Cyber Insurance for MSPs & IT Service Providers

You have access to every client's network. If you get breached, every client is at risk. That's why attackers specifically target MSPs. You need specialist coverage.


Brokers who understand MSP-specific risks.

Why MSPs are the ultimate target

MSPs have become the prime targets for sophisticated cyber attackers, and for good reason. One MSP compromise equals access to dozens—or hundreds—of client networks simultaneously.

Consider the 2021 Kaseya attack. Kaseya supplies RMM (Remote Monitoring and Management) software to thousands of MSPs. When Kaseya's systems were compromised, the attackers didn't just get one network; they got access to tens of thousands of downstream client networks. MSPs that had Kaseya installed found themselves pushing ransomware to all their clients at once. Hundreds of businesses were impacted by a single attack on a single vendor.

That's the nightmare scenario. Your RMM tools (ConnectWise, Datto, Itarian) are the keys to the kingdom. You have admin credentials for every client's servers, workstations, and networking equipment. Your PSA (Professional Services Automation) platform contains client billing data, passwords, and contact information. Your remote access tools (TeamViewer, AnyDesk) are installed on critical infrastructure.

For attackers, compromising an MSP is a force multiplier. One breach yields hundreds of downstream compromises. The return on investment is enormous—they can encrypt hundreds of companies' data simultaneously, demand massive ransoms, or exfiltrate client data at scale.

MSPs are also attractive because they're often smaller, with fewer security resources than enterprises. A 20-person MSP managing 200+ client networks likely has one part-time security person (if any). Attackers who go after enterprises know they can move faster against MSPs than against Fortune 500 companies with dedicated SOCs.

The supply chain liability problem: Your clients' losses become your problem

Here's the critical difference between MSP cyber insurance and standard cyber insurance: the liability problem is inverted.

When your systems are breached and your clients' data is exposed, you don't just have your own losses. You're liable to every affected client simultaneously. One incident can trigger dozens of lawsuits from different clients, each claiming damages for their operational losses, regulatory fines, and breach notification costs.

Your MSP agreement probably contains limitation of liability clauses—but insurers note that those clauses often fail when clients can argue gross negligence or willful misconduct. If your RMM tool is publicly known to be vulnerable and you didn't patch it, clients will argue you were negligent. The liability cap may not hold.

Even worse: your clients' own cyber insurers may subrogate against you. If a client gets breached through your network, their insurer may investigate, determine you were partially at fault, and pursue you and your policy to recover their claim costs. Now you're facing subrogation claims on top of direct client lawsuits.

Multiple concurrent lawsuits across different jurisdictions (if your clients are spread geographically) mean multiple regulatory investigations. Your breach hits one client in the UK, another in California, another in Australia. Each jurisdiction has its own breach notification and regulatory reporting rules. Defense costs multiply.

What MSP cyber insurance covers

Specialist MSP cyber insurance is built to address these unique supply chain risks. Here's what you need:

  • Technology E&O (Errors & Omissions): This is essential. Standard cyber policies don't always cover professional services failures. If your misconfiguration, failed patching, or system design causes a client breach, that's a professional services failure. Tech E&O covers your legal costs and settlements when clients sue for negligent service delivery.
  • Network security liability: When your breach impacts your clients' networks and operations, this covers their third-party claims against you. Includes legal defense, settlements, and damages.
  • Business interruption (your own): If you're successfully attacked and ransomed, or your systems are encrypted, you can't service clients. This covers your revenue loss during downtime.
  • Dependent business interruption: If a major client is breached through you, they may be forced offline, and they stop paying your managed services invoices. This covers revenue loss from clients who become unable to operate.
  • Client notification at scale: If hundreds of your clients' customers have data exposed, the notification costs are massive. This covers notification services, call centre staffing, and credit monitoring for affected individuals across multiple client bases.
  • Regulatory defence across multiple jurisdictions: You'll face investigations from UK ICO, US state AGs, potentially Canadian and Australian regulators if you have clients there. Each investigation requires separate legal counsel and experts. This covers those costs.
  • Forensic investigation: You need investigators who understand MSP infrastructure—RMM platforms, PSA systems, backup architectures. Standard cyber policies may limit forensic spend. You need unlimited or high coverage.
  • Reputation management and public relations: A breach that affects hundreds of your clients will generate negative press. Crisis PR, media training, and reputation repair services are critical to business survival.

Tech E&O is essential—don't skip it

Many standard cyber insurance policies don't cover the E&O component. That's a dangerous gap for MSPs.

Standard cyber insurance typically covers "costs of a breach"—forensics, notification, credit monitoring, incident response. What it often excludes is negligent service delivery. If your configuration was faulty, your patch management was inadequate, or your security recommendations were below industry standard, and a client gets breached as a result, standard cyber may not cover it.

Tech E&O insurance (also called Technology Professional Liability) is specifically designed for IT service providers. It covers claims arising from your professional services—configuration, maintenance, recommendations, and support. It's critical for MSPs because clients will sue claiming your negligence caused their breach, not just that you failed to prevent a sophisticated attack.

