What insurance policies does my Managed (Security) Services Provider need?
A recent Reddit post on r/msp asked this question. This is generalized advice for MSPs under $10mm/year revenue. Your situation may be different; consult a licensed insurance agent for recommendations specific to your MS(S)P.
General liability (GL) is a great starting point. It is often required to meet regulations or customer requirements. This covers bodily injury (e.g. slips and falls) and property damage, but not your services delivered. It is typically a cheaper policy, most often $1k/year for $2mm coverage. If you are providing other services such as low voltage/structured cabling, this is a much more expensive and complex conversation. GL is very standard and there are typically no major savings from switching between carriers. These policies are almost all admitted.
A business owners policy (BOP) will include general liability and add some combination of non-owned auto, business property (i.e. your equipment) and other coverage (that you may never need, such as fine art!). This is usually what an MSP will want instead of plain general liability. As with GL, it is very standardized when it comes to pricing and coverage.
Workers Compensation (WC) is mandatory in every state except Texas. This covers employee injury. For MSPs that are mostly remote, this is not an expensive policy. The more on-sites, the more expensive it becomes. This is yet another policy that is standard on pricing and coverage.
If your MSP has multiple owners or investors, Directors and Officers (D&O) helps protect the business if there is a dispute.
Employers Liability (ELI or EPLI) covers HR situations such as harassment, wrongful termination accusations, and other headaches. (Consider a PEO; you can often offload liability and get better benefits this way.)
Cyber insurance covers first-party claims (i.e. damage to your business) and third-party claims (damage to others, such as a phish coming from your compromised account, or breached HR records). It does not cover your MS(S)P services delivered to your customers.
The most important policy for your MSP
Tech errors and omissions (Tech E&O) covers your services delivered and is the most important coverage for an MSP. A good Tech E&O policy will cover the traditional cyber insurance part as well, but some carriers like USLI and Hartford offer services coverage only. In that case, if, for example, your email was compromised and used to attack someone else, it would not be covered. Generally, for a full (services + cyber) policy, we are seeing a floor of $4000 right now in early 2025, even for small MSPs (talking <$500k/yr revenue). Ideally get a full policy, but if you have to choose, at least get your services covered, since that is where most claims happen. You probably are doing a great job protecting your own house.
How is insurance priced?
The majority of pricing is based on three factors:
Annual revenue (most important)
State (adjusts the rate due to penalties and requirements on the state level)
Industry
Tech E&O also has two specific situations that make your rates skyrocket in many cases:
In-house SOC
Hosting services
Both of these add substantial risk and liability, and result in expensive claims. Avoid them unless you absolutely have to; we have seen rates cost 2-3x as much for those MSPs.