MSP Compliance Liability Guide: Protecting Your Business When Things Go Wrong

Scopable Team · 8 min read

Your client got breached. Or failed their audit. Or had a regulator come knocking.

Now they're looking for someone to blame.

You provided their compliance services. You're in the conversation whether you want to be or not.

This isn't hypothetical. MSPs are getting sued for client security incidents with increasing frequency. The MSP who helped with "compliance" is an easy target when things go wrong, even when the failure had nothing to do with the MSP's work.

Here's how to protect your business before that conversation happens.

The Liability Reality

When you provide compliance services, you create liability exposure in four categories:

Contractual liability: What did your agreement actually promise? If your MSA says you'll "ensure compliance" or "maintain security," you've made promises that can be enforced. Vague language creates broad exposure.

Professional liability (E&O): Did you give advice that was wrong? Did you miss something you should have caught? Did your recommendations cause harm when followed? This is errors and omissions territory, and it's the most common source of compliance-related claims.

Regulatory liability: Under frameworks like HIPAA, you may have direct regulatory obligations as a "business associate." Under GDPR, you may be a "data processor" with specific legal requirements. You're not just helping clients comply. You may be subject to compliance requirements yourself.

Reputational liability: Even if you're legally protected, a client publicly blaming you for a compliance failure damages your business. Word travels fast in MSP communities. One angry client with a LinkedIn account can cost you prospects you'll never even know about.

The uncomfortable truth: you cannot eliminate this liability. You can only manage and limit it.

Contract Language That Protects You

Your Master Service Agreement is your primary liability protection. Most MSPs use generic templates that don't address compliance services specifically. That's a problem.

Scope Definition

Vague scope creates broad liability. Specific scope limits exposure.

Bad language:

"Provider will deliver compliance services to support Client's regulatory requirements."

What does "support" mean? Which regulatory requirements? What's included? This language invites disputes.

Better language:

"Provider will deliver the following HIPAA compliance services: (a) annual Security Risk Assessment in accordance with 45 CFR 164.308(a)(1)(ii)(A), (b) policy documentation review and recommendations, (c) evidence collection and organization for Security Rule requirements, (d) quarterly compliance status reporting. Services are limited to technical safeguards. Administrative and physical safeguards are Client's responsibility unless specifically included in a Statement of Work."

Limitation of Liability

Your limitation of liability clause caps your financial exposure. Without it, you're exposed to unlimited damages.

Cap amount options:

  • Fixed amount ($100,000, $500,000)
  • Fees paid in prior 12 months
  • Insurance policy limits
  • Multiple of monthly fees (6x or 12x)

Compliance-specific consideration: Some clients will push for higher caps or carve-outs for "compliance failures" or "data breaches arising from Provider's services." Resist this. If you accept unlimited liability for compliance failures, you've undermined your entire limitation of liability structure.

Disclaimer of Warranties

Compliance services involve uncertainty. You're providing expertise and recommendations, not guarantees.

Include language establishing that you're providing advice, not guarantees, and that compliance outcomes depend on the client, not just you. Services should be provided on an "as is" basis.

The Shared Responsibility Matrix

A shared responsibility matrix (SRM) documents who is responsible for what in a compliance engagement. It's not just a best practice. For CMMC, it's required.

Why It Matters

Without an SRM:

  • Responsibilities are ambiguous
  • Finger-pointing happens after incidents
  • You may be blamed for things outside your scope
  • Litigation becomes more likely and more expensive

With an SRM:

  • Responsibilities are documented before anything goes wrong
  • Disputes can reference agreed-upon divisions
  • Your scope limitations are explicit
  • You have evidence of what was (and wasn't) your job

SRM Structure

An effective SRM covers three categories:

  • MSP Responsible: Controls and activities you own completely. You implement, maintain, monitor, and document. You're liable if these fail.
  • Client Responsible: Controls and activities the client owns. They implement, maintain, and document. You may advise, but they're accountable.
  • Shared Responsibility: Controls where both parties have roles. Document specifically who does what. "Shared" without specifics is ambiguous and dangerous.

Refusal Waivers

You identified a gap. You recommended a fix. The client said no. What happens next determines your liability exposure.

