Your Policy Covers "IT Consulting" — You Do Security Services
The most common coverage gap I see in MSP policies: the professional services definition doesn't match the services you actually deliver.
The Problem
Your Tech E&O policy has a "Professional Services" definition. It's usually on the declarations page or in a schedule. It describes the work your policy covers.
For most managed service providers, it says something like "information technology consulting services" or "computer consulting and support." That definition was written for break-fix IT shops in 2010.
If you do any of the following, your policy may not cover it:
- Managed security services
- Penetration testing or vulnerability assessments
- Incident response
- Cloud migrations
- vCISO or security advisory work
- Compliance assessments
The carrier doesn't need to prove you did something wrong. They just need to show the service wasn't listed. If it's not in the definition, they argue it's not covered.
Where This Gap Hides in Policy Language
Look at your Tech E&O declarations page. Find the definition for "Professional Services" or "Covered Services". It's usually one paragraph.
Here's what a typical definition looks like:
Notice what's missing: no mention of security testing, incident response, managed detection, or cloud services.
Some policies add:
This ties coverage to whatever you wrote on the original application. If you added pen testing after you applied, it may not be covered even if you told your broker.
The pen testing gap is particularly dangerous. Pen testing is intentional by design: you're deliberately trying to break into systems. Most policies have an "intentional acts" exclusion. Without a specific carve-out for "authorized security testing," the carrier can argue your pen test is an excluded intentional act. You authorized the test. The damage was intentional. Claim denied.
Real-World Impact
Scenario 1: Managed security failure
You manage EDR for a client. An attacker bypasses the tool and encrypts their network. Client sues you for negligence. Your carrier reviews the claim, checks the professional services definition in your Tech E&O policy, and finds "IT consulting and network support." No mention of managed security or EDR management. They deny the claim. You're covering legal defense out of pocket.
Scenario 2: Pen test goes wrong
Your team runs an authorized pen test on a client's production environment. Something breaks. Client's e-commerce platform goes down for 24 hours. They claim $200K in lost revenue. Your carrier invokes the intentional acts exclusion: you intentionally attempted to compromise the system. Without a pen testing carve-out, they deny coverage.
Scenario 3: Cloud migration failure
You migrate a client from on-prem Exchange to Microsoft 365. Data loss during migration wipes three months of email archives. Client sues you. Your policy covers "network installation and technical support." But cloud migration isn't network installation. Carrier disputes the claim.
How to Fix This
1. Pull your Tech E&O policy and go to the declarations page. Find the Professional Services definition. Read it word for word. Does it describe what you do today, not what you did when you first applied?
2. Compare the Professional Services definition to your service catalog. List every service you sell. Check each one against the definition. If it's not there, it's a gap.
3. Ask about pen testing specifically. If you do any security testing, check for an intentional acts carve-out. The phrase you are looking for: "authorized security testing" or "penetration testing performed with written client consent."
4. Update the definition, if needed. Your broker can request an endorsement from your carrier to expand the professional services definition. This is usually straightforward and sometimes costs nothing. The key is asking before you need it.
5. Review after adding new services. Every time you add a service line, e.g., vCISO, compliance, IR retainers, check whether your policy definition covers it. Don't assume your broker updated it.
Not Sure What Your Policy Covers?
I can review your professional services definition against the work you do and tell you where the gaps are. No commitment required.