Limitation of Liability Clause: What MSPs Need to Know

A client's insurance carrier paid out a seven-figure breach loss, then came after the MSP to recover it. The language in the MSP's own contract decided the dispute. Here is what your limitation of liability clause has to say before that day.

I recently worked on a dispute that put a number on what a limitation of liability clause is worth to an MSP. An MSP's client suffered a breach, and the client's insurance carrier paid the loss the way the policy said it would. Then the carrier turned around and pursued the MSP to recover the money. The demand ran to seven figures.

Insurance carriers are allowed to do that using what's called subrogation. Once an insurer pays its policyholder's loss, it can step into the policyholder's shoes and go after whoever it believes caused the loss.

So the party across the table on your worst day may not be your client at all. It is your client's insurance company, holding a paid claim and under no obligation to go easy on you.

A demand that size does not go away on its own, and with more than a million dollars at stake, the carrier filed. So the first thing we did was read the MSP's agreements, because the whole case turned on one question: did those agreements, and their exact language, govern the claim?

They did, and that reshaped the case immediately. The client was using an MSA drafted by Monjur, and that agreement waived the carrier's right of subrogation and excluded liability for the criminal acts of third parties. In plain terms, the client's own contract had already given up the carrier's right to come after the MSP for this loss, so the demand ran straight into language the carrier's own insured had agreed to.

On our first working call, my co-founder reduced it to one line: "The Monjur agreement waives the right to subrogation." The size of the loss decided nothing. The language decided everything.

A seven-figure demand, the kind that puts most MSPs out of business, was turned aside by a handful of clauses that were already in the agreement before anyone knew a claim was coming. That is what a limitation of liability clause, and the language around it, is for. This article walks through the exact language that made the difference, so you can build the same protection into your own agreements and find out whether what you have today would hold up.

For a plain-language overview of the MSA itself, start with the MSA Legal Guide for MSPs.

What a limitation of liability clause does

A limitation of liability clause caps what you can be forced to pay when something goes wrong. If a client claims a million dollars in damages, the clause decides how much of that million can actually reach you.

The cap can point at three kinds of numbers, and they behave differently under pressure:

  1. A flat dollar figure, say $10,000, fixed the day the contract was signed. It never moves, no matter how the claim or your business grows.
  2. A fee window, meaning some number of months of the fees that client pays you. It scales with the relationship, so a small client means a small cap.
  3. The proceeds of insurance, meaning what a liability policy would pay out on the claim. This is the number that scales with the coverage you actually carry.

The strong version combines them and ties your exposure to the greater of your insurance proceeds or a stated fee window. Which of these structures you have, fee-based or insurance-tied, is the single largest variable in your MSA.

Reading a real liability cap

I read liability caps for a living, and earlier this year, on a live MSA review, I hit a cap that used all three of those numbers at once. In substance:

Three months of fees, or $10,000, or the proceeds of insurance.

To be fair, that is a modern cap. It references insurance, which is the piece a flat-dollar cap misses, and whoever drafted it was thinking about the right problem.

It still fails in three places:

  1. It does not say whose insurance the proceeds come from.
  2. It does not say who has to fight the carrier if the carrier denies the claim.
  3. Its fee window is three months, which is below market.

Take them one at a time.

Whose insurance funds the cap?

"Proceeds of insurance" means what your own professional liability policy would pay on the claim. Your policy, not the client's. The phrase is obvious to the attorney who drafted it, and in one review I ran, the buyer had read it as a reference to his own coverage. If the contract does not spell out whose policy funds the cap, you have left a definitional argument sitting inside the one clause that exists to end arguments.

The carrier-denial clause

A cap that points to the proceeds of available insurance assumes the carrier pays. Carriers deny claims.

When that happens, the clause above is silent on who has to dispute the denial, and silence runs against you, because your client can argue the insurance would have been available if only you had challenged your carrier's determination. Suddenly you are funding a coverage fight against your own insurer as the price of reaching your own cap.

The fix is a carrier-denial clause, which says that if your carrier declines coverage, you are not obligated to fight the denial, and the cap simply falls back to the fee window. In the reviews we run, we see insurance-tied caps that never address a denial at all. The whole clause rests on the assumption that the carrier will pay, and it has no plan for the day the carrier will not.

How long should the fee window be?

Three months of fees is below market. When I say market, I mean what clients and their attorneys will accept without a fight, the place where these negotiations actually settle. In the agreements that come across my desk, that settling point is six months of fees.

