How to increase revenue by providing compliance to your customers

Hi Guys

First time ever Governments around the world started to put a minimum guideline recommendation for Cybersecurity .
What this says in summary is you need to provide MDR (Managed Detection & Response) and IR (Incident Response) services to your customer.

Will not providing this service put you in legal jeopardy?

It will if you haven’t done your MSA properly or got a “Waiver” from the customer.

So here are some ideas about what to do: (I am not a lawyer, please get your own legal advice)

-offer every customer your MDR & IR services as a standard
-have your MSA cover:

  • Your MSA must tell your customer that you will provide/facilitate only those services listed in a quote.
  • Your quotes must specifically state that your services are limited to the scope of the quote, and all other services or projects are out-of-scope.\
  • Your declination notice should tell your customer about the declined service (what it is, what it does, etc.)
  • Your declination notice should provide an example of what could happen to the customer without the declined service (e.g., “you could irretrievably lose data,” “your IT environment could shut down without warning,” “you won’t learn of newer or better strategies,” etc.)
  • Your declination notice should tell the customer that the declined service will not be provided unless both you and the customer agree to the service in a separate, written, mutually accepted quote in the future.

Make sure your MSA is written correctly, and then when your customer declines a service, deliver a declination notice–and don’t ask your customer for permission to not deliver that service.

This way, if a customer suffers a breach and they have previously declined to use your MDR service you should not suffer from “Corporate Negligence”.

(Please take your own legal advice, I am not a lawyer, just providing this information so that any MSP who is new will know what questions to ask)

Clearly define the scope of services in your MSA. Your MSA should specify the services provided, including MDR and IR. * When providing quotes, explicitly state that services are limited to the scope outlined in the quote. Any additional services or projects fall outside that scope. * Use declination notices to inform customers about declined services. Explain the impact of not opting for specific services. * Provide examples of potential consequences without the declined service (e.g., data loss, IT environment instability, missed strategies). * If a customer declines a service, document this decision. The declination notice should clearly state that the declined service won’t be provided unless both parties agree in writing (via a separate, mutually accepted quote) in the future.