Your MSP Grew. Did Your Insurance?

Your managed service provider (MSP) looked different two years ago. Maybe you were a break-fix shop that added managed security services. Maybe you acquired a smaller firm and inherited their client contracts. Maybe you landed your first enterprise deal and signed an MSA with indemnification language you’d never seen before. Your insurance policy doesn’t know any of that happened.

Whether you grew organically or through acquisition, the pattern is the same. Policies are underwritten based on the information you provided in the application at the time. Revenue, headcount, services offered, client types. If those change and your insurance policy doesn’t, you’re carrying coverage designed for a business that no longer exists.

New services, same policy definition

This is the most common mismatch I find. An MSP starts offering security assessments, vCISO services, or managed detection and response. The Tech E&O policy still defines “professional services” based on what was listed on the original application: IT consulting, network administration, help desk support.

If a claim comes from a service that isn’t in your policy’s definition of covered services, the carrier can argue it falls outside your coverage. It doesn’t matter that you’ve been providing the service for a year.

The fix is straightforward: review your policy’s professional services definition against your current service catalog. If there’s a mismatch, request an endorsement that explicitly names the new services. This matters most for security services: make sure penetration testing, vulnerability assessments, incident response, and managed security are all listed. These are the services most likely to generate claims and least likely to appear in a standard Tech E&O definition.

Bigger contracts, bigger promises

Growth usually means bigger clients with more sophisticated contracts. Enterprise MSAs include indemnification clauses, minimum coverage requirements, and sometimes a requirement that the client be listed as an Additional Insured on your Tech E&O policy.

Here’s where the coverage breaks down:

The indemnification promise. Your MSA says you'll indemnify the client for losses caused by your services. Your policy includes a contractual liability exclusion that says the carrier won't pay for obligations you assumed under a contract. You signed the MSA thinking your insurance backs the promise. It doesn't.

The coverage minimums. The MSA requires $5M in Tech E&O coverage. You carry $2M. That's a breach of contract on day one, and most MSPs don't catch it until renewal.

The Additional Insured request. The client's legal team requires Additional Insured status on your Tech E&O. Most Tech E&O policies don't offer it, or the endorsement is so narrow it doesn't work the way the client expects. The client thinks they're protected. You think you've checked the box. Neither is true.

Every new enterprise contract should trigger a quick check against your current coverage. Match the MSA’s insurance requirements against what your policy provides. If there’s a disconnect, you need to know before you sign, not after a claim.

More clients, same aggregate limit

An MSP with 15 clients and a $2M aggregate limit has a different risk profile than the same MSP with 40 clients and the same $2M aggregate.

Aggregate limits are shared across all claims in a policy period. One breach that hits multiple client environments can eat the entire aggregate in a single incident. If a second claim comes in, there’s nothing left.

The math is simple. If your client count has doubled but your aggregate limit hasn't moved, your per-client coverage has effectively been cut in half. Growth without a corresponding limit increase is a shortfall that doesn't show up until you need it most.

The question to ask: does my aggregate limit still make sense for the number of clients and the size of contracts I’m managing today?

Acquisitions bring inherited risk

Acquiring another MSP is the fastest way to grow and the fastest way to inherit blind spots you didn’t know existed.

The acquired firm’s client contracts are now your contracts. Their indemnification obligations are now your obligations. Their clients expect continuity of coverage.

But your policy was underwritten for your firm, not the combined entity. The acquired firm’s services may not be in your professional services definition. Their client contracts may require coverage terms your policy doesn’t include. And if there’s a claim from pre-acquisition work, your policy may not cover it. Prior acts coverage has specific start dates, and an acquisition can create a gap if they don’t align.

Before you close the deal, ask these questions:

  1. Does your Tech E&O policy’s professional services definition cover the acquired firm’s full service catalog?
  2. Do the acquired firm’s client contracts require coverage terms (limits, Additional Insured, specific endorsements) that your policy doesn’t currently include?
  3. Is there prior acts coverage that extends back to the acquired firm’s work before the acquisition date?
  4. Has your aggregate limit been adjusted for the combined client count?

If you can't answer all four questions, the acquisition likely created gaps in your insurance coverage.

The growth audit

These gaps are predictable: your business evolves while your insurance stays static. The problem is that most MSPs only review their coverage at renewal, and even then the review is usually “same limits, same terms, how much?”

Has your MSP gone through any of these changes?

  - Added new service lines (security services, compliance, cloud management)
  - Signed enterprise contracts with indemnification requirements
  - Acquired another firm or merged operations
  - Doubled (or more) your client count
  - Moved into regulated verticals (healthcare, finance, government)

Pull out your policy and check: does the professional services definition match what you do today? Does your aggregate limit reflect your current client count and contract sizes? Are your MSA obligations backed by actual coverage terms? If any of these three don’t line up, you’re sitting on significant exposure that growth created and your renewal didn’t catch.

If reading your own policy feels like translating a foreign language, that’s not a personal failing. These documents aren’t written to be readable. That’s where having someone who reads these for a living can help. My Risk Intelligence Report covers all of this and more. Or just get in touch.