Your Cyber Policy Covers Your Network. You Operate Inside Dozens of Networks.
MSPs don't work like normal businesses. You have admin credentials to 20, 50, sometimes 100 client environments. Your cyber policy was designed for companies that protect one network: their own.
The Problem
A standard cyber liability policy covers breaches of your network and your data. That makes sense for a law firm or a retailer. It doesn't make sense for an MSP.
You have privileged access to client systems. You push patches, manage endpoints, control backups, and hold the keys to their entire infrastructure. When something goes wrong in a client environment, the lawsuits come to you.
The problem splits two ways:
The boundary problem. Your cyber policy covers first-party losses (your systems, your data) and third-party liability from breaches of your environment. But the breach happened in a client's environment, using your credentials. Your carrier says: that's not your network. That's their network. File against their policy.
The Front Door Problem. You carry both Cyber and Tech E&O. An incident happens: attacker compromises your RMM tool and uses it to deploy ransomware across three client networks. You file a claim.
- Your cyber carrier says: "This is a failure of your professional services. That's an E&O claim, not a cyber claim."
- Your E&O carrier says: "This was a cyber attack. That's a cyber claim, not an E&O claim."
Both carriers point fingers at each other. Neither pays. This is the most common coverage collision I see.
Where This Gap Hides in Policy Language
In the cyber policy: Look at the "Insured Network" or "Computer System" definition. It typically says something like:
"Operated by the Insured" might cover client networks you manage. Or it might not. Carriers interpret this differently at claim time. If the definition says "owned or leased," client networks are clearly excluded.
In the E&O policy: Check whether "Technology Services" or "Professional Services" includes remote management and monitoring. If you're denied on the cyber side, you need E&O to pick it up. But E&O policies often exclude claims "arising from a cyber event" or "network security failure." That's the Front Door Problem: each policy has an exclusion that points to the other.
Aggregate limits: Even if one policy responds, check whether your aggregate limit can handle a multi-client event. A $2M aggregate looks adequate until one breach affects 15 client environments. Each client files a claim. $2M is the total pool. Once it's exhausted, the carrier's duty to defend often ends. You pay the rest.
Real-World Impact
Scenario 1: RMM compromise
An attacker gains access to your RMM platform through a compromised technician credential. They deploy ransomware to 8 client networks in a single weekend. Each client suffers $100K-$500K in damages. Total exposure: $2M+. Your cyber carrier says the breaches happened on client networks, not yours. Your E&O carrier says this was a cyber attack, not a professional services error. You're stuck between two denial letters while 8 clients demand answers.
Scenario 2: Credential misuse
A former employee's VPN credentials weren't revoked. Someone uses them to access a client's financial system and initiates a fraudulent wire transfer. The client loses $180K and sues you. Your cyber policy covers breaches of your network. The breach was of the client's financial system, accessed through your credentials. Your carrier argues this falls outside the insured network definition.
Scenario 3: Multi-tenant data breach
A vulnerability in your PSA platform exposes client data across your entire book of business. 30 clients are affected. Notification costs alone run $300K. Your $2M aggregate limit covers forensics and notification for the first wave. By client 15, the aggregate is exhausted. The remaining 15 clients have no coverage from your policy. Their lawsuits come directly to you.
How to Fix This
1. Check the "Computer System" or "Insured Network" definition in your cyber policy. Does it include systems you manage for others, or only systems you own? The phrase "operated by the Insured" is better than "owned or leased by the Insured." Best case: the policy explicitly covers "managed client systems."
2. Look for the Front Door Problem. Read your cyber policy's exclusions for anything mentioning "professional services" or "technology services errors." Then read your Tech E&O exclusions for anything mentioning "cyber event," "network security failure," or "data breach." If both policies exclude the other's territory, you have a gap.
3. Check the aggregate limit in both your cyber and Tech E&O policies against your client count. Divide each aggregate by the number of clients you manage. That's your per-client coverage in a multi-tenant event. If the math doesn't work, you need higher limits or a different policy structure.
4. Ask about "shared limits" vs. "stacking." Some carriers pay only the highest single limit when multiple coverages are triggered (so $1M Cyber + $1M E&O = $1M payout, not $2M). Others allow limits to stack. This matters when a single event crosses both policies.
5. Consider excess coverage. If your client count or contract requirements demand more coverage than your current aggregate provides, an umbrella or excess policy sitting above both Cyber and E&O can close the gap.
Want to Check Whether Your Policies Have This Gap?
I can review your cyber and Tech E&O policies side by side and tell you whether the boundary problem or the Front Door Problem applies to you. No commitment required.
Get in Touch →