Phase 06: Protect

MSP Cyber Liability and Tech E&O Insurance: Coverage, Costs, and Providers

9 min read·Updated April 2026

Insurance is not optional for IT consulting and MSP businesses — it is the financial backstop that keeps a single client incident from destroying your company. A ransomware attack at a client site where you manage the backup, a data breach involving client-stored employee records, or an SLA failure that results in business interruption losses can all generate claims that exceed your annual revenue. This guide covers the specific insurance types MSPs need, real coverage amounts and annual costs from leading providers, and the contractual requirements that make adequate coverage essential.

READY TO TAKE ACTION?

Use the free LaunchAdvisor checklist to track every step in this guide.

Open Free Checklist →

Why MSPs Have Elevated Insurance Needs

Most small businesses need general liability and property insurance. IT consulting firms and MSPs need those plus several layers of technology-specific coverage, because the nature of your work creates unique liability exposures: you have privileged access to client systems (meaning you are liable if that access is compromised); your service failures can directly cause client data loss or business interruption; clients' MSA limitation of liability clauses cap their contractual remedies but do not prevent third-party claims; and you are a prime target for supply chain attacks — threat actors compromise MSP tools to gain access to all MSP clients simultaneously (a documented attack vector used in the Kaseya and SolarWinds incidents). Your insurance portfolio must address each of these exposures, and the combination of policies typically costs $2,000–$5,000/year for a new MSP — a cost that should be embedded in your pricing model.

Cyber Liability Insurance: First-Party and Third-Party Coverage

Cyber liability insurance covers losses arising from data breaches, ransomware attacks, and cyber extortion — both losses you suffer directly (first-party) and losses you cause to clients (third-party). First-party cyber coverage pays for: incident response costs (forensic investigators, breach coaches, legal counsel), notification costs when client data is breached (legally required in all 50 states), credit monitoring for affected individuals, ransomware ransom payments (controversial but often covered), and business interruption losses during recovery. Third-party cyber coverage pays for: client claims that your security failure caused their data breach, regulatory fines and penalties from data protection authorities, and defense costs for lawsuits alleging your MSP's negligence enabled a client attack. Policy limits for new MSPs: $1M per occurrence is the minimum; $2M–$5M is recommended if you manage more than 5 clients or handle regulated data (HIPAA, PCI-DSS). Annual premiums for a new MSP with $500,000 revenue and $2M cyber limit: $800–$3,000/year depending on security controls in place.

Tech E&O Insurance: Your Professional Liability Coverage

Technology Errors and Omissions (Tech E&O) insurance covers claims arising from mistakes, omissions, or failures in your professional IT services — distinct from data security incidents. Tech E&O pays for: a client suing you because a server migration you performed caused application downtime and business losses, claims that you failed to implement the security controls specified in your MSA, disputes over whether your SLA response was adequate during a critical outage, and professional negligence claims from improper advice (recommending a product that failed). Tech E&O and cyber liability are often bundled by insurers, but confirm that your policy clearly covers both categories separately — some bundled products provide inadequate limits for one or the other. Annual premiums for tech E&O for a new MSP: $500–$1,500/year for $1M limit, $1,200–$2,500/year for $2M limit.

Leading Cyber Insurance Providers for MSPs

Coalition Insurance is one of the most MSP-friendly cyber liability providers in the market. Coalition provides active monitoring as part of the insurance relationship — they scan your public attack surface and notify you of vulnerabilities before they become claims. This active risk management approach has made Coalition popular with security-focused MSPs. Premiums for small MSPs typically range from $800–$2,500/year for $1M–$2M limits. Corvus Insurance uses an AI-based underwriting model and provides a complementary cybersecurity scan of your business during application. Corvus policies are well-regarded for broad coverage definitions and responsive claims handling. Cowbell Cyber specializes in small and mid-sized businesses and offers flexible coverage with standalone cyber policies starting at $400–$600/year for minimal coverage, scaling to $1,500–$4,000/year for comprehensive MSP coverage. Embroker is a digital insurance brokerage that provides access to multiple cyber carriers simultaneously, making it useful for comparing quotes efficiently. All of these providers require detailed security control questionnaires — your answers directly affect pricing.

