Managed Service Providers, or MSPs, are facing heightened scrutiny from their customers regarding cybersecurity, with 58 percent of MSP leaders believing their clients are at greater risk now than last year. Research from CyberSmart indicates that 84 percent of MSPs report their customers now expect them to manage their cybersecurity infrastructure, a significant rise from 65 percent in 2024. The second annual CyberSmart MSP Survey, which gathered insights from 900 MSP leaders across several countries, reveals that 77 percent of these leaders have seen increased scrutiny of their own security capabilities over the past year. The survey highlights that emerging threats, particularly those associated with artificial intelligence, are a major concern, with 38 percent of MSPs citing AI threats as significant risks.
Why do we care?
MSPs are under more pressure than ever to be their clients’ cybersecurity backbone.
Client expectations are climbing – 84% of MSPs say customers now expect them to manage cybersecurity end-to-end (up from 65% in 2024). That’s a significant shift in just one year.
MSPs themselves under scrutiny – 77% report heightened oversight of their own security practices. Clients and regulators increasingly recognize that a weak MSP is a threat multiplier.
But here’s the kicker: most cybersecurity vendors aren’t stepping up to share that risk.
While vendors talk endlessly about “partnership,” very few offer real shared-risk models. The burden of delivery and liability sits squarely on the MSP’s shoulders:
- Vendors supply tools, but MSPs are expected to integrate, monitor, and remediate—often without the resources of a full SOC.
- When breaches happen, it’s the MSP’s name on the line, not the vendor’s.
- Cyber insurance? Increasingly restrictive. Vendor indemnification? Almost nonexistent.
This exposes a growing accountability gap where MSPs are caught between rising customer demands and vendors’ unwillingness to co-own outcomes.
The market is forcing MSPs into a security-first approach, but the risk asymmetry is glaring. Cybersecurity vendors need to move beyond just selling licenses to sharing responsibility for outcomes with partners—whether through performance-based SLAs, indemnification, or embedded MDR/SOC services.
For MSPs, the takeaway is sobering:
- Don’t assume your vendor will bail you out in a breach.
- Vet vendors not just for features, but for their posture on risk-sharing and support in high-pressure scenarios.
- Decide if you’re going to build security in-house or align with MSSPs who can assume part of the load.
This isn’t about tools but trust, risk, and resilience.