
If My Business Gets Hacked, Who's Liable – My Company or the MSP?

April 23rd, 2025 | 4 min. read

By Kharmela Mindanao


If your organization is working with, or considering working with, a managed IT service provider (MSP), you're probably wondering:

If a breach happens, who’s responsible — your business or the MSP? 

The answer isn’t black and white.  

Using Intelligent Technical Solutions’ (ITS’) years of experience as a leading provider of managed IT, cybersecurity, and compliance services, we want to guide you through this question.  

In this article, we’ll explore: 

  • liability in the event of a cyberattack
  • how your contracts play a role, and
  • what you can do to protect your business.

We invited Sean Harris, ITS’ VP for Cybersecurity, to share real situations he’s seen involving liability in the IT field.

By the end of this article, you’ll know who is liable for a data breach and how to protect your company from future liability.  


Who is liable for a data breach?  

When a business suffers a data breach, you need to ask: “Who dropped the ball?” 

Legally speaking, liability hinges on several factors: 

  • Who owns the data? 
  • What do the contracts say? 
  • What security measures were (or weren’t) in place? 

“In most of the U.S., liability generally falls to the data owner—the company,” Harris explained. “Regulators will come after the company first. Then insurance companies will look for other liable parties based on contracts and negligence.” 

That means even if you're working with a competent MSP, your business may still be held responsible if the breach affects sensitive data you control. 

To determine legal responsibility, start by reviewing your Service Level Agreement (SLA) or Master Service Agreement (MSA). These contracts define the scope of services the MSP provides—and often include clauses around breach responsibility and liability limitations. 

Many MSP contracts contain disclaimers that exclude responsibility for breaches caused by: 

  • Employee negligence (e.g., falling for phishing scams) 
  • Outdated systems or unpatched software 
  • Failure to follow recommendations 

“If the MSP clearly failed to deliver a contracted service—say, endpoint protection—and that led to the breach, then they could be liable,” Harris says. “But the onus is still on the business to document, enforce, and verify their agreements.” 

When a breach happens, here’s how the liability flow typically works: 

  1. Regulators or victims will first hold your company responsible, especially if you control the compromised data. 
  2. Your insurance carrier investigates and may cover damages. 
  3. The insurer (or your legal team) may pursue the MSP if they failed to meet contractual obligations. 

What Are MSPs vs. Companies Liable For?

Partnering with an MSP doesn’t mean handing over all accountability. In most client-provider relationships, security is a shared responsibility: 

Your Business Is Often Responsible For: 

  • Managing and protecting sensitive data 
  • Ensuring employees follow cybersecurity best practices 
  • Approving and funding necessary security tools 
  • Responding to MSP recommendations in a timely manner 

The MSP Is Responsible For: 

  • Monitoring your network for suspicious activity 
  • Deploying and maintaining security solutions 
  • Alerting you to potential risks or vulnerabilities 
  • Assisting in incident response and recovery 

An MSP can offer the tools, visibility, and expertise—but they don’t control your employees’ clicks or your company’s security culture. 

Can You Sue Your MSP for a Cyberattack? 

It’s your right to sue anyone you like. Winning is the tough part.  

You could take legal action if the MSP failed to meet its contractual obligations or was grossly negligent in carrying out its responsibilities. For example, if the MSP neglected to install promised security software, or if its technician misconfigured a firewall in a way that left you vulnerable, you may have grounds for a claim.

But if the breach was due to weak internal controls or human error in your business? The liability will likely fall on your business. 

“You can’t fully offload liability to another entity,” Harris said. “What you can do is reduce exposure through good partners, insurance, and structure.”

Can You Avoid Liability Completely? 

No. 

“If you don’t want to be liable, don’t run a business,” Harris quipped. “There’s no such thing as zero risk. But there is such a thing as smart risk management.”

Business owners are always accountable for protecting their data and choosing trustworthy partners. You can’t sign away your risk. But you can insulate yourself. 

“If any organization tells you you’ll be 100% not liable [for a possible data breach], run the other way,” says Harris. “You can only reduce risk, not eliminate it.”


How to Minimize Cybersecurity Liability 

While you can’t eliminate risk completely, there are proven ways to reduce your exposure. 

1. Choose an MSP With Strong Security Capabilities 

Not all MSPs are created equal. Quality providers will: 

  • Offer multi-layered security solutions 
  • Proactively monitor and respond to threats 
  • Have documented incident response protocols 
  • Hold cybersecurity certifications 

ITS, for example, offers managed security services under its ITS Secure solution, combining endpoint detection, email security, firewall management, and more. 

2. Create and Enforce a Cybersecurity Policy 

Human error remains the top cause of data breaches. Mitigate this risk with: 

  • Cybersecurity awareness training 
  • Strong password policies and MFA 
  • Role-based access controls 
  • Regular phishing simulations 

These steps demonstrate due care, which could reduce your liability if a breach occurs. 

3. Invest in Cyber Liability Insurance 

Cyber liability insurance can help offset costs from legal claims, notification requirements, data recovery, and business interruption. ITS even offers a cybersecurity warranty under ITS Verify that can cover deductibles and gaps in your policy. 


4. Regularly Review and Update Your Agreements 

Review your SLAs and MSAs annually. Make sure: 

  • Responsibilities are clearly defined 
  • You’re aligned on breach response expectations 
  • Liability limits are understood and mutually agreed 

5. Conduct Risk Assessments and Compliance Audits 

A thorough cybersecurity assessment can identify vulnerabilities before attackers do. Great MSPs provide regular risk evaluations to help you align with the NIST (National Institute of Standards and Technology) Framework, HIPAA (Health Insurance Portability and Accountability Act) Regulations, CMMC (Cybersecurity Maturity Model Certification), and other compliance frameworks. 

Ready to lessen your cybersecurity liability? 

Ultimately, cybersecurity is a team effort, but liability in a cyberattack is determined by how the breach occurred, what security measures were in place, and what the contracts say.

This makes choosing the right MSP more important than ever.  

If you’re looking for a reliable partner who can help you reduce your legal and financial risk, without the false promises, schedule a free cybersecurity consultation with ITS today.

If you want more information about cybersecurity liability, check out these free resources:  

Kharmela Mindanao

Kharmela Mindanao is a senior content writer for Intelligent Technical Solutions. She’s called Ella by her friends and likes yoga, literature, and mountain climbing. Her favorite book is Anxious People by Fredrik Backman. She creates art and poetry and is on a quest to find the best cheesecake.