
Most MSP disputes aren’t about who’s perfect. They’re about who looks reasonable on paper. When claims from a client, an insurer, or a subrogation suit hit, two things decide what you pay: where your conduct sits on the negligence-to-gross-negligence spectrum, and how your limitation of liability and risk-acceptance records are written.
Here’s how that plays out in real incidents.
The line between “careless” and “reckless”
- Negligence = you fell short of reasonable care.
  Example: a deployment job fails and endpoint detection and response (EDR) does not install on roughly 10% of endpoints. There is no post-deploy coverage check, the RMM alert sits for 48 hours, and one of those unprotected machines becomes patient zero in a phishing-led compromise.
- Gross negligence = reckless disregard of a known, significant risk.
  Example: you know EDR is off across a large slice of the fleet, your RMM and audit findings have warned you for weeks, you neither fix it nor notify the client, and the breach starts on one of those unprotected hosts.
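The negligence example above turns on a missing post-deploy coverage check. Below is an added example of what that check looks like in practice; it is not code from the original page or from any MSP tooling. It reconciles a constructed RMM inventory against the hosts the EDR console reports as checking in, treats hosts the RMM has not seen for a day as out of scope (so decommissioned machines do not inflate the gap), flags the live hosts with no or stale EDR check-in, and emits a timestamped JSON evidence record of the kind a ticket can carry. The 24-hour staleness window and the 98% pass threshold are assumptions; set them to whatever your SOW commits to.

```python
"""Post-deploy EDR coverage check (added example, constructed data).

Reconciles an RMM endpoint inventory with EDR check-in data, lists the
unprotected hosts, and produces a timestamped evidence record.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import json


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    last_seen: datetime               # last RMM check-in
    edr_last_seen: Optional[datetime]  # last EDR check-in; None if the agent never reported


def coverage_report(endpoints, now, stale_after=timedelta(hours=24), min_coverage=0.98):
    """Return in-scope count, unprotected hosts, coverage ratio and pass/fail.

    stale_after and min_coverage are assumed policy values, not page facts.
    """
    # Only hosts the RMM has seen recently count; offline/decommissioned hosts are out of scope.
    in_scope = [e for e in endpoints if now - e.last_seen <= stale_after]
    # A host is unprotected if the EDR agent never reported or its last check-in is stale.
    unprotected = sorted(
        e.hostname for e in in_scope
        if e.edr_last_seen is None or now - e.edr_last_seen > stale_after
    )
    coverage = 1.0 if not in_scope else 1 - len(unprotected) / len(in_scope)
    return {
        "checked_at": now.isoformat(),
        "in_scope": len(in_scope),
        "unprotected": unprotected,
        "coverage": round(coverage, 4),
        "threshold": min_coverage,
        "passed": coverage >= min_coverage,
    }


def evidence_record(report):
    """Serialize the report as a single JSON line suitable for a ticket or log."""
    return json.dumps(report, sort_keys=True)


# Constructed sample data: seven healthy hosts, one failed install, one stale agent,
# one host the RMM has not seen for a month (treated as out of scope).
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    Endpoint(f"ws-{i:02d}", NOW - timedelta(hours=1), NOW - timedelta(hours=2))
    for i in range(1, 8)
] + [
    Endpoint("ws-08", NOW - timedelta(hours=1), None),                       # agent never reported
    Endpoint("ws-09", NOW - timedelta(hours=1), NOW - timedelta(days=3)),    # stale agent
    Endpoint("ws-10", NOW - timedelta(days=30), NOW - timedelta(days=30)),   # offline, out of scope
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_ENDPOINTS, NOW)
    print(evidence_record(report))
    # Non-zero exit lets a scheduler or RMM job raise the alert instead of letting it sit.
    raise SystemExit(0 if report["passed"] else 1)
```

Run it as a step of the deployment job and file the JSON line in the ticket; a failing exit status is what turns "the alert sat for 48 hours" into an owned, timestamped action item.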
The same framing applies to incident response: having an outdated incident response (IR) plan that you are in the middle of updating is sloppy (negligence). But if you’ve acknowledged in writing that a plan is required (by contract or regulation), repeatedly deferred it, and then bungled notice, containment, and evidence preservation during an event, that reads as reckless (gross negligence).
Many contracts and state laws treat gross negligence differently from ordinary negligence. The higher your conduct sits on that spectrum, the less protection you get from your contract caps.
How contract caps and policy terms actually work in cyber incidents
Two guardrails usually set the money: your contract cap (limitation of liability) and your policy terms (per-claim limits, sublimits, coinsurance, notice/consent, and panel-vendor requirements). A good limitation of liability clause often caps damages at the fees paid in the last 12 months or a stated dollar amount, and excludes certain categories (lost profits, etc.). In a ransomware or business email compromise (BEC) dispute, the contract cap becomes the negotiation anchor and the policy conditions decide how much the insurer will actually reimburse.
Two things to keep in mind:
- Carve‑outs. Most limitation of liability (LoL) clauses won’t protect you from gross negligence or willful misconduct. If the fact pattern smells reckless, plaintiffs will argue you’re outside the cap.
- Comparative negligence. Many states split fault by percentage. If you can show you acted reasonably and the client ignored key recommendations, your percentage of fault could fall, reducing your capped exposure.
Translation: the surest way to keep the cap is to look reasonable. That’s evidence, not eloquence. Remember that contract caps govern litigation exposure, while policy terms and conditions govern reimbursement.
Risk acceptance is your best friend, when it’s accurate and documented
Risk acceptance (a signed refusal of controls like MFA, EDR, privileged access management, immutable backups) does three things for you:
- Shifts the narrative: It proves the client knew and declined protections, cutting against “reckless MSP” claims.
- Reduces your share: In comparative negligence, clear refusals move more fault to the client.
- Tamps down subrogation: When a cyber insurer pays and sues vendors to recover, your signed waivers become Exhibit A that you weren’t the bottleneck.
It also aligns with insurance applications and security questionnaires: when your recommendations match what you attest to the carrier, you reduce coverage disputes. But it only works if you live by it. If your Statement of Work says, “we maintain EDR,” a waiver about EDR won’t help; you assumed the duty. If your renewal questionnaire says, “MFA everywhere,” but you allowed exemptions without documenting them, you invite both coverage disputes and gross negligence arguments.
Tighten your posture without lawyering your emails
- Scopes that fit reality. Say what you do and don’t do. Name client responsibilities. Tie “security outcomes” to controls in scope.
- Risk acceptance with teeth. One page. Plain language. Lists the control, the risk of declining, and a renewal cycle reminder. Reobtain when facts change (new app, new threat, new incident).
- Truthful questionnaires. Insurers and big clients rely on these. If you say “MFA everywhere,” you have to either mean it, or list exceptions and the date you’ll close them.
- IR plan + notice muscle memory. Name roles, put carrier/broker/IR counsel numbers in the plan, and rehearse. The fastest way to look reckless is to improvise.
- Evidence habits. Tickets for alerts, deployment coverage screenshots, restore‑test logs, meeting notes with decisions and owners. You don’t need novels, just timestamps that tell a coherent story.
- Policy alignment. Keep a one-page coverage snapshot (per-claim limit, sublimits, business interruption (BI) trigger/waiting period, coinsurance, panel rules, notice/consent steps) and attach it to your IR playbooks so the team acts inside policy conditions during incidents.
Bottom line:
Negligence is about imperfect care; gross negligence is about ignored certainty. Your contracts, risk acceptance records, truthful questionnaires, and incident documentation are what keep you on the right side of that line and inside both your contract cap and your policy limits when the lawyers and adjusters enter the chat.
(If you want a practical starting set: a risk‑acceptance one‑pager, scope clauses, and a first‑day IR checklist, we keep them lightweight and ready to drop into your stack.)


