2025Q1 Tech E&O Guide for MSPs

This guidance was put together by one of our owners who also still has ownership in an MSP and is in the middle of renewing that MSP’s insurance.

TL;DR - Cheat Sheet

  • Your agent should present multiple quotes if possible. Sometimes you can only get one quote, in which case the agent should tell you which carriers declined. Tech E&O for MSPs is still one of the most turbulent areas of insurance, so it is not unusual to switch carriers annually. On a recent quote for a $4mm/yr MSP we saw pricing of $7k, $9k, $14k and $22k, all for similar coverage.

  • Would you ever file a claim for $20k? If not, then raise your retention (deductible) to $25k or even $50k. That is the level where you start seeing substantial discounts on pricing, oftentimes 10%+.

  • Make sure your policy covers first party cyber, third party cyber, and services (often written as Tech E&O or Professional liability).

  • If crime / financial coverages (fraud, invoice manipulation, etc.) are important to your MSP, $250k is probably not enough, and it adds substantial cost to your policy. Instead, get a Tech E&O policy without those coverages and add a standalone crime policy. The crime policy can go above $250k and covers more, such as employee theft.

  • The traditional MSP-industry-focused policies have gone up significantly in price. For the last few years, if you qualified for one of these MSP-only Tech E&O policies, it was significantly cheaper and still had better coverage 99% of the time. This is no longer the case as of 2024Q4, and we are seeing the normal cyber carriers such as CFC and At-Bay start to offer better options.

========================

Full Guide

It has been a rough couple of years for MSPs trying to insure themselves. Rates have skyrocketed while coverage options have been reduced. Luckily, this year we are seeing multiple new carriers willing to insure MSPs, rates are staying flat in many cases, and better coverage is becoming available. What should you watch out for?

An MSP needs Tech E&O Coverage, not just cyber.

A proper Tech E&O covers three things:

  • First party cyber: direct damage to your MSP

    • Most policies will offer $250k of financial coverages for fraud, invoice manipulation, phishing and similar claims.

  • Third party cyber: damage to other businesses via your MSP

  • Services coverage - the Errors & Omissions part: damage to other businesses due to (or due to failure of) services provided by your MSP

Common problems with Tech E&O policies:

  • Lack of first or third party cyber coverage. A ransomware attack directly on your MSP would not be covered. This is the biggest mistake we see, and frequently the reason for an MSP having such a cheap policy.

  • A cyber only policy that does not cover your services.

  • Business interruption being limited to malicious acts only, which would exclude “system interruption” such as the CrowdStrike incident.

  • Sublimits on key aspects of coverage. One common example is dependent business interruption loss. Dependent means services provided by a third party. Using a hosted RMM solution? Azure/AWS? Hosting in a datacenter? All of those could result in this sublimit being used, and suddenly your shiny insurance policy is worth substantially less.

  • Bodily injury and property damage are usually limited or not covered at all. If your MSP performs lots of physical work such as structured/low voltage cabling, camera installations, or other similar tasks, you likely want a secondary policy for that type of work.

How do you get the best coverage for your MSP?

  • Start your renewal process early. If your agent is not reaching out 60 days in advance, reach out to them (or find a new agent!). Tech E&O takes much longer to work on than other types of commercial insurance. If you are submitting your application the week before renewal, you will likely not get the best rate or coverage.

  • Ask your agent to present multiple options (even if some carriers decline to offer a policy). While regular cyber insurance policies are starting to converge on price, Tech E&O is still experiencing drastic price differences. Beltex recently quoted multiple options for a $2mm/year MSP and was able to provide quotes for $3300, $3700, and $5130 vs their existing quote from a big name carrier for …$16k.

  • Data centers/“private cloud” and in-house SOC are the highest risks perceived by insurance carriers. If you are able to eliminate or minimize those offerings, your rates will likely go down and coverage options go up.

  • The insurance industry is calling 2024 “The year of MDR” even though as MSPs we have been using it for years… but if you are not, now is the time to add it. All your endpoints should be covered, not just servers. Do not forget to protect identity as well (M365, Google, etc.).

  • Financial controls are important. Make sure you have robust policies around changes to invoicing accounts, wire transfers, etc. that are documented in writing.

  • You’re always using a written contract, right? Your contracts (MSA) should:

    • Not have any significantly large customers (such as 25%+ of your total revenue with one customer).

    • Always have a limitation of liability. Many MSPs will use 3 to 12 months of previous payments or 3-12x MRR.

    • Mandate cybersecurity controls such as MFA and backups, and have further consequences for customers who do not implement them.

    • Struggling with contracts? Two of the best lawyers in the MSP industry are Brad Gross and Eric Tilds. We highly recommend engaging someone to help write and maintain your contracts on an annual basis.

How much coverage do I need?

The easy answer is “as much as you can afford.” Being more realistic, there are two schools of thought:

  • If all your customers were breached in a Kaseya-style attack, what would your total liability be based on your contracts? This approach tends to be very expensive, and is a real-world but extreme worst case.

  • If an event such as systemic/massive backup failures impacted multiple customers at once, what would the financial impact be from your top 10-20% of customers?

  • Only the smallest MSPs are sufficiently covered by $1mm.
