Your Tech E&O Policy Probably Excludes the Services You Actually Provide

If you’re an MSP, there’s a good chance your Tech Errors & Omissions (E&O) insurance doesn’t actually cover some of your core revenue-generating services. I’ve seen it happen countless times: a claim gets filed, the insured reaches for their E&O policy, and discovers, too late, that penetration testing, vulnerability assessments, or managed security services are explicitly excluded.

This isn’t a state-specific quirk. Whether you’re in California, Texas, or New York, the same standard Tech E&O exclusions show up in policies across the country.

This isn’t an accident. It’s by design.

In my previous articles, I explained why MSPs need specialized insurance and identified 5 common coverage gaps. This article digs deeper into the specific policy language that creates these gaps.

The Problem: Technology E&O Policies Were Built for “Builders,” Not “Breakers”

Traditional Technology E&O policies were designed for software developers, IT consultants, and system integrators: the “Builders.” When these policies were written, “cybersecurity services” as we know them today barely existed. The coverage was meant for companies that implemented networks, wrote code, or provided general IT consulting.

Fast forward to today: many insurers still issue those legacy policy forms with little change. While you’re triaging CVEs and hunting for zero-days, your policy wording is stuck in 2005. That mismatch creates dangerous coverage gaps for modern cybersecurity businesses.

Tech E&O Policy Exclusions That Kill Coverage

Here are the most common exclusions I find when reviewing Tech E&O policies for MSPs:

1. Security Services Exclusions

Many policies contain broad language excluding claims arising from “security services,” “security consulting,” or “security assessments.” Some carriers use language like:

“This policy does not cover claims arising from or related to penetration testing, vulnerability scanning, security audits, or security assessments of any kind.”

The irony? That’s precisely what you do for a living. If your SOW includes these terms but your policy excludes them, you are effectively self-insuring your primary book of business.

2. Intentional Acts Exclusions

This is where it gets technical. Penetration testing involves intentionally probing, and often exploiting, systems for vulnerabilities. Standard policies exclude coverage for “intentional acts.”

I’ve seen claims denied because the insurer argued that finding and exploiting a vulnerability, even when authorized by the client’s Rules of Engagement, was an “intentional act.” The distinction that matters is intent to perform a contracted service versus intent to cause harm, and a generic exclusion doesn’t draw that line for you. Without specific language that recognizes professional “ethical hacking,” you’re relying on an adjuster’s interpretation. Keep the signed authorization and Rules of Engagement with each engagement file; they are your evidence that the exploitation was the service the client bought.

3. The “Cyber Event” Gap

Increasingly, Tech E&O policies include “cyber event” exclusions to push claims toward standalone Cyber Liability policies.

The scenario: your vulnerability scan crashes a client’s production server (an aggressive scan against a fragile appliance) or triggers a mass account lockout (a credentialed scan that trips the client’s lockout threshold). Is that a Tech E&O claim (Professional Error) or a Cyber Liability claim (System Failure)? If your E&O and Cyber policies aren’t written to dovetail, each carrier can point at the other, leaving you with the bill.

Why Carriers Include These Exclusions

Insurance companies aren’t trying to be difficult; they’re trying to manage their risk. From an underwriter’s perspective, security services present unique challenges:

Higher Claim Frequency: Security assessments directly interact with sensitive production environments. More touchpoints mean more opportunities for a script to go sideways.

Severity Potential: A mistake during a pen test or security audit can expose an entire network, leading to data breaches with massive financial consequences.

Rapidly Evolving Exposure: The threat landscape changes monthly. Underwriters struggle to price risks involving technologies (like AI-driven threat hunting) that they don’t fully understand.

How the two policy types treat common MSP services:

Service Type            Standard Tech E&O    Specialized Cyber Pro Policy
Software Development    Covered              Covered
Penetration Testing     Often Excluded       Explicitly Covered
Vulnerability Scans     Gray Area            Explicitly Covered
Incident Response       Excluded             Explicitly Covered

What You Need Instead

If you provide pen testing, vulnerability assessments, security consulting, or managed security services, you need a policy that provides:

1. Affirmative Security Services Coverage

The policy should explicitly list penetration testing, ethical hacking, vulnerability scanning, and security audits as covered professional services.

2. No Cyber Event Exclusions

Your E&O should work in coordination with your Cyber Liability policy, ensuring no “gap” exists when a professional error causes a digital disruption.

3. Appropriate Limits

Don’t accept a $250,000 sublimit for your primary service offering. Your security services coverage should match your overall E&O limit.

4. Defense Outside the Limits

Legal defense for complex technology claims can easily exceed $100,000. Ensure your defense costs don’t “eat” the limit available to pay the actual claim.

How to Protect Your Firm

1. Audit Your Policy Now

Open your policy PDF and hit Ctrl+F (if the PDF is a scanned image, convert it to searchable text first, or the search will come back empty). Search for “Security,” “Penetration,” “Vulnerability,” “Cyber,” and “Incident Response.” If these appear in the “Exclusions” section, you have a problem. Check the definition of “Professional Services” too: if your services are neither listed there nor excluded, your coverage rests on the carrier’s reading of a definition written for builders.

2. Get a Coverage Gap Analysis

Have an insurance professional who understands the difference between an MSP and an MSSP review your policy against your actual SOWs.

3. Document Your Risk Management

Strong security protocols and clear client agreements help you qualify for specialty markets that offer better coverage at competitive prices.
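The Ctrl+F check in step 1 is easy to automate and easier to repeat at every renewal. The following Python script is an added example, not part of the original article or any carrier’s tooling. It assumes the policy PDF has already been converted to plain text (for example with pdftotext from poppler-utils), that the form uses “SECTION N - TITLE” headings (an assumption about layout; adjust the regex for your policy), and it runs against a constructed sample policy built from the exclusion wording quoted above. It goes one step beyond the article’s keyword search: it reports which section each hit lands in, so a term that appears only in the Exclusions section is flagged differently from one that appears in the Insuring Agreement or Definitions, and it lists service terms the form never mentions at all.

```python
import re
import sys

# Constructed sample of a legacy Tech E&O form (not any real carrier's wording).
# Assumes the PDF was already converted to text, e.g. `pdftotext policy.pdf policy.txt`.
SAMPLE_POLICY = """\
SECTION I - INSURING AGREEMENT
The Insurer will pay Damages arising from a Wrongful Act in the rendering of
Professional Services by the Insured.

SECTION II - DEFINITIONS
"Professional Services" means software development, IT consulting and system
integration services performed for others for a fee.

SECTION III - EXCLUSIONS
This policy does not cover claims arising from or related to penetration testing,
vulnerability scanning, security audits, or security assessments of any kind.
This policy does not cover any loss arising out of a Cyber Event.

SECTION IV - CONDITIONS
Notice of a Claim must be given to the Insurer within 60 days.
"""

# Terms that describe security services; extend with the vocabulary of your own SOWs.
KEYWORDS = ["security", "penetration", "vulnerability", "cyber",
            "ethical hacking", "incident response"]

# Heading pattern is an assumption about the form's layout; adjust it for your policy.
HEADING_RE = re.compile(r"^[ \t]*SECTION\s+[IVX\d]+\s*[-:]\s*(.+?)[ \t]*$",
                        re.IGNORECASE | re.MULTILINE)


def split_sections(text):
    """Return [(TITLE, body), ...] in document order, split on SECTION headings."""
    heads = list(HEADING_RE.finditer(text))
    sections = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        sections.append((h.group(1).strip().upper(), text[h.end():end]))
    return sections


def keyword_hits(text, keywords=KEYWORDS):
    """Map each keyword to the titles of the sections that contain it
    (whole-word, case-insensitive match)."""
    hits = {k: [] for k in keywords}
    for title, body in split_sections(text):
        body_lc = body.lower()
        for k in keywords:
            if re.search(r"\b" + re.escape(k) + r"\b", body_lc):
                hits[k].append(title)
    return hits


def audit(text, keywords=KEYWORDS):
    """Classify each keyword: named in an exclusions section, named in the insuring
    agreement or definitions (affirmative coverage), or absent from the form."""
    hits = keyword_hits(text, keywords)
    excluded = sorted(k for k, secs in hits.items()
                      if any("EXCLUSION" in s for s in secs))
    affirmed = sorted(k for k, secs in hits.items()
                      if any("DEFINITION" in s or "INSURING" in s for s in secs))
    silent = sorted(k for k, secs in hits.items() if not secs)
    return {"excluded": excluded, "affirmed": affirmed, "silent": silent}


def report(text, keywords=KEYWORDS):
    """Print the audit result and return it."""
    result = audit(text, keywords)
    for label, terms in result.items():
        print(f"{label:>9}: {', '.join(terms) or '(none)'}")
    return result


if __name__ == "__main__":
    # Usage: python policy_audit.py policy.txt   (falls back to the sample text)
    policy_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    report(policy_text)
```

On the sample form, “penetration,” “vulnerability,” “security,” and “cyber” all land in the Exclusions section, nothing is affirmed in the Insuring Agreement or Definitions, and “ethical hacking” and “incident response” are never mentioned. A term can appear in both the “excluded” and “affirmed” lists; the script does not decide which clause wins, and an exclusion normally does, so treat any “excluded” hit as the question to take to your broker rather than an answer.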

The Bottom Line

You wouldn’t deliver a security assessment without understanding the scope. Don’t accept insurance coverage without understanding the exclusions. If your Tech E&O policy has a “security services exclusion,” you’re paying for a safety net that isn’t there.

Don’t wait to discover these exclusions when you file a claim. Review your current policy now, or request a Risk Intelligence Report to identify exactly what’s covered and what’s not.