How do you negotiate MSA indemnification and insurance minimums without handing the economic loss to the vendor?

Brief
Three negotiation caps prevent MSA liability bleeding: cap at annual contract value (ACV), carve-outs for IP indemnity, and insurance floor tied to risk profile.
Detail
MSA liability is the #2 reason deals stall in legal (after data processing). Vendors often propose unlimited indemnity or 2-3× ACV caps; buyers counter with $25M liability floors that the vendor would have to absorb. The settlement is typically 1-2× ACV with defined carve-outs.
Enterprise Indemnification Standard
Mutual Indemnity Baseline
| Indemnity Type | Standard Cap | Carve-Out |
|---|---|---|
| IP infringement (vendor's code violates patent) | Unlimited | Only for unmodified code; excludes custom builds |
| Data breach (vendor fails security) | 2× ACV | Only breaches from vendor negligence, not force majeure |
| Service failure (vendor breaks SLA) | 1× ACV | Only for direct damages; excludes consequential damages |
| Breach of confidentiality | 1× ACV | Excludes disclosure required by law/court order |
Negotiation Playbook
Red Flags (Reject Immediately)
- "Indemnity capped at 10% of ACV" = Vendor accepts almost no risk
- "Indemnity unlimited for any reason" = Vendor accepts existential liability
- "Buyer liable for any IP claim regardless of vendor's use of code" = Buyer bears vendor's IP risk
- "Insurance required: $10M general liability" = Unrealistic for mid-market vendors
Negotiation Anchors
Anchor 1: IP Indemnity (Usually Unlimited, With Carve-Outs)
- Vendor starting position: "We'll defend against IP claims if someone sues because of our code."
- Your opening: "Acceptable. But IP indemnity applies only to unmodified vendor code. For your custom integrations, IP risk is shared."
- Settlement: "Unlimited IP indemnity for core product. Custom build IP indemnity capped at 2× ACV or project cost, whichever is smaller."
Anchor 2: Data Breach / Security (2× ACV Typical)
- Vendor starting position: "We maintain SOC 2 Type II. Any breaches are covered by insurance."
- Your opening: "Insurance backs claims; MSA caps liability. Data breach liability capped at 2× ACV, but applies only to breaches caused by vendor negligence (not 3rd-party hacks)."
- Settlement: "2× ACV for breaches caused by vendor failure to maintain reasonable security controls. Vendor provides proof of insurance for cybersecurity liability ($[amount] minimum)."
Anchor 3: Consequential Damages (Always Exclude)
- Vendor starting position: "Consequential damages, lost profits, business interruption excluded."
- Your opening: "Agreed. But direct damages from service outage are not consequential—they're direct. We want direct damages capped at 1-2× ACV."
- Settlement: "Vendor not liable for lost profits, lost revenue, reputational harm. But vendor IS liable for direct costs (e.g., emergency alternate solution, remediation labor) up to 1.5× ACV."
Insurance Minimums (Tied to Deal Size)
| Deal Size | General Liability | Cyber Liability | Errors & Omissions |
|---|---|---|---|
| <$500K | $1M | $1M | $1M |
| $500K-$2M | $2M | $2M | $2M |
| $2M+ | $5M | $5M | $3-5M |
Carve-Out Language (Protects Vendor From Unrealistic Claims)
```
Vendor indemnity excludes claims arising from:
- Customer's modification of vendor code (unless vendor approved)
- Customer's use of product in manner not documented in SOW
- Customer's failure to apply security patches within 30 days of vendor release
- Acts of God, war, natural disaster, cyber attack by external parties (not vendor's fault)
- Claims by third parties that customer created
```
Buyer Indemnity (Protects Vendor, Often Overlooked)
- Buyer indemnifies vendor for IP claims arising from buyer's data provided to vendor
- Example: "If customer's data includes stolen IP and vendor is sued, customer defends vendor"
- Typical cap: 1× ACV (lower than vendor indemnity because buyer data risk is buyer's responsibility)
Escalation Ladder If Vendor Won't Move
| Demand | If Vendor Resists | Escalation |
|---|---|---|
| IP indemnity carve-out for custom code | Vendor wants unlimited IP on custom | "We'll cap custom IP at 2× project cost. Is that workable?" |
| Data breach cap at 2× ACV | Vendor wants unlimited | "Insurance covers excess. You carry $2M cyber liability; we take anything above that." |
| Direct damages = Service outage (not consequential) | Vendor lumps all outages as consequential | "If you take service down 72 hours, we lose $X. That's direct. We need it capped at 1× ACV." |
TAGS: MSA,indemnification,insurance,legal,liability-cap,enterprise-deals,negotiation,risk
FAQ
What are the three negotiation caps that prevent MSA liability bleeding? Cap general liability at annual contract value (ACV), use carve-outs for IP indemnity, and set an insurance floor tied to the risk profile. Vendors often propose unlimited indemnity or 2-3× ACV caps while buyers counter with $25M floors, and the settlement typically lands at 1-2× ACV with defined carve-outs.
How should IP infringement indemnity be structured? IP indemnity stays unlimited for the core, unmodified product, since that's where real risk sits. For custom integrations and builds, the carve-out caps IP indemnity at 2× ACV or project cost, whichever is smaller, so the vendor doesn't absorb risk from buyer-driven modifications.
What insurance minimums does the article tie to deal size? For deals under $500K, it sets $1M each for general liability, cyber liability, and E&O. The $500K-$2M band moves to $2M across the board, and $2M+ deals require $5M general and cyber liability with $3-5M E&O.
How do you handle the consequential damages exclusion without giving away service-outage costs? You agree to exclude lost profits, lost revenue, and reputational harm as consequential, but argue that direct costs from a service outage are direct damages, not consequential. The settlement makes the vendor liable for direct costs like emergency alternate solutions and remediation labor up to 1.5× ACV.
Why include a buyer indemnity clause, and at what cap? Buyer indemnity protects the vendor from IP claims arising from the buyer's own data, for example if the customer's data includes stolen IP and the vendor gets sued. It's typically capped at 1× ACV, lower than vendor indemnity because the buyer's data risk is the buyer's responsibility.
