
I was having dinner with the CEO of an MSP last night. He looked like he’d just walked out of a war zone. One of his clients—a water treatment plant—had been dragging its feet for years on a basic cybersecurity upgrade.
Let’s break this down.
This plant controls water purity for thousands of people. This is the kind of place where a cyberattack doesn’t just result in downtime—it results in sick kids, lawsuits, and Congressional hearings.
And the crown jewel of their defense? Their SCADA network was secured behind a firewall-router combo with the password set to “password.”
That’s not negligence. That’s a loaded gun sitting on the kitchen table.
The Illusion of the Proposal
The MSP CEO told me he’d “done the right thing.” He had written a proposal to fix it. He had followed up. He had warned them. But here’s the truth that most MSPs don’t want to hear: proposals don’t protect you.
They’re sales documents. Optional. Non-binding. They’re soft.
When something goes wrong—and it will—you can’t wave a proposal in front of a courtroom and say, “See? I told them.” You’ll get laughed off the witness stand.
Because from a liability standpoint, unless you hold a signed Risk Acceptance document, there is no record that your client ever declined the risk, or even acknowledged it.
That means, on paper, you still own it.
The Dangerous Myth of “Firing the Client”
At this point, you might be thinking, “Well, if the client refuses to fix it, I’ll just fire them.” Let me introduce you to reality.
We recently saw an MSP get sued after they terminated a client relationship. Why? Because the client suffered a breach—months later—and their lawyers traced the exposure back to issues the MSP had identified before the split.
The MSP thought they were safe. They weren’t.
Without documentation showing they made clear, urgent, risk-based recommendations and had the client formally decline to take action, their exit meant nothing. The plaintiff’s attorneys framed it like this:
“You knew the patient was dying. And instead of getting them to a hospital, you walked away because they didn’t want to pay the bill.”
That’s how negligence cases get won.
Risk Acceptance Isn’t About CYA—It’s About Forcing the Decision
A signed Risk Acceptance Document does three things:
- It transfers the risk—clearly, visibly, and legally—to the client’s leadership.
- It creates urgency—this isn’t a “we’ll get to it someday” issue. It’s a flashing red light with consequences attached.
- It proves your due diligence—so when the lawyers come calling, you’re not caught stammering about what you “meant” to do.
And that’s the point: it’s not enough to recommend the fix. You have to prove you made them choose.
How to Avoid Getting Sued for Doing the Right Thing
Here’s your playbook:
- When you identify a critical issue—especially in high-risk sectors like utilities or healthcare—document it immediately.
- Draft a clear, plain-English risk acceptance form that names the exposure, the possible consequences, the proposed remediation and its cost, and the date and the name of the person accepting the risk.
- Get the decision maker to sign it. Not “review” it. Sign it.
- If they won’t? Send a final notice in writing. Keep that record permanently; it may be the only thing standing between you and a negligence judgment.
If you do walk away, you walk away with evidence. Because walking away without it just means you’ve set yourself up to be the ghost defendant in the lawsuit when their new MSP finds the wreckage.
Bottom Line
If you’re still relying on proposals and emails to protect your business, you’re not running an MSP—you’re walking a legal tightrope without a net. And the only thing standing between you and the fall is a piece of paper that says, “I warned them. They refused. Here’s their signature.”
Still think a weak password is just a small oversight? It’s not. It’s the thread that unravels your entire defense. Get it documented. Get it signed. Or get ready to explain it in court.