Security Controls That Lower Your Premiums

Cyber insurance underwriters now require — and reward — specific security controls with lower premiums. The controls most commonly asked about and most impactful to pricing: Multi-factor authentication (MFA) enabled for all email, remote access, and administrative accounts (required by most insurers — a policy can be voided if MFA is not in place and you suffer a breach). Endpoint Detection and Response (EDR) deployed on all managed endpoints (SentinelOne or similar — basic antivirus is no longer considered adequate). Privileged Access Management (PAM) — separate administrator accounts from daily use accounts, with MFA on admin accounts. Backup verification — documented monthly testing of backup restores with recovery time objectives defined. Patch management — automated patching with documented cadence (weekly for critical patches). Security awareness training for all employees — documented phishing simulation results. Insurers like Coalition provide a premium discount of 15–30% for MSPs that document all of these controls — worth thousands of dollars annually at scale.

MFA and SOC 2 Readiness for Your Own MSP Business

Beyond client-facing services, your own MSP business must implement the security controls you recommend to clients — insurers will ask, and enterprise clients will audit your posture before signing contracts. Essential internal controls: MFA on all employee email accounts (Microsoft 365 with conditional access policies), MFA on your RMM platform (NinjaRMM admin console), MFA on your PSA (ConnectWise Manage), unique strong passwords for all client system admin accounts stored in your IT Glue password vault (never shared or reused), separate technician accounts and admin accounts (principle of least privilege), and documented offboarding process for departing employees (credential revocation within 2 hours). SOC 2 Type II certification — an independent audit of your security controls performed by a licensed CPA firm — is increasingly requested by enterprise and mid-market clients as a vendor qualification requirement. SOC 2 readiness typically takes 6–18 months and costs $15,000–$50,000 for a small MSP, but the ability to produce a SOC 2 report is often the difference between winning and losing a $10,000+/month contract.

Insurance Requirements in Client Contracts

Many clients — particularly larger SMBs, healthcare organizations, and businesses with legal or compliance teams — will ask for proof of insurance (certificate of insurance, or COI) before signing a managed services agreement. Prepare your COI for distribution before your first client meeting. Standard client contract insurance requirements you should be ready to meet: general liability $1M per occurrence/$2M aggregate, cyber liability $1M–$2M per occurrence, tech E&O $1M per occurrence. Some enterprise clients require being named as an Additional Insured on your general liability policy — your insurer can endorse this for a small fee ($25–$50 per endorsement). Increasingly, sophisticated clients require evidence of your own SOC 2 compliance or completed security questionnaires (SIG Lite or CAIQ format). Build a security questionnaire response document proactively — it will be requested multiple times per year as you scale.

RECOMMENDED TOOLS

Coalition Insurance

Cyber liability insurance with active attack surface monitoring — MSP-friendly underwriting and competitive premiums for IT consulting firms

Top Pick

Embroker

Digital insurance brokerage for tech companies — compare cyber liability and tech E&O quotes from multiple carriers in one place

Some links above are affiliate links. We may earn a commission if you sign up — at no extra cost to you.

FREQUENTLY ASKED QUESTIONS

Do I need cyber liability insurance before I sign my first client?

Yes. Your MSA exposes you to liability from day one of your first managed services engagement. Purchase cyber liability and tech E&O coverage before you begin accessing any client systems. Most policies can be bound within 24–48 hours of application completion. Budget $1,500–$3,000 for your first year's combined cyber and E&O coverage and include this cost in your startup expense planning.

What happens if I don't have MFA enabled and I suffer a breach?

Increasingly, cyber insurance policies include a provision allowing the insurer to deny claims if basic security controls were not in place at the time of the incident — and lack of MFA on email and remote access systems is specifically cited in most policies as a condition of coverage. In a contested claim scenario, if you cannot demonstrate MFA was enabled on the compromised accounts, your insurer may deny the claim or seek to void the policy. Enable MFA on all systems before day one.

How much cyber liability coverage does a new MSP actually need?

Start with $1M per occurrence as a minimum, with a $2M aggregate. If you manage more than 10 clients, handle HIPAA-regulated data, or process any payment card data for clients, increase to $2M per occurrence. The cost difference between $1M and $2M limits is typically $400–$800/year — a small premium for significantly greater protection. As your revenue grows above $1M ARR, revisit coverage limits annually and consider umbrella policies.

Apply This in Your Checklist

Phase 8.1Get business insurancePhase 8.2Create your contracts and service agreements