Why MSPs Need Specialized Insurance

Most firms have $500,000 or more in coverage gaps, and don’t know it.

Here’s why: You’re not like other businesses. You hold admin credentials to dozens of client networks. You’re the guardian of their data, their security posture, their entire infrastructure. When something goes wrong, you don’t face one lawsuit; you face dozens.

Whether you’re a pentesting firm in California, an MSSP in Texas, or a security consultancy in New York, standard business insurance treats you like any other company. But your risk profile is fundamentally different.

Standard policies, even “cyber insurance,” fail to account for the professional weight of what you do. Here are four critical reasons why.

1. Why Cyber Liability Isn’t Enough: You Need Tech E&O

Most businesses buy Cyber Liability to protect their own data. But for MSPs, the biggest threat is a claim that your professional services failed, leading to a client’s loss.

  • Cyber Liability: Covers your firm if your systems are hacked.
  • Technology Errors & Omissions (Tech E&O): This is the “Professional Liability” of the tech world. It covers you if a client sues because your advice was wrong, you missed a critical vulnerability, or your managed service went down and cost them revenue.

The Gap: Many standard E&O policies exclude “Professional Services” like pentesting or SOC operations. If your policy excludes the very thing you do for a living, you have a massive exposure gap.

2. Downstream Liability: One Breach, Dozens of Lawsuits

When an accountant gets hacked, only their firm is at risk. When an MSP gets hacked, every one of their clients is at risk. This is known as “downstream” or “vicarious” liability.

  • Aggregated Risk: Because you have “the keys to the kingdom” (admin access), a single breach at your firm could lead to dozens of lawsuits from your clients.
  • Third-Party Coverage: Your policy must cover lawsuits from clients whose networks were breached due to your oversight. Most standard policies