Risk To MSPs From Data Breach Lawsuits Is On The Rise: Galactic Advisors
Pointing to a recent case where an MSP has agreed to settle a class-action lawsuit over a 2023 breach, Galactic Advisors CEO Bruce McCully said there has clearly been a ‘change in how liability works for MSPs.’
MSPs are facing growing legal risk related to data breaches and ransomware attacks, exacerbated by cyber insurers who are increasingly denying claims due to insufficient documentation, according to the CEO of cybersecurity assessment and consulting firm Galactic Advisors.
Bruce McCully, who also serves as chief security officer (CSO) at the Nashville, Tenn.-based company, pointed to a case where an MSP recently agreed to settle a class-action lawsuit over a 2023 breach — even though the MSP “was not providing cybersecurity services.”
“There’s a change in how liability works for MSPs,” McCully told an audience of solution provider executives Sunday at XChange March 2025, which is hosted by CRN parent The Channel Company and being held this week in Orlando. “MSPs are getting sued right now, during and after data breaches.”
He cited the recent class-action lawsuit involving an MSP, Reliable Networks, and its client—accounting firm Berry, Dunn, McNeil & Parker—which together have reportedly agreed to a settlement totaling $7.25 million.
Cyber insurance firms have been implementing numerous changes, including tougher underwriting standards, stricter risk management requirements and an increase in exclusions, according to McCully.
“What this means is you need to understand your clients' policies, just like any other vendor agreement,” he said.
Cyber insurers are also expecting a substantial amount of documentation before they approve a claim, McCully said.
As a result, “we’re seeing an uptick in denials,” he said.
In the current threat and legal environment, there’s no question that liability is a bigger problem than ever before for providers of managed services, said Travis Woods, CEO of Fort Point IT, a Novato, Calif.-based MSP.
“The risk that we're taking on now has legal precedent and is very, very tangible in our world,” Woods said.
It’s also clear that MSPs will need to find ways to offset the risk, such as by outsourcing the risk in some way or by ensuring that their own documentation and processes will shield them from liability, he said.
Undoubtedly, incidents such as the case mentioned by McCully “are going to be make-or-break moments for an MSP and their maturity,” Woods said.
“We'll see smaller MSPs probably struggle with this because they don't have the resources or the infrastructure in place to be organized, to recognize the risk, to document the risk, and also to mitigate the risk,” he said. “I see that the smaller MSPs are in the crosshairs of that problem.”
Ultimately, according to McCully, a top priority for MSPs should be to ensure they are thoroughly documenting the security measures they are implementing for their clients — both to meet the expectations of cyber insurers and to protect against the increasingly likely possibility of litigation over a cyberattack.
“The absence of evidence leaves you vulnerable,” he said. “If you don't have evidence, you have a problem.”