Why Refusal Waivers Matter

If a client declines your recommendation and later suffers harm related to that gap:

  • Without documentation: Your recommendation is hearsay. The client may claim they never received it, didn't understand it, or that you didn't explain the risk.
  • With documentation: You have evidence that you identified the risk, recommended mitigation, explained the consequences, and the client made an informed decision to decline.

Refusal Waiver Components

  1. Specific identification of the gap or risk - Not "Security vulnerability" but "Multi-factor authentication is not enabled for administrative access to the Office 365 tenant, creating risk of credential-based compromise."
  2. Your recommendation - Not "Enable MFA" but "Enable MFA for all administrative accounts immediately, and for all user accounts within 30 days, using Microsoft Authenticator or hardware tokens."
  3. Consequences of not implementing - Include the specific compliance implications and potential business impact.
  4. Client acknowledgment and decision - Client acknowledges the risk and accepts responsibility.
  5. Signature and date - Get it signed. Email acknowledgment is acceptable but less robust than a signed document.

When to use them: Whenever any of the following applies:

  • The client declines a significant recommendation
  • The recommendation relates to compliance requirements
  • The gap creates meaningful security or regulatory risk
  • The client chooses a different approach than you recommended

Insurance Coverage

Your insurance is your financial backstop when liability protections fail. Most MSPs have inadequate coverage for compliance services.

Errors & Omissions (E&O) / Professional Liability

This covers claims alleging negligence in your professional services. For compliance services, it's essential.

What to verify:

  • Policy explicitly covers technology consulting and compliance advisory services
  • Coverage extends to compliance framework advice (HIPAA, SOC 2, CMMC, etc.)
  • Policy covers regulatory proceedings, not just lawsuits
  • Defense costs are covered in addition to (not deducted from) policy limits
  • Prior acts coverage extends back to when you started compliance services

Typical coverage amounts:

  • Minimum: $1 million per occurrence / $2 million aggregate
  • Recommended for compliance services: $2 million per occurrence / $4 million aggregate
  • Consider higher limits if serving healthcare, financial, or defense clients

Working with Your Broker

Most insurance brokers don't specialize in MSP coverage. Find one who does, or educate your broker about your specific needs.

Conversation points:

  • "I provide compliance advisory services for HIPAA, SOC 2, and CMMC. Is that explicitly covered?"
  • "If a client fails an audit after following my recommendations, am I covered?"
  • "If a client gets breached and claims my security recommendations were inadequate, am I covered?"
  • "If a regulator investigates me due to a client incident, are defense costs covered?"

Get answers in writing. Verbal assurances don't hold up when claims are filed.

When Claims Happen

Despite protections, claims may occur. How you respond matters.

Immediate Steps

  1. Notify your insurance carrier immediately: Most policies require prompt notification. Delay can jeopardize coverage.
  2. Preserve all documentation: Emails, contracts, SOWs, meeting notes, refusal waivers, deliverables. Do not delete anything, even if it seems unfavorable.
  3. Don't admit fault: You can express concern without accepting responsibility. "I'm sorry this happened" is different from "We failed to catch this."
  4. Don't discuss with the client without legal guidance: Your insurance carrier will assign counsel. Wait for their involvement before substantive discussions.
  5. Document your own account: Write down what happened while it's fresh.

Proactive Risk Reduction

The best liability protection is avoiding situations that create claims.

Client Selection

Not every client is worth the risk. High-risk compliance clients:

  • Don't take compliance seriously (checkbox mentality)
  • Won't fund necessary controls
  • Have unrealistic expectations about outcomes
  • Blame vendors for their own failures
  • Operate in highly litigious industries without adequate insurance

Better to decline these engagements than manage the liability they create. For more on client selection criteria, see our guide on when NOT to offer compliance services.

Bottom Line

Compliance services create liability exposure you can't eliminate. You can only manage it.

The protection framework: Contract language that defines scope, limits liability, and disclaims guarantees. Shared responsibility matrices that document who owns what. Refusal waivers that protect you when clients decline recommendations. Insurance coverage that backstops your financial exposure. Proactive risk management that reduces the likelihood of claims.

Build these protections before you need them. When something goes wrong, it's too late to wish your documentation was better. Read our comprehensive guide to MSP compliance services for more on pricing for the risk you're taking.
