Your Contract Requires a $5M Limit. Your Policy Has $2M.

You're closing an enterprise deal. Procurement sends the master services agreement (MSA). Buried in the insurance requirements section: $5M cyber liability, $5M Tech E&O, additional insured endorsement, waiver of subrogation, primary and non-contributory language. Your policy has $2M limits and none of those endorsements. The deal stalls. Or dies.

The Problem

Enterprise contracts include insurance requirements. These aren't suggestions. They're conditions you must meet before work starts. Procurement teams audit certificates of insurance against the contract language, and they're getting more specific every year.

The typical MSP carries $1M-$2M in combined limits. That worked when your clients were 50-person companies with basic IT needs. It doesn't work when you're trying to close a deal with a company that has a legal team and a risk management department.

The gap isn't just about limits. Contracts require specific policy features that many MSP policies don't include:

  • Additional insured status for the client
  • Waiver of subrogation (prevents your carrier from suing the client)
  • Primary and non-contributory language (your policy pays first)
  • Standalone cyber coverage (not combined with Tech E&O)
  • Specific deductible caps (your $50K deductible may exceed their threshold)
  • 30-day cancellation notice to the certificate holder

Missing any one of these can block the deal or put you in breach of the contract the day you sign it.

Where This Gap Hides in Policy Language

The indemnification trap. Most MSAs include an indemnification clause. You agree to "indemnify, defend, and hold harmless" the client from claims arising from your services. That sounds reasonable. But your Tech E&O policy may have a contractual liability exclusion. Without the contract, a court would only hold you liable for your actual negligence. If the MSA makes a broader promise than that, you have assumed liability by contract that goes beyond what you'd owe under negligence law alone, and the policy won't cover it.

So you sign a contract promising to cover the client's losses. Then you file a claim. Your carrier says: you agreed to accept that liability by contract. We exclude contractual liability. Claim denied.

I call this the "MSA Mirage." The MSP thinks insurance backs the indemnification clause. It doesn't.

The certificate gap. Your broker issues a certificate of insurance (COI) that says you have a $2M limit. The contract requires $5M. The COI satisfies nobody. Worse, if the COI language doesn't exactly match what the contract requires (specific additional insured wording, primary and non-contributory endorsement), the client's risk team will reject it.

Some MSPs pressure their broker to issue a COI that says things the policy doesn't provide. This creates a separate E&O exposure for the broker, and it doesn't give you coverage. A COI only describes the coverage that already exists in your policy. It doesn't create coverage that isn't there.

Standalone cyber requirements. More enterprise contracts now require standalone cyber coverage, separate from your Tech E&O. Why? Because if you have combined limits and a large E&O claim exhausts the aggregate, there's nothing left for a cyber event. The client wants to know your cyber coverage can't be consumed by an unrelated professional liability claim.

Real-World Impact

Scenario 1: Deal dies in procurement

You've been working a large enterprise prospect for three months. Technical evaluation passed. Pricing agreed. Procurement sends the contract with insurance requirements: $5M cyber, $5M Tech E&O, additional insured, waiver of subrogation. Your policy has $2M combined limits and no endorsements. Your broker says increasing limits will take 2-3 weeks and cost $15K-$25K more annually. The prospect's timeline is 10 days. Deal dies.

Scenario 2: Breach of contract from day one

You sign a contract requiring $3M standalone cyber coverage and 30-day cancellation notice to the client. Your policy has $2M combined and no cancellation notice requirement. You're technically in breach of contract from the moment you sign. If a claim happens and the client discovers the mismatch, they have both a negligence claim and a breach of contract claim. Your contractual liability exclusion may block coverage for the breach of contract piece.

Scenario 3: Indemnification exceeds coverage

Your contract includes broad indemnification: you agree to cover "any and all claims, damages, and expenses" arising from your services. Your client suffers a $3M breach they attribute to your negligence. You file a claim. Your Tech E&O carrier reviews the indemnification clause and invokes the contractual liability exclusion. You assumed unlimited liability by contract. The policy excludes liability assumed under contract beyond what the law would impose. Your $2M policy may not respond at all.

How to Fix This

1. Read the insurance section of every contract before you sign. Don't leave this to your broker after the fact. Understand what's required so you can negotiate or plan.

2. Compare the insurance requirements in the contract to your current coverage. Make a simple checklist: required limits vs. actual limits, required endorsements vs. what you have, standalone vs. combined.

3. Check your contractual liability exclusion in your Tech E&O policy. Does it exclude "liability assumed under contract"? If yes, your indemnification clauses may not be insured. Ask your broker whether a contractual liability carve-back endorsement is available.

4. Plan for limit increases before you need them. Increasing limits takes time. If you're pursuing enterprise clients, get insurance quotes for higher limits now. Having a $5M option ready is better than scrambling during a procurement deadline.

5. Negotiate insurance requirements in the contract. Not every requirement is non-negotiable. Some clients will accept $3M instead of $5M, or combined instead of standalone, if you explain your coverage structure. You need to know what you have before you can negotiate.

6. Review your COI process. Make sure your broker issues certificates of insurance that accurately reflect your actual coverage. Don't ask for a COI that overstates what the policy provides. That creates more problems than it solves.
