Will liability waivers help when clients won’t pay for cybersecurity?
IT sales is a straightforward proposition. You build a portfolio or pitch a specific set of solutions to address a prospective client’s specific needs and negotiate to close the deal. You spend time and make adjustments – and it still may not result in a sale – but that dance has not changed much in the past couple of decades. Other than shifting from primarily a break-fix business to a managed services/cloud model, the client acquisition process was fairly simple to follow (though never easy).
Yet cybersecurity, one of the most critical areas of IT ecosystems today, is forcing many MSPs to change up their sales games. The misperception of what a business actually needs to protect its employees, customers, and others in the current threat environment can complicate the discussions. Conflicting opinions, often fueled by inexperienced and non-credentialed “experts” on the topic, are causing confusion and apprehension for organizational leaders.
Are their businesses really at risk and, if so, how much do they really need to spend? The cost versus benefit discussions can be tricky. Business leaders accustomed to investing a set amount on security each year may be uncomfortable doubling or tripling their budgets to address issues they cannot see.
Ransomware attacks and hacking incidents still seem like remote possibilities to many business owners. Those not paying close attention to industry statistics and general cybersecurity alerts, or talking openly with peers and tech professionals, tend to think differently about the threats than those more knowledgeable about that topic. The too-small-to-matter mindset can be a hard objection for MSPs to overcome.
The scared straight approach for cybersecurity
Liability waivers are an option that some industry experts are strongly advocating for the IT services community. It works like this: if a client pushes back on your recommended cybersecurity measures, which may include technologies, policies, and training programs, you ask them to absolve your firm of responsibility if something goes wrong. These agreements are typically specific to incidents your suggested solutions could have prevented, including ransomware, social engineering, and other security-related attacks.
Liability waivers are meant to spur clients into doing the right thing. Asking a decision-maker to sign the bottom line after reading the document is that scared straight moment, where they are forced to realize the situation's urgency. The hope is that action will spur a deeper conversation, after which they will agree to upgrade their cybersecurity tools and protocols.
A big reason for these waivers is to limit your liability due to the inaction or, in some cases, the frugality of a business client. Whether the owner declines to use standard protocols like multi-factor authentication or refuses to invest in email encryption and cybersecurity training, these agreements essentially serve as their wake-up call. By signing these documents, they acknowledge responsibility for deviating from your recommended solutions and best practices.
These waivers can be an alternative to walking away from organizations that won’t meet your minimum cybersecurity standards. Not everyone agrees that these agreements will fully absolve an MSP of its responsibilities, though. In other words, if you continue to manage and/or protect any aspect of their systems, networks, and data, your firm may be on the hook if they get hacked, hit with ransomware, or suffer any other cybersecurity failures.
Protect your MSP
Presenting reluctant clients with a liability waiver emphasizes the importance of data and network protection. While the purpose of this process is to scare them straight and encourage business decision-makers to approve cybersecurity recommendations and upgrades, you have to be prepared for them to call your bluff. What happens when cybercriminals launch a successful attack on that client’s poorly protected system?
You may be fined for compliance violations or sued for negligence. The law around liability waivers is pretty clear in many states, but typically around life-threatening stunts like bungee jumping or skydiving – not IT services. The best advice is to consult a reputable and industry-experienced attorney who can provide solid advice for your specific MSP and client situations, including all applicable local, state, and federal regulations.
Cybersecurity-related laws can be complex, and the issues around risk assignment may be difficult for a general legal practitioner to understand. Cutting corners when creating liability waivers – downloading free online templates or relying on inexperienced attorneys – can increase your own business risk.
The risk/cost factor
Business owners may cloud their cybersecurity discussions with objections that are unrelated to data protection. Their apparent lack of knowledge and misperceptions about this complicated subject may actually be a smokescreen for budgetary concerns. Many decision-makers cannot fully comprehend the financial and operational ramifications of poor cybersecurity.
Liability waivers may or may not help MSPs overcome those objections. Asking for a signature could stimulate the conversation, encouraging current or prospective clients to share their risk and pricing concerns and allowing your sales team members to take a shot at neutralizing those issues. Waivers can force more productive conversations.
On the flip side, the client could just sign the waiver to end the discussion – or simply walk away from the deal. Both routes create walls that can be hard for an MSP to break through and may significantly weaken the relationship. Neither option furthers your business goals (or theirs).
Signing a document will never solve your clients’ potential cybersecurity problems. While they can put off spending money for basic protection tools and support, and your team can continue servicing their infrastructure, the risks will remain.