You carry both cyber liability and Tech E&O insurance. Your broker told you that’s what you need, and your broker was right. But here’s the question nobody asks until a claim gets denied: do these two policies provide the protection I need?
I review insurance policies for managed service providers (MSPs) every week, and the single most common coverage failure I see isn’t a missing policy. It’s that two policies are not aligned and refuse to talk to each other.
When a claim hits, the cyber carrier says: this claim belongs to E&O. The E&O carrier says: no, it’s a cyber event. Both carriers are technically correct in their interpretation of their insurance policies. And the MSP pays the bill.
This post explains what cyber liability and Tech E&O insurance cover, and where the boundaries between these two policies are. If you’re an MSP who manages client networks for a living, this is the most important thing to understand about your insurance.
What Each Policy Is Designed to Cover
Before we go into the details, here’s a breakdown of what each of the two policies is designed to do. (For the full deep dive on each, see my posts on cyber liability and Tech E&O exclusions.)
Cyber Liability protects you against security events, such as data breaches and ransomware attacks. It covers costs for breach response, business interruption, extortion payments, and lawsuits from parties affected by the breach. A cyber liability policy is built around the question: what happened to your systems?
Tech E&O (or long: Technology Errors & Omissions) protects you against professional service failures. You gave bad advice, a cloud migration went wrong, your monitoring missed something critical, and your client suffered financial harm. A Tech E&O policy is built around the question: what did you do (or fail to do) for a client?
For a typical business, these two policies cover distinct risks with clean boundaries. However, for a managed service provider, these boundaries break down. Because your professional service IS managing technology. Your “error” IS a security failure. For an MSP, your work and your network are the same thing.
The Three Zones
Here’s how coverage works for an MSP. Every claim you could face falls into one of three zones.
E&O says "it's a cyber claim."
Neither pays.
The left and right zones are where your policies work as intended. A pure cyber event triggers cyber liability. A pure professional failure triggers Tech E&O. Straightforward.
MSPs live in the orange middle zone, in the Danger Zone. And that’s where coverage often breaks down.
Why the Danger Zone Exists
The danger zone isn’t a bug in insurance. It’s a structural problem with how policies are written.
Your cyber liability policy contains a “professional services” exclusion:
If the claim arises from your professional services, advice, or technology work product, it doesn’t belong here. Go file it under E&O.
Your Tech E&O policy contains a “cyber event” exclusion:
If the claim involves a network security failure, unauthorized access, or data breach, it doesn’t belong here. Go file it under cyber.
When a claim involves both policies, like most MSP claims do, you’re caught between two policies that each say the other one should pay. This is what I call the Front Door Problem.
How this plays out in practice
You manage 30 client networks through a remote monitoring tool.
A critical patch doesn't get applied for two weeks. An attacker exploits the vulnerability and deploys ransomware across most of your client environments.
Cyber carrier: "Failure to maintain your professional tools. That's E&O."
E&O carrier: "Damage caused by a cyberattack. That's cyber."
Both are technically right. You're stuck.
Your team sets up a firewall for a healthcare client. A rule gets misconfigured, leaving a port exposed. Three months later, an attacker exfiltrates patient records through that port.
E&O claim? Professional error. Cyber claim? Unauthorized access and data breach. The answer is both, and that's the problem.
You run a vulnerability assessment for a client. The scan triggers an unexpected cascade that takes down their production database for 24 hours.
No attacker involved. No breach. But the client lost revenue. Your cyber policy says no security event. Your E&O policy says the scan is a "cyber-related activity." Neither wants it.
How You Can Close the Gap
There are two ways to fix this, in order of effectiveness.
Option 1: Combined policy from one carrier.
Several carriers now write combined Tech E&O + Cyber policies designed specifically for technology companies and MSPs. When both coverages live in the same policy, there’s no finger-pointing. The carrier can’t argue with itself about which coverage applies. This is the cleanest fix.
Option 2: Coordinated policies with explicit overlap language.
If you carry separate cyber and E&O policies, make sure both policies explicitly address the overlap. Look for language like “failure to render professional services resulting in a network security event” in your cyber policy, and make sure your E&O doesn’t blanket-exclude “cyber events.” The two policies need to acknowledge that MSP claims will straddle both, and define who responds when they do.
What doesn’t work: carrying separate policies from different carriers and hoping it sorts itself out at claim time. It won’t.
Three Things to Check Right Now
My Risk Intelligence Report reviews your insurance policies in detail and flags exactly where the coverage gaps are. If you have questions about your insurance, get in touch with me.