In September 2025, researchers linked a Qilin ransomware campaign to a likely upstream service-provider compromise that affected 28 South Korean financial-sector victims and involved over 2 TB of stolen data (Bitdefender; AhnLab ASEC). One IT provider. Twenty-eight firms. The attackers didn’t need to break into each company individually. They used the MSP’s access as a shortcut.
For heavily regulated businesses, switching IT providers is one of the highest-stakes vendor decisions you’ll face. Adelia Risk helps regulated companies, from SEC-registered investment advisors and hedge funds to healthcare practices, law firms, and defense contractors, evaluate MSPs and manage the transition.
One pattern comes up in every engagement: the biggest barrier to switching IT providers isn’t the technical cutover. It’s knowing what to look for in a new provider, what to demand in the contract, and how to avoid the common contract gotchas in MSP agreements.
We built a free checklist that walks you through the full process, from recognizing the warning signs to executing a clean transition. This article explains the thinking behind each section of that checklist.
How to Know When It’s Time to Switch
CHECKLIST EXTRACT
Signs You Need a New IT Provider
❏ You’re paying managed service prices for break-fix service: If your MSP handles helpdesk tickets but drags its feet on projects like security upgrades, software deployments, or infrastructure changes, you may be overpaying or working under a contract with unclear scope.
❏ Look for a pattern of “project” invoices on top of your monthly fee: If you’re regularly surprised by extra charges for work you assumed was included, your MSP’s scope boundaries are either unclear or deliberately vague.
❏ Check whether your MSP has pushed back on security recommendations: If an independent advisor or your own compliance team has recommended security improvements and your MSP called them “overkill” or agreed but never followed through, that pattern is unlikely to change.
❏ Determine if your MSP understands your regulatory requirements: An IT provider serving a financial services firm should be comfortable with SEC Regulation S-P expectations. One serving a healthcare practice should understand HIPAA Business Associate obligations. If they can’t speak to the basics, you’ll end up filling the gaps.
The Real Reason Companies Start Looking
Across the regulated businesses Adelia Risk advises, the most common signs you need a new IT company aren’t slow helpdesk response or high monthly fees. The real trigger is a pattern: surprise project bills, chronically slow project delivery, and an MSP that struggles to deliver work beyond basic ticket resolution. You’re paying for managed services but receiving break-fix support.
That gap between what you’re paying and what you’re getting is usually what pushes companies past the tipping point. The MSP proposal promised proactive management. In practice, you have reactive ticket handling and a monthly invoice that keeps climbing.
The Security Gap Most Business Owners Can’t See
The bigger risk for regulated companies is a gap that isn’t visible from the helpdesk experience. When Adelia Risk audits MSP-managed Microsoft 365 environments in financial services and healthcare, we regularly find the same configuration failures: conditional access policies not configured, MFA not enforced for admin accounts and other privileged access, no mobile device management deployed, and tenant security settings left at insecure defaults.
The MSPs responsible aren’t malicious. They built their practices around desktop support and printer troubleshooting. Cloud security configuration is specialized work, and many haven’t made that transition. If your firm has financial services or healthcare compliance obligations, those missing configurations aren’t just IT issues. They can show up as audit or compliance findings.
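The MFA gaps described above can be checked mechanically from an export of the tenant’s Conditional Access policies rather than by trusting the MSP’s word. The script below is an added example, not Adelia Risk’s tooling or anything from Microsoft; it assumes the policies were exported as JSON from the Microsoft Graph endpoint `/identity/conditionalAccess/policies` (the field names follow that schema), uses the Global Administrator role template ID from Microsoft’s published role list, and runs against a constructed sample export embedded in the script. It covers only the MFA findings; mobile device management and other tenant defaults need separate checks.

```python
"""Audit an exported set of Entra ID Conditional Access policies for the gaps
named above: MFA not enforced for privileged roles, MFA not enforced for all
users, and MFA policies left in report-only or disabled state."""
import json
from dataclasses import dataclass

# Directory role template ID for Global Administrator, taken from Microsoft's
# published role template list. Extend with other privileged roles as needed.
PRIVILEGED_ROLE_IDS = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # Critical / High / Medium / Info
    policy: str    # policy display name, or "-" for tenant-wide findings
    message: str


def load_policies(export_text: str) -> list[dict]:
    """Accept the raw Graph envelope {"value": [...]} or a bare JSON list."""
    data = json.loads(export_text)
    return data["value"] if isinstance(data, dict) else data


def requires_mfa(policy: dict) -> bool:
    """True if the grant control demands MFA or an authentication strength."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return "mfa" in controls or grant.get("authenticationStrength") is not None


def covers_all_apps(policy: dict) -> bool:
    """A policy scoped to a subset of apps leaves the rest unprotected."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return "All" in (apps.get("includeApplications") or [])


def audit_conditional_access(policies: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    if not policies:
        return [Finding("Critical", "-",
                        "No Conditional Access policies exist; the tenant is running on defaults")]

    mfa_policies = [p for p in policies if requires_mfa(p) and covers_all_apps(p)]
    enforced = []
    for p in mfa_policies:
        name = p.get("displayName", "?")
        if p.get("state") == "enabled":
            enforced.append(p)
        else:
            # "enabledForReportingButNotEnforced" (report-only) and "disabled"
            # are the "configured but never turned on" case seen in audits.
            findings.append(Finding("Medium", name,
                                    f"MFA policy state is '{p.get('state')}', so it is not enforced"))

    all_users_covered = False
    role_covered = dict.fromkeys(PRIVILEGED_ROLE_IDS, False)
    for p in enforced:
        name = p.get("displayName", "?")
        users = (p.get("conditions") or {}).get("users") or {}
        include_all = "All" in (users.get("includeUsers") or [])
        included_roles = set(users.get("includeRoles") or [])
        excluded_roles = set(users.get("excludeRoles") or [])
        if include_all:
            all_users_covered = True
        # A role is covered only if it is in scope and not explicitly excluded.
        for role_id in role_covered:
            if (include_all or role_id in included_roles) and role_id not in excluded_roles:
                role_covered[role_id] = True
        excluded_users = users.get("excludeUsers") or []
        if excluded_users:
            findings.append(Finding("Info", name,
                                    f"{len(excluded_users)} excluded account(s); "
                                    "confirm each is a documented break-glass account"))

    for role_id, label in PRIVILEGED_ROLE_IDS.items():
        if not role_covered[role_id]:
            findings.append(Finding("Critical", "-", f"No enforced policy requires MFA for {label}"))
    if not all_users_covered:
        findings.append(Finding("High", "-", "No enforced policy requires MFA for all users"))
    return findings


# Constructed sample export (not from a real tenant): an all-users MFA policy
# left in report-only mode, plus an enforced admin-only policy.
SAMPLE_EXPORT = json.dumps({"value": [
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["00000000-0000-0000-0000-00000000b1ea"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": list(PRIVILEGED_ROLE_IDS)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]})

if __name__ == "__main__":
    for f in audit_conditional_access(load_policies(SAMPLE_EXPORT)):
        print(f"[{f.severity}] {f.policy}: {f.message}")
```

Run against the sample, the script reports the all-users policy as not enforced (Medium) and, because no enforced policy covers all users, a High finding; the admin policy satisfies the Global Administrator check. Run against a real export, treat any Critical or High finding as a question for the MSP before signing, and keep the export with the proposal as evidence of the tenant’s state at handover.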
Secure Your Assets Before You Give Notice
CHECKLIST EXTRACT
Before You Start Looking, Prepare Your Exit
❏ Verify who owns your domain names: Log in to your domain registrar and confirm your company is listed as the registrant and administrative contact. If your MSP registered domains on your behalf, transfer ownership now, before the relationship gets contentious.
❏ Verify who owns your Microsoft 365 (or Google Workspace) tenant: Confirm your company is the tenant owner of record, with the MSP set up only as delegated/admin access where needed.
❏ Secure all administrative passwords in a vault your MSP doesn’t control: Document every admin credential, MFA recovery method, and management portal login. Store them in a password manager only authorized staff can access.
❏ Review your current MSP contract for termination terms: Find the exact notice period required, any early termination fees, and whether transition assistance is included.
Why Ownership Matters More Than Anything Else
For companies switching IT providers, this is the section of the checklist we tell every client to complete first, even before they start evaluating replacements. If your current MSP registered your domain name or created your Microsoft 365 tenant under their partner account, that arrangement can slow down or complicate the handover. We’ve seen transitions stall for months because the outgoing MSP controlled assets that the client assumed they owned.
Do this while the relationship is still cooperative. Verify ownership of your domain, your email and cloud storage tenant, and every other cloud service your business relies on. If anything is registered under the MSP’s account, start the transfer process now. Once you give notice, it’s common for responsiveness to drop.
What Every MSP Proposal Must Include
CHECKLIST EXTRACT
Evaluate Proposals With a Consistent Scoring Method
❏ Confirm every security tool is named with vendor and product: The proposal should say “SentinelOne Complete” or “CrowdStrike Falcon,” rather than “enterprise-grade EDR.”
❏ Confirm the proposal includes a clear Inclusions and Exclusions section: Look for specific examples of what is covered under the monthly fee and what gets billed as a project.
❏ Confirm SLAs include priority tiers with response AND resolution targets: A strong SLA defines priority levels (Critical, High, Medium, Low) with objective criteria, states response times for each level, and states resolution time targets for each level.
❏ Check what “24/7 monitoring” actually means: If a critical security alert fires at 2 AM on a Saturday, what happens? Automated alerts that create tickets which aren’t reviewed until Monday morning aren’t 24/7 monitoring.
Named Security Tools, Not Marketing Language
When Adelia Risk evaluates MSP proposals for clients hiring a managed service provider, we look at the security tooling section first. “Enterprise-grade EDR” could mean anything from a consumer antivirus with a business label to a legitimate endpoint detection platform. “SentinelOne Complete” or “CrowdStrike Falcon” tells you exactly what’s being deployed, and you can verify whether it’s actually running on your machines.
The same principle applies to every security tool in the stack: email security, backup, vulnerability scanning, DNS filtering, SIEM, log management, security awareness training, and MFA. If the MSP won’t name the products, you can’t verify what you’re buying or compare proposals on a like-for-like basis.
An MSP Service Level Agreement That Actually Means Something
A useful MSP service level agreement does more than quote a response time. It breaks issues into clear priority tiers (for example, “Critical” when the whole business can’t work, versus “Low” for a single-user, non-urgent request). Each tier should include both a response time and a resolution target.
We regularly see proposals that offer a single response time for all issues and no resolution commitment. That means the same urgency whether your entire network is down or one person can’t change their default printer. For regulated teams, including healthcare, financial services, and professional services, that lack of prioritization creates real compliance risk when a security incident sits in the same queue as a password reset.
Contract Terms That Will Protect You or Trap You
CHECKLIST EXTRACT
Review Contract Terms Before Signing
❏ Be cautious with 3-year initial terms for a new MSP relationship: You’re committing to 36 months with a vendor you haven’t worked with. A 1-year initial term is ideal.
❏ Require all Terms and Conditions in the proposal document itself: If the proposal references T&Cs hosted at an external URL, it can be hard to prove which version you agreed to later.
❏ Negotiate early termination provisions: “Early termination requires payment of the remaining contract value” is one of the most expensive terms in MSP agreements.
❏ Negotiate a cap on annual price increases: Strong contracts specify something like “annual increases limited to CPI or 5%, whichever is lower.”
The External Terms and Conditions Trap
One of the most common contract patterns we find when reviewing MSP proposals for regulated clients: a signature page that references Terms and Conditions hosted at the MSP’s website. This creates a version-control problem: the vendor can update the webpage, and it becomes harder to prove which terms you actually agreed to. Adelia Risk reviewed one proposal where the buyer would have been bound to contractual language they may never have actually read.
Insist that every binding term appear in the signed agreement. Not linked. Not floating on a webpage. Included.
Why Three-Year Contracts Are a Red Flag for New Relationships
A three-year commitment with a company you’ve never worked with is a gamble, regardless of industry. But for regulated businesses switching IT providers, the stakes are higher. If the MSP’s engineering talent doesn’t match what the sales team promised, or if they can’t handle your industry-specific compliance needs, your options are limited.
A one-year initial term gives both sides time to prove the relationship works. If things go well, renewing is easy. Two years is acceptable if you’re working from a strong referral. Three years before you’ve seen them deliver a single project is a red flag.
Compliance Obligations Stay With You, Not Your MSP
CHECKLIST EXTRACT
Compliance Checkpoints by Industry
Financial Services (SEC, FINRA)
❏ Confirm the MSP understands SEC Regulation S-P requirements: Including incident response programs, 30-day customer notification deadlines, and written policies for service provider oversight.
❏ Confirm the MSP can support FINRA Rule 4370 (Business Continuity Planning): Their backup and disaster recovery capabilities are central to your BCP.
Healthcare (HIPAA)
❏ Confirm the MSP will sign a Business Associate Agreement as part of the contract: A BAA should be included in the MSP contract, not treated as an afterthought.
All Regulated Industries
❏ Confirm the MSP’s security stack meets cyber insurance requirements: Most carriers now mandate MFA on all remote access and email, EDR on all endpoints, regular patching, backup with tested recovery, security awareness training, and incident response planning.
Regulators Hold You Accountable, Not Your IT Provider
When an MSP’s security gaps contribute to an incident, the regulatory fallout lands on the regulated entity. The SEC’s May 2024 amendments to Regulation S-P require a written incident response program (including service provider oversight) and customer notice as soon as practicable, but no later than 30 days after becoming aware of unauthorized access or use, or a reasonably likely incident (SEC Press Release 2024-58). “Our MSP handles that” is not a response SEC examiners will accept.
For healthcare organizations, HIPAA’s business associate rules mean your MSP has direct obligations too. But the covered entity can still be out of compliance if it knew of a pattern of activity or practice by the business associate that materially breached the agreement and didn’t take reasonable steps to fix it or end it (45 CFR). OCR has repeatedly emphasized the Security Rule’s risk analysis requirement in enforcement actions, including its Risk Analysis Initiative settlements (HHS OCR press release). If you want a practical view of how we set up vendor oversight and security governance in healthcare environments, here’s how our vCISO team approaches it.
Government contractors face another version of the same problem. If your MSP accesses, processes, stores, or transmits Controlled Unclassified Information (CUI), their services and systems can fall into your CMMC assessment scope. At a minimum, you need a clear customer responsibility matrix and evidence that they meet the relevant requirements (CMMC scoping checklist).
Cyber Insurance as a Practical Minimum Standard
In practice, cyber insurers and their underwriters set the minimum bar for MSP security. Coalition’s 2024 claims reporting shows how often losses start with email-based fraud, which is why underwriters focus so heavily on basics like MFA and secure remote access. If your MSP isn’t deploying the controls that carriers require, you face both coverage gaps and potential claim denial during an incident.
Before signing with a new provider, compare their security stack against your cyber insurance carrier’s requirements. If there’s a mismatch, address it during contract negotiations, while you still have leverage.
Your Timeline for Switching IT Providers
Here’s how to prioritize the work, regardless of where you are in the process of switching IT providers.
Do Today
Log in to your domain registrar and confirm your company is listed as the owner
Confirm your company is the tenant owner of record for Microsoft 365 or Google Workspace
Move all administrative passwords to a vault that your MSP cannot access
Find your current MSP contract and note the termination notice period and any auto-renewal notice window
Do This Week
Write a list of every system, tool, and cloud account your MSP manages
Identify 3-5 MSP candidates with experience in your regulatory environment
Send each candidate a technical RFI asking for named security tools, cloud security hardening process, and incident response procedures
Do This Month
Score proposals from your finalists using the same evaluation criteria for every vendor
Have legal counsel review all contract documents, including any referenced Terms and Conditions
Negotiate transition plan details: timeline, parallel support period, credential rotation, and success criteria
When Independent Oversight Makes the Difference
Switching IT providers is one of the few vendor decisions that can directly affect your cybersecurity compliance posture, your cyber insurance coverage, and your exposure to regulatory penalties. The checklist covers the mechanics, but some situations call for an independent perspective.
This is especially true if you’re in a regulated industry, whether that’s an investment advisory navigating SEC rules, a healthcare practice under HIPAA, or a defense contractor working toward CMMC. Having an independent advisor who isn’t selling MSP services review your proposals and help verify the new provider is meeting the standards you agreed to is worth the investment.
In March 2024, NSA and CISA noted that malicious actors, including nation-state groups, are known to target MSPs and may use their privileged access to pivot into customer environments. The agencies recommend due diligence assessments and ongoing monitoring of MSP security practices (CISA/NSA Cloud Security).
Adelia Risk’s Virtual CISO service helps regulated businesses evaluate MSP proposals, verify security claims, and provide ongoing oversight once the new relationship is in place. If you’re considering a switch and want a second set of eyes on scope, controls, or contract terms, we’re happy to talk.