Smallest Clients Are ‘Biggest Risk’ For MSP Cyber Liability: Galactic Advisors CEO

MSPs’ need for evidence proving they took the right security actions is greater when it comes to their smaller clients, according to Galactic Advisors CEO and Chief Security Officer Bruce McCully.

MSPs’ need for evidence proving they took the right cybersecurity actions for a client only rises for clients on the smaller side, according to Bruce McCully, CEO and chief security officer of cybersecurity assessment and consulting firm Galactic Advisors.

For MSPs facing the potential for surging legal liability amid intensifying ransomware attacks and data breaches, the most important question to ask clients now after they claim they are adequately protected is, “Can you show me?” McCully (pictured) said during a keynote session Sunday at XChange March 2026, an event hosted by CRN parent The Channel Company being held this week in Orlando.

If a client claims they are protected and do not need any security upgrades, MSPs—for the sake of protecting themselves—must require their clients to provide the evidence for that, he said.

“Show me the documentation. Show me the results of analysis that prove that you’re actually protected,” McCully said. “That’s where most security programs fall apart today.”

There’s no question that McCully’s remarks would resonate with many MSPs in this environment, according to Jason Fenoglio, director of information security at High Touch Technologies, a Wichita, Kans.-based MSP with operations in multiple states.

Simply put, there’s a “lot of liability” associated with clients that don't adopt a full security program, he said. As a result, High Touch now requires clients to adopt a full security program before they can sign up with the MSP, according to Fenoglio.

“You have to have the entire suite—we don’t do a la carte,” he said.

What the MSP has found, however, is that clients do eventually recognize that the costs associated with adopting security solutions are entirely worthwhile, Fenoglio said.

“They realize that the costs of the solutions themselves outweigh the repercussions of actually getting hit,” he said.

High Risk From SMBs

Notably, liability risks for MSPs—and the need to assemble documentation and evidence for security measures taken on behalf of clients—can vary based on how large the clients are, according to McCully.

“Do you have those things at your fingertips for all of your clients? Especially your smallest clients,” he said during the session Sunday. “Because your smallest clients—they’re your biggest risk.”

A recent lawsuit that impacted an MSP, for instance, had been brought by a small client of the MSP rather than a large one, McCully noted.

“They’re not being sued by their largest client. It’s a 16-person organization,” he said. “The smallest clients are the ones that say things like, ‘We don’t have the budget [to implement full-scale cybersecurity solutions].’”