MSPs and ransomware: liability, contracts and what to do upfront
What an MSP risks when a customer gets encrypted. Useful contractual clauses, cyber insurance, operational playbook for the first 24 hours.
TL;DR
When an MSP customer gets encrypted, the customer's lawyer asks first: who is responsible? Three contract clauses, an E&O cyber policy and a 24-hour runbook are the defensive minimum.
Liability in practice
The MSP managing customer backup and DR is considered professionally responsible for the services provided. In a ransomware case with data loss the customer can:
- challenge SLA compliance;
- claim damages;
- trigger the MSP's professional insurance.
Exposure grows sharply with the size of the encrypted customer.
The 3 essential contract clauses
1. Liability cap
Cap on total liability (e.g. 12 monthly fees). Without one, exposure is unlimited.
2. Targeted-attack exclusion
Ransomware with documented nation-state attribution is out of scope. Put it in writing.
3. Customer obligations
Mandatory MFA, patch application within N days, prohibition on disabling backups. If the customer breaches these obligations, the warranty lapses.
E&O cyber insurance
Every MSP managing DR for more than 10 customers should have Errors & Omissions cyber insurance. Typical caps: €1-3 million. Italian annual premiums: €4-12k for a medium MSP.
Policies require evidence of DR drills. Without it, premiums are 30-50% higher.
The 24-hour post-incident runbook
What to do in the first 24 hours when a customer calls "We are encrypted":
Hour 0-2: containment. Disconnect the customer from the network, preserve logs, identify the variant (tools like ID Ransomware).
Hour 2-6: assessment. What is the last clean backup date? Which systems are compromised? Customer notification, legal review.
Hour 6-12: decision. Restore or pay? The decision is the customer's; you recommend (and document the recommendation).
Hour 12-24: execution. Restore in an isolated environment, validate, then ramp up progressively.
Document everything. You will need it.
Mistakes that lose the case
- touching the system without forensics: destroys evidence;
- negotiating with criminals on the customer's behalf: puts you in AML risk territory;
- not notifying the authority: for NIS2 entities notification is mandatory within 24h.
FAQ
Can I restore immediately without forensics?
Only if the customer requests it explicitly in writing. Explain that this destroys evidence.
Does insurance cover customer mistakes?
No. That requires the customer's policy.
Do I notify the data protection authority?
If personal data is involved, yes, within 72 hours. Coordinate with the customer's DPO.
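The 24-hour runbook, the "mistakes that lose the case" and the notification windows above all come down to one thing: a timestamped record that shows what was done, in which order, and whether the deadlines were met. The following Python tracker is an added example written for this article; it is not part of the article and not Sefthy tooling. It records each runbook action relative to the "we are encrypted" call, computes the deadlines the article cites (24h for NIS2 entities, 72h to the data protection authority when personal data is involved) and flags the ordering mistakes listed above: restore before a forensic image without a written customer waiver, an undocumented restore/pay decision, and missing or late notifications. The action vocabulary, customers, dates and timelines are constructed for the example.

```python
"""Incident timeline tracker for the first 24 hours of an MSP ransomware case (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

NIS2_NOTIFY_WINDOW = timedelta(hours=24)   # article: NIS2 entities, 24h
DPA_NOTIFY_WINDOW = timedelta(hours=72)    # article: personal data involved, 72h

# Action names are this example's own vocabulary, not a standard.
ACTIONS = {
    "isolated",             # hour 0-2: customer disconnected from the network
    "logs_preserved",       # hour 0-2: logs saved before anything is touched
    "forensic_image",       # evidence acquired before restore
    "written_waiver",       # customer asked in writing to restore without forensics
    "decision_documented",  # hour 6-12: restore/pay decision and recommendation recorded
    "restore_started",      # hour 12-24: restore in an isolated environment
    "nis2_notified",
    "dpa_notified",
}


@dataclass
class Event:
    ts: datetime
    action: str
    note: str = ""


@dataclass
class Incident:
    customer: str
    t0: datetime            # time of the "we are encrypted" call
    nis2_entity: bool
    personal_data: bool
    events: list = field(default_factory=list)

    def log(self, hours_after_t0: float, action: str, note: str = "") -> None:
        """Append an action, timestamped relative to the first call."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.events.append(Event(self.t0 + timedelta(hours=hours_after_t0), action, note))

    def first(self, action: str):
        """Timestamp of the first occurrence of an action, or None if it never happened."""
        times = [e.ts for e in self.events if e.action == action]
        return min(times) if times else None

    def deadlines(self) -> dict:
        """Hard notification deadlines that apply to this incident."""
        d = {}
        if self.nis2_entity:
            d["nis2"] = self.t0 + NIS2_NOTIFY_WINDOW
        if self.personal_data:
            d["dpa"] = self.t0 + DPA_NOTIFY_WINDOW
        return d

    def findings(self, now: datetime) -> list:
        """Mistakes from the article that the timeline shows as of `now`."""
        out = []
        restore = self.first("restore_started")
        image = self.first("forensic_image")
        waiver = self.first("written_waiver")
        decision = self.first("decision_documented")
        if restore is not None:
            # Restoring over the encrypted system destroys evidence unless an image
            # was taken first or the customer waived forensics in writing beforehand.
            if (image is None or image > restore) and (waiver is None or waiver > restore):
                out.append("restore started before forensic image and without written waiver")
            if decision is None or decision > restore:
                out.append("restore/pay decision not documented before restore")
        for name, deadline in self.deadlines().items():
            notified = self.first(f"{name}_notified")
            if notified is None and now > deadline:
                out.append(f"{name} notification missed (deadline {deadline:%Y-%m-%d %H:%M})")
            elif notified is not None and notified > deadline:
                out.append(f"{name} notification late")
        return out


def demo() -> dict:
    """Three constructed timelines: compliant, evidence-destroying, and late to notify."""
    t0 = datetime(2024, 3, 4, 8, 0)  # constructed date
    good = Incident("Customer A (constructed)", t0, nis2_entity=True, personal_data=True)
    good.log(0.5, "isolated", "customer VLAN cut at the firewall")
    good.log(1.0, "logs_preserved")
    good.log(3.0, "forensic_image", "images of DC and file server")
    good.log(8.0, "decision_documented", "customer chose restore; recommendation attached")
    good.log(14.0, "restore_started", "isolated restore environment")
    good.log(20.0, "nis2_notified")
    good.log(40.0, "dpa_notified", "coordinated with the customer's DPO")

    bad = Incident("Customer B (constructed)", t0, nis2_entity=True, personal_data=False)
    bad.log(0.5, "isolated")
    bad.log(2.0, "restore_started", "restored straight over the encrypted server")
    bad.log(5.0, "forensic_image")
    bad.log(9.0, "decision_documented")

    late = Incident("Customer C (constructed)", t0, nis2_entity=True, personal_data=False)
    late.log(1.0, "logs_preserved")
    late.log(30.0, "nis2_notified")

    now = t0 + timedelta(hours=36)
    return {"good": good.findings(now), "bad": bad.findings(now), "late": late.findings(now)}


if __name__ == "__main__":
    for name, fs in demo().items():
        print(name, fs or "no findings")
```

The checks are deliberately order-based rather than time-based: the article's point is that evidence handling and the documented decision must precede the restore, whatever the hour, while only the notifications carry a clock. Run with `python tracker.py`; the `bad` timeline produces three findings and the `good` one none.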
For SLA structure, see "DR SLA to propose". For service differentiation, see "Differentiate with managed DR".
Want to see Sefthy in action?
Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.