The One Assumption Clients Are Making About You Right Now

Posted by cchahine On January 9, 2026

A few weeks ago, I had dinner in New Orleans with a family friend.

He owns a small law firm in Texas. Smart. Successful. A great client by any MSP’s standards. The kind of client I would have gladly built a book of business around when I ran my MSP. Long-term relationship. Pays on time. Trusts his vendors.

Because I work in cyber, he wanted to share a story with me. It started the way these stories often do, with what he casually called a “security issue.” The reality was much heavier. A ransomware attack happened a few years ago, and the anger is still very real.

Not at the hackers.

Not even at the ransom payment.

At his MSP.

“I Thought I Was as Protected as I Could Be”

The firm was hit with ransomware. The bad kind. Systems locked. Data inaccessible. Phones ringing. Clients asking questions he did not have answers for.

He said the stress probably took five years off his life.

Negotiations with the hackers dragged on. Every hour felt like a gamble. Every decision felt irreversible. This was not a tabletop exercise or a war story. This was his business, his reputation, and his livelihood on the line.

They paid the ransom.

And then, in the middle of that chaos, one sentence changed everything.

One of the MSP’s engineers said something like:

“If you would have had us install our advanced security tools, this never would have happened.”

That sentence was worse than the ransomware.

Why That Sentence Was the Real Failure

From the engineer’s perspective, it may have been factual.

From the client’s perspective, it sounded like this:

“You could have avoided this. We just never told you.”

He waited until the incident was over. Until systems were restored. Until the adrenaline wore off.

Then he called the MSP owner and used words he could not repeat at the dinner table.

Not because the MSP caused the attack.

Not because they disappeared during the incident.

But because no one had ever explained what “good security” actually meant.

This Is the Gap That Is Getting MSPs in Trouble

The client assumed he was protected as well as he could be.

Why would he not?

He paid for security.

He trusted his MSP.

He did not know there were “levels” of protection.

He assumed that if something critical was missing, someone would tell him.

That assumption is everywhere right now.

And it is becoming dangerous.

At the Same Time, Attacks Have Only Gotten Better

Fast forward to today.

Phishing infrastructure has evolved into real-time attack platforms like the Spiderman phishing kit.

Pixel-perfect login pages.

Live interception of credentials and two-factor codes.

Attackers watching sessions unfold in real time.

Users will click.

Credentials will be stolen.

Attackers will get in.

That part is no longer shocking.

What matters is what happens next.

Tools Alone Do Not Decide the Outcome Anymore

EDR matters.

Email security matters.

Firewalls matter.

But none of those things decide what happens during an insurance claim, a lawsuit, or a post-breach investigation.

Insurance carriers ask for evidence.

Incident response plans.

Security awareness training records.

Acceptable use policies.

Proof that reasonable steps were taken before the incident.

If those things do not exist, it does not matter how good the tools were.

And here is the uncomfortable part for MSPs.

When those things are missing, clients do not blame the attacker first.

They ask why no one told them.

This Is Why MSP Liability Is Quietly Rising

Clients assume MSPs are handling security.

They assume MSPs are handling insurance requirements.

They assume MSPs are handling whatever needs to be handled.

Even when none of that was clearly defined.

When a breach happens, those assumptions turn into expectations.

And expectations turn into anger.

The law firm owner was not upset that ransomware happened.

He was upset that the first time he heard about “advanced security” was while his business was on fire.

This Is the Conversation MSPs Need to Lead Early

Not during the incident.

Not during negotiations.

Not when emotions are high.

Before anything happens.

This is not about fear.

It is not about upselling tools.

It is about explaining reality.

Modern security is about preparation and proof, not perfection.

Insurance already expects this.

Courts already expect this.

Clients just do not know it yet.

And they are assuming you do.

Start With Your Own Program

Before you take this conversation to clients, get your own house in order.

Document your program.

Validate it.

Make it defensible.

Know exactly what you are recommending and why.

Then go back to your clients and change the conversation.

Stop leading with tools.

Start leading with outcomes.

Start talking about what happens after the breach.

The Next Stressful Call Should Not Be This One

Ransomware is not new.

Phishing kits will keep improving.

Incidents will keep happening.

The only question left is whether your clients hear about their gaps before the worst day of their career.

Because if they hear it during the incident, the damage lasts a lot longer than the outage.

Cyber Liability