That is a benchmark from practice rather than a rule of law, but the difference between the two is money you can count, because a fee window is measured in your own invoices. If a client pays you $5,000 a month, a three-month window puts $15,000 in front of a claim that may ask for a million dollars.

What's the market standard for an MSP liability cap?

So what should a strong cap actually say? The version we treat as the market standard, and build into our own agreements, ties the cap to your insurance. If a client brings a claim, they can recover up to whichever is greater: what your liability insurance would pay on the claim, or a set number of months of the fees they pay you, which should be six. Tying the cap to insurance rather than to a flat number is deliberate, and it protects you in a direction most owners do not expect.

Every MSP carries errors and omissions insurance, the policy that pays out when your own mistake costs a client money. Here is the trap: if your contract sets a low, fixed cap, your own insurer can point at that number and argue it only owes that small amount, not the real limits of your policy. Tie the cap to insurance instead, and your client's recourse runs to the coverage you already carry, so your exposure scales with the policy instead of with a number someone picked years ago.

This is also why we hold a single standard cap across every client rather than negotiating custom language account by account. A different cap for every client is how you end up with the low, flat numbers that let an insurer off the hook, and that undercuts the protection the whole structure depends on.

There is an opposite temptation, too: drafting the cap for maximum protection, as low and as airtight as you can make it. That overreach costs you twice.

  1. It introduces friction in the sales process. More customers push back, ask for changes, and raise questions before they sign.
  2. It presents an enforceability risk. Terms that reach too far are the ones most likely to be challenged, and a cap a court throws out protects no one.

A defensible cap even helps you sell. When a prospect's own attorney reads your contract and sees terms that are fair and standard, that counts in your favor, and it cuts down the back-and-forth before anyone signs. That is the balance we draft for: an agreement a client will sign without a fight, and one that holds up if it is ever tested. The best agreement is the one that never has to be enforced in court at all, because language this clear usually settles the dispute before it gets there.

What happens when a limitation of liability clause is tested?

A cap is theoretical until someone tests it, and the test comes in two forms:

  1. A client claims your work caused a loss and fights you over what is owed.
  2. A client's carrier pays the loss and comes for you through subrogation, the way that seven-figure matter began.

We serve more than a thousand MSPs and field 30 to 90 legal support tickets a day, so both forms come through my team's queue, and the heavy end of that queue is customer disputes and breach incidents.

What a written cap is actually worth

When the cap is finally tested, what does it actually buy you? Leverage. No attorney can promise you how a dispute will end, but the number your contract names sets where the fight begins, and a claim that opens at your cap is a very different negotiation than one that opens at a million dollars. Most disputes settle rather than go to trial, and the number they settle at is anchored to what your contract says you owe, so that opening figure does much of the work.

None of this is theory for us. We stand behind the agreements we draft, in court and in arbitration, and every case we take teaches us where the language holds and where it can be sharpened.

The first hours of an incident

What you do in the first hours of an incident matters as much as what you drafted. When a client takes a ransomware hit, the instinct is to dive in and start fixing. Resist it.

Call the client's insurance carrier first and ask permission to remediate before you start any work, even if that call happens at four in the morning. MSPs have gotten into serious trouble remediating ransomware for clients in good faith, when the right move was a letter telling the client to call its carrier. Remediation is not part of the base engagement, so if the client's carrier wants to pay you to do that work, take the engagement on the carrier's bill. Step in ahead of the insurer, though, and you can end up owning a loss their policy was built to pay.

The subrogation waiver and the criminal-acts exclusion

Go back to the carrier's demand. The cap alone did not carry that defense; two companion clauses did the decisive work.

The first is the subrogation waiver. The client's agreement waives the insurer's right of subrogation, so a carrier that pays the client's loss gives up the right to chase you for the same money. Without that waiver, a carrier payout does not end the loss; it just moves the loss to your side of the table, with a professional claims department behind it.

The second is the exclusion for the criminal acts of third parties. Ransomware, a data breach, a business email compromise, a supply-chain attack. Each of those is a crime committed against your client by someone else, and you are not the insurance company for every criminal actor who targets your clients. The exclusion says so before anyone is angry.

