I am looking to engage clients in a maintenance agreement (managed IT) starting Jan 2019. I'm curious if it's common to include ransomware attacks/resolution in the flat monthly maintenance agreement with the client. Where are the boundaries between a flat monthly maintenance agreement and charging for adds/removes/changes (projects) to the environment? A recent 12-user ransomware attack encrypted 2 out of 5 servers and 7 out of approximately 20 workstations. This was easily 30 hours' worth of recovery time. I obviously would like to exclude these catastrophic events from the maintenance agreement and provide best-effort security as we continue to make improvements to secure these environments against future attacks. Time, money, and staff constraints on both sides limit these things from being expedited. Anyway, any advice on the legalese disclaimer? Is there any other liability I should be concerned about that is or isn't covered by a related legal statement here? Does a business associate agreement protect the IT individual from these disasters?