Many specialist MSP cyber policies combine both cyber and Tech E&O in a single program. Some underwriters will write them as separate policies that must be coordinated. Either way: ensure your broker confirms Tech E&O coverage is explicitly included and doesn't have exclusions for cyber incidents.

Key risks for MSPs

These attack types are particularly dangerous for managed service providers:

  • RMM tool compromise: Your RMM platform (ConnectWise, Datto, Itarian, Kaseya) is compromised or its API is exploited. Attackers use your RMM credentials to push ransomware to all connected client networks. Hundreds of clients are encrypted simultaneously.
  • Credential theft: Attackers target your MSP staff with phishing, social engineering, or malware. They steal RMM credentials, VPN access, or PSA platform passwords. They then have God-mode access to every client network managed under those credentials.
  • Supply chain attack through your software stack: You use third-party tools (backup, monitoring, patch management, security solutions). An attacker compromises one of those vendors. Your systems are exposed through the compromised tool.
  • Ransomware with dual impact: Attackers encrypt your systems AND automatically push ransomware payloads to all connected client networks. You're offline, clients are offline, and clients blame you for both breaches.
  • Insider threats: Your technicians and junior staff have legitimate access to all client networks. A disgruntled employee, a social engineering victim, or a staff member with financial incentive can exfiltrate data or sabotage client systems from the inside.
  • Social engineering targeting your helpdesk: Attackers call your support line posing as a client and request privileged access. Your helpdesk staff, under pressure and not well-trained, provides credentials or remote access. Attackers are in the door.

Typical costs for MSP cyber insurance

MSPs are considered high-risk because of the supply chain liability and scope of potential claims. Expect to pay a premium multiplier of 1.5–2.5x compared to a non-service-provider of similar size:

  • Small MSP (1–10 staff, 10–50 client networks): $3,000–$8,000 per year
  • Mid-size MSP (11–50 staff, 50–200 client networks): $8,000–$25,000 per year
  • Larger MSP (50+ staff, 200+ clients, significant revenue): $25,000–$100,000+ per year

Your premium depends on: annual revenue, number of client networks managed, whether you handle payment card data or highly regulated data, geographic scope (UK, US, both?), claims history, maturity of your security program, and controls you have in place (EDR, MFA, segmentation, SLA commitments).

What insurers want to see from MSPs

Underwriters scrutinize MSPs heavily because claims severity is high. Expect to document:

  • MFA on all RMM and PSA tools: Multi-factor authentication on every tool that provides client network access. Non-negotiable.
  • Privileged Access Management (PAM): Control and audit who has credentials to client networks. Credential vault, access logging, and regular rotation.
  • Client network segmentation: Your network and tools are segregated from client networks. If attackers breach your internal systems, they can't automatically pivot to clients.
  • Security stack on managed endpoints: EDR (Endpoint Detection and Response) on your own staff machines. Antivirus, firewall rules, and host-based intrusion detection. You must practice what you preach.
  • Incident response plan: Documented IR procedures specifically for MSP scenarios. Defined escalation, communication plan, and client notification protocol.
  • SOC 2 Type II compliance: Most underwriters will expect SOC 2 attestation showing your controls around access, data security, and availability. This may be optional for very small MSPs, but it's strongly preferred.
  • Regular penetration testing: Annual or bi-annual pen testing of your RMM platform, PSA system, and external attack surface. Results must show remediation of findings.

Client contract considerations

Your MSP agreements with clients need to align with your insurance coverage:

  • Limitation of liability clauses: Your MSP agreement probably caps your liability. Check that your insurance limits align with or exceed these caps. If you promise clients capped liability but your insurance only covers a fraction of the cap, you have a funding gap.
  • Insurance requirements: Confirm your agreement requires clients to carry their own cyber insurance. This limits your exposure if a client is breached and claims you failed to protect them—their own cyber policy covers their losses.
  • SLA commitments: What uptime or response time SLAs have you promised? If you're breached and can't meet SLAs, clients will claim damages. Ensure your BI insurance covers revenue loss from SLA breaches.
  • Indemnification clauses: If clients' customers are harmed by your breach, does the contract require clients to indemnify you, or do you indemnify clients? These terms matter for claim scenarios.
  • Compliance requirements: If clients are regulated (healthcare, finance, legal), their compliance obligations may flow through to you. Your cyber insurance should cover regulatory fines arising from client data breaches.

Next steps for MSP cyber insurance

MSP cyber insurance is specialist underwriting. You need a broker who understands RMM platforms, PSA systems, the attack surface unique to service providers, and the liability cascade when one MSP breach impacts hundreds of clients.

A broker familiar with your specific RMM stack (ConnectWise, Datto, Itarian, etc.), your compliance landscape, and your client base will architect a program combining cyber and Tech E&O that actually protects you.

Get connected with an MSP specialist broker today. They'll quantify your supply chain liability, identify the controls underwriters expect, and build a program that covers your operational and client-facing risks.

Ready to protect your MSP from supply chain liability? Get matched with a specialist broker who understands RMM platforms, client networks, and the unique risks of managed services.