The exclusion keeps one deliberate limit, and that limit is what makes it fair. Your own negligence is carved back in, meaning it stays your responsibility, so you still answer for your own mistakes. That is by design: your negligence is exactly what your errors and omissions policy exists to cover, and your willful misconduct cannot be waived by law no matter what a contract says. That carve-back adds very little to your actual risk, and it is what lets the exclusion hold up when a client or a carrier pushes on it.

In that dispute, those two clauses were what decided it. Because the agreements applied, subrogation was waived and the criminal acts of third parties were excluded, and a seven-figure claim had to argue with the contract before it could argue with the MSP.

We built those agreements for this.

How to check your own liability cap

You now know what the language has to do, so put your own agreement on the desk and read the liability section against this list.

The cap structure A complete cap is tied to the greater of your insurance proceeds or a stated fee window; a flat dollar figure or a fee window alone is incomplete. Find the cap and confirm your insurance proceeds are in it.

The fee window Six months of fees is market and three months is below it, so count the months in your window.

A plain definition of "proceeds of insurance" The phrase means what your own professional liability policy would pay, and an undefined version invites a client to read it as their coverage, or however a dispute requires. Confirm the contract says plainly whose policy funds the cap.

The carrier-denial clause If your carrier denies coverage, this clause says you are not obligated to fight the denial, and the cap falls back to the fee window. Look for language about a denial of coverage; silence here is the gap.

The subrogation waiver Stops your client's insurer from paying the client and then pursuing you to recover the same loss. Search the agreement for the word "subrogation." If the word is missing, the protection is too.

The criminal-acts exclusion, with the carve-back Establishes that you are not liable for third-party crimes like ransomware or business email compromise, while keeping you responsible for your own negligence. Confirm the exclusion exists and that the carve-back sits inside it.

If one of these is missing, you do not yet have the language that decided that dispute.

Where the cap sits in your MSA

The cap leads the core protections we check in an MSP agreement, and the full set, with what to check in each, is in the MSA Legal Guide for MSPs.

As you read your own contract, keep one boundary straight. The cap limits how much you can be made to pay, while indemnification decides who pays when a third party sues you or your client. That is a separate clause with its own mechanics, and we cover it in a separate article on the indemnification clause for MSPs. The cap also assumes real coverage sits underneath it. That includes the client's own obligation to carry insurance, which the Legal Guide walks through.

Key takeaways
  • A limitation of liability clause sets the maximum a client, or a client's carrier, can force you to pay. Whether it is fee-based or insurance-tied is the single largest variable in your MSA.
  • Tie the cap to the greater of your insurance proceeds or a fee window. Six months of fees is market; three is below.
  • Define "proceeds of insurance" as your own policy, and add a carrier-denial clause so a coverage denial does not put you at war with your own insurer.
  • A subrogation waiver and a criminal-acts exclusion, with your negligence carved back in, were the case-dispositive clauses against a seven-figure carrier claim.
  • A written cap is leverage and a starting position in a dispute. Draft it defensible and enforceable rather than maximal.

The fastest way to find out where yours stands is to have an attorney who reads these clauses every day read yours. We review the cap along with the rest of the core protections and tell you whether it is insurance-aligned, whether the fee window is at market, and whether the carrier-denial, subrogation, and criminal-acts language is in place, in one conversation, at no charge.

The carrier that comes after you will read your contract line by line. Read it first.

Find out whether your cap would hold Get a free MSA review →

By Rob Scott, CEO and attorney, Monjur.

Rob Scott
About the author

Rob Scott

CEO & Co-Founder, Attorney

Attorney with 25+ years of MSP legal experience. Co-Founder of Scott & Scott, LLP and Monjur. Has overseen contracting for 1,000+ MSPs.

Rob Scott is an attorney with more than 25 years of experience in MSP and technology law, and the co-founder of both Scott & Scott, LLP and Monjur. He has overseen customer contracting for more than 1,000 managed service providers and built Monjur to bring attorney-supervised contract intelligence to the MSP industry.

Licensed in Texas since 1999, Rob earned his J.D. from the Maurice A. Deane School of Law at Hofstra University and his B.A. in Economics and Philosophy from Austin College. His practice focuses on software licensing, software audit defense, data privacy, and vendor risk, representing MSPs and enterprise clients in transactions and disputes with major software publishers.

Stop worrying about contracts

See exactly where your MSA stands.

Send us your agreement and an MSP attorney will highlight the gaps, in as little as 48 hours.

Get a free MSA review → Prefer to talk it through? Speak with our team →