including CRN’s Channel Chief and Women of the Channel Awards, MSP Mentor Top 250 Influencers, MSP Mentor Top 100 Global MSPs, SMB Nation’s SMB 150 and COMPTIA’s Industry Leadership Award.
This guest blog is part of a Channel Futures sponsorship.
Read more about:MSPs
About the Author(s)
You May Also Like