Managed service providers are one of the most targeted business types in cybersecurity — and one of the most underinsured. Attackers go after MSPs deliberately: compromise one MSP and you get a trusted backdoor into dozens or hundreds of client networks simultaneously. The 2021 Kaseya attack hit over 1,500 downstream businesses through a single MSP supply chain exploit.
Standard cyber policies weren't written with that blast radius in mind. Here's what MSP-specific cyber coverage needs to look like, and where most policies leave dangerous gaps.
When an MSP is compromised and that compromise spreads to clients, the clients typically have legal standing to sue. Your managed services agreement almost certainly has indemnification language — and even if it doesn't, negligence claims are common.
This means your cyber policy needs to cover not just your own incident costs, but also the downstream damages your clients suffer because of something that happened on your watch. That's a fundamentally different exposure from that of a company that only manages its own data.
If you manage 40 clients and a compromised RMM tool pushes ransomware to all of them, you could be facing 40 separate third-party claims — each one potentially exceeding your annual revenue from that client. Your liability limit needs to reflect aggregate exposure, not per-client revenue.
These coverages are non-negotiable for an MSP. If a policy is missing any of them, keep shopping:
Tech E&O covers claims that your service didn't work — not that you were hacked, but that you failed to deliver what you promised. For MSPs, this includes failing to catch a threat your monitoring was supposed to catch, missing a patch that led to an exploit, or a backup that turned out to be corrupted when a client needed it.
Many cyber policies exclude Tech E&O entirely, or bundle it with a sublimit far lower than the main cyber limit. Read your policy carefully: the word "technology" appearing in the policy name doesn't mean Tech E&O is actually included.
Ask your broker or carrier: is Tech E&O written on the same limit as my cyber coverage, or is it a separate sublimit? If it's a sublimit, what is it?
MSPs face tougher underwriting scrutiny than almost any other tech segment. Carriers know the risk profile. The controls they'll ask about:
Missing MFA on your RMM or PSA will get you declined outright at most carriers. There's no workaround — fix it before you apply.
The right limit depends heavily on your client base composition and contract terms, but here's a practical framework:
| MSP Profile | Recommended Limit | Key Consideration |
|---|---|---|
| Under 20 clients, SMB-only | $1M–$2M | Check Tech E&O sublimit |
| 20–75 clients, mixed market | $2M–$3M | Aggregate third-party liability exposure |
| 75+ clients or any healthcare/legal | $3M–$5M | HIPAA/regulatory fines, strong indemnification clauses |
| MSP with MSSP / SOC services | $5M+ | Security service failures carry heightened liability |
If you have clients in healthcare, legal, or financial services, assume their contracts have meaningful indemnification language even if you haven't read it closely. Those industries are litigation-prone and your limit should account for it.
A generic cyber policy bought for a mid-size retailer is not the same as a policy built for an MSP. The liability profile, the blast radius of a single incident, and the underwriting requirements are all materially different.
Shop for a policy that explicitly includes Tech E&O on a full limit — not a sublimit — and that doesn't carve out claims arising from client network compromises. If your broker can't explain how those two things work in your current policy, that's a sign you need a second opinion.