Lawyer To MSPs: Make Your Master Services Agreement Your ‘Constitution’

“You don’t want services in your MSA because they change. You don’t want prices in your MSA. They change. And don’t tell me, ‘Well, we only have one level of service.’ No, you don’t. … Because that changes. Anything that is money- or service-dependent does not belong in your MSA,” says Bradley Gross, founding partner of the Law Office of Bradley Gross.

Most MSPs are making a big mistake in assuming the master services agreements they signed with customers will protect them should an issue arise.

That’s the word from Bradley Gross, founding partner of the Law Office of Bradley Gross, who told an audience of MSPs at this week’s XChange 2024 conference in San Antonio, that their master services agreements (MSAs) are more than wrong.

XChange is hosted by CRN parent The Channel Company.

Most master services agreements don’t work because they’re not rooted in reality, he said.

“Contracting in this industry has had a chronic problem,” he said. “You’re not dealing in reality. What’s reality? I’ll show you reality. Who here provides a backup solution? I don’t care which one it is. You’re all wrong. And you’re all doing something now by raising your hand that causes company-ending liability. Company-ending. Why? Because you don’t provide a backup solution. Datto does. Acronis does. Pick your poison.”

MSPs need to remember that they facilitate and resell backup solutions, but they don’t provide them, Gross said.

“But by raising your hand, you are putting yourself in the shoes of a provider,” he said. “And here’s the dirty little secret. Do you know what your providers do? They have you sign something that says, unless we do something maliciously or recklessly, our liability is way down low.”

Gross cited the recent Kaseya and ConnectWise hacks as cautionary tales. After the hacks, he said, he received calls from MSPs who were being sued by customers even after explaining that it wasn’t them who caused the hacks.

“The MSPs said, ‘We are trying to explain to them that it wasn’t us, it was Kaseya that didn’t issue a patch, or whatever it is,’” he said. “And I’ll tell you, the No. 1 response from their customers when they said it was Kaseya? The No 1 response ... was, ‘Who is Kaseya?’ No, seriously, that was it. ‘Who’s Kaseya? We’ve never heard of Kaseya.’

The time following a breach is not when an MSP should be explaining that it doesn’t provide the technology but instead only facilitates it and resells it, Gross said.

“That is not the time, for the first time, to explain to your customers, ‘Well, actually, we don’t provide most of what we offer. We facilitate and we resell. There are things we provide. We’ll take responsibility for those. But we’re not going to take responsibility for an upstream provider,’” he said.

In another example, an MSP calls a customer to tell it that it needs multifactor authentication to help protect multiple client devices, which are vulnerable to phishing attacks, but the customer declines perhaps because it feels MFA is not convenient when working on a plane or in a hotel room, Gross said.

Should such a customer get hacked, the MSP will likely remind that customer that it turned down MFA, he said.

“The MSP is going to say, ‘Well, I told you what to do. You didn’t listen to me,’” he said. “And the response will likely be from the client’s attorney who will say, ‘Show me where in your document it says they have to listen to you.’ Think about your documents. Where in your documents does it say your customer has to listen to you, because I’m sure it doesn't.”

Instead, that attorney will point out that the MSP on its website claims to be a trusted adviser, Gross said.

“’Why are you asking me if I want that? Why didn’t you just give it to me?’” he said. “In fact, it’s like an important surgery. The surgeon is not going to ask you, ‘Should I cut here or there? What do you think?’ Right? No, you’re the expert. Our customers don’t listen to us, do they? No, that’s reality.”

To head off such issues, MSPs need to look carefully at their MSAs, which Gross said should be considered an MSP’s constitution and a document that does not change.

“I don’t want your client’s name in your MSA. I don’t want anything changing. I want you to think about your MSA like the rules that the hotel posts at the pool outside. What does it say? It says, ‘No running. No glass bottles.’ It doesn't say, ‘Joe, if you’re here, no running, and Brad, no glass bottles.’ It just says no glass bottles. Who are they talking to? Whoever’s reading the sign.”

It should be the same with the MSA, Gross said.

“You don’t want services in your MSA because they change,” he said. “You don’t want prices in your MSA They change. And don’t tell me, ‘Well, we only have one level of service.’ No, you don’t. … Because that changes. Anything that is money- or service-dependent does not belong in your MSA. Your MSA is your constitution. Where do things that change go? In a quote, a Statement of Work, a service, or whatever you want to follow.”

The MSA should actually be posted, whether openly or via a password-protected website, Gross said.

“Why? Because it makes it your constitution,” he said. “Because people think that things that are posted can’t be negotiated. I don’t know why, but they do. So you’re going to post your MSA, and now each one of your Statements of Work, your quotes, and so on, will start off by saying, ‘This is governed by the terms of our MSA located here. By accepting this, you accept that.’

In this case, the MSP’s MSA is its constitution that does not change, Gross said.

“Everyone accepts it because theoretically, you wouldn’t be doing anything if you didn’t provide a quote, and every quote says it’s governed under the MSA now that you have an MSA.”

Another major mistake MSPs make that can lead to arguments between MSPs and their customers has to do with mismanaged expectations, Gross said.

As an example, a customer has an outage after 5:00 or 6:00 p.m. and calls the MSP, who responds that a technician can have it fixed by 9:00 a.m. the next day only to have the customer respond that its biggest client is waiting for service, he said.

“Did the MSP do something wrong? No,” he said. “The MSP didn’t want to overpromise and underdeliver. ‘But I have a problem with you, don’t I, because I don’t understand why you can’t get me my [systems] back in a half-hour.’”

The fix is in the MSA that governs legal and reality combined with a user manual that explains in detail the services the MSP provides, Gross said.

“It’s another document that explains what you do and how you do it in detail,” he said. “In detail. Explaining what you do, what you don’t do, what the limitations are of that issue, how you’re going to handle things, and what you will endeavor to do when you get a request for support. And you’re going to post it in the same way you’re posting your MSA, in non-public areas. And your quote will now start off by saying,‘This is governed in terms of our MSA located here. The services in this quote and the policies and procedures we implement in delivering our services are in our services manual. Any questions? Call us now. Here’s your quote. Two pages, good to go. That’s the process that works, that keeps you away from lawyers.”

Christie Marsteller, operations manager at Amarok MSP, an Issaquah, Wash.-based MSP, told CRN that her company currently focuses on month-to-month contracts and so doesn’t have an MSA, but after listening to Gross is ready to talk with her team about the potential benefits of having a well-written MSA.

“More importantly, I’ll be bringing up the specific point he mentioned about third-party providers and emphasizing what we facilitate versus what we directly provide,” Marsteller said.

“I think this is something, out of all the conventions and peer groups and stuff I’ve been a part of, that has never come up,” Marsteller said. “I think that it’s important to have those conversations before a disaster strikes.”

Marsteller said having a good MSA to protect her business is important.

“I think this presentation has better equipped me to go back to our owner and have specific conversations addressing those pain points and things that Brad has seen in his experience that we may run into,” she said.

Month-to-month contracts have been a good business model until now, and Amarok MSP doesn’t lose clients often, Marsteller said.

“But I would say I personally think that it hinders us more than it helps us as we’re always being very reactive, rather than proactive,” she said. “That is something we’re starting to move forward with and trying to go the other route.”