That’s what one of our MSP partners told me this week. Said it would make it “too easy” for their clients to not invest in real security. 

I almost choked on my coffee. 

Listen—I get the logic. You want your clients to take the full plunge. Go all in. Fork over the cash for the shiny stack, the 24/7 SOC, the next-gen MDR with all the acronyms. 

But here’s the thing: they’re not going all in. They’re not even dipping a toe in. They’re frozen. Paralyzed. Sitting in their boardrooms with a half-baked firewall and a prayer. 

Why? 

Because to your client, compliance feels like climbing Everest in flip-flops. It’s hard. Confusing. Expensive. Overwhelming. 

So what do they do? 

Nothing. Not a thing. No incident response plan. No risk register. No documentation. Nada. 

 

Meanwhile, You’re Playing Security Therapist 

You think you’re safe because you didn’t promise them a compliance program? 

That’s cute. They already assume you’re doing it. 

Of course you are—you’re the “IT guys.” You handle their backups. Their antivirus. You reboot their printer. Surely, you’ve written and tested their incident response plan too, right? 

Wrong. But they think you did. And that’s where the lawsuits begin. 

Because when they get breached—and they will—their attorney will say, “Where’s your incident response plan?” 

They’ll look at you. And you’ll say, “We never agreed to that.” 

And the attorney will say two words that will send a chill down your spine: Negligence and contract breach. 

 

Cyber Liability Essentials: Not A Your Bulletproof Vest 

This isn’t a full HIPAA program. It’s not PCI-compliant magic fairy dust. It’s step one. 

It’s a baseline—a documented, defensible program you can recommend that: 

  • Shows your clients you’re serious about protecting them 
  • Gives them the opportunity to accept or decline critical controls 
  • And—here’s the part you should really care about—covers your butt 

If you haven’t told your client they need a customized, documented, tested IR plan… 

If you haven’t priced it… 

If you haven’t gotten a signed risk acceptance document… 

You’re already on the hook. They don’t need to prove you said you’d do it. They just need to say they believed you would. They don’t have to provide evidence that you were negligent: they have the data breach, and that is their evidence. Now you have to defend yourself. 

 

MSPs Are Getting Sued—And You’re Next 

Let me be clear: If you don’t have a system to document what you’ve recommended, what they’ve declined, and where they stand… 

You’re the fall guy. Not because you’re evil. Because you’re silent. 

And silence, in the eyes of a court, looks a whole lot like guilt. 

 

Want to Fix That? 

Join us for the Cyber Liability Live Cast. We’re going to walk through: 

  • The lawsuits already taking down MSPs 
  • The dumb mistakes that make you legally liable 
  • And the simple, scalable way to offer Cyber Liability Essentials to every client 

 

This isn’t just about protecting your clients anymore. 

It’s about protecting you. 

Cyber Liability Live Cast – Save Your MSP 

If you don’t start building evidence now, you’re not just exposed. You’re negligent. That’s not me calling your baby ugly; that is what the demand letter is going to say.