risk bearing/calculation for security service provider


I have some questions related to the security service that a security SP offers.
Is it common for an SP to include risk-related calculations in the
security service (in the contract/SLA) they offer?
The question or problem might arise when some incident happens even
though the customer got a secure hosting service from the security SP.
The customer might complain that the SP doesn't protect them well and ask
for some penalty in this case. So how does the SP protect itself in
this case? Is there any best practice for that?

Thanks a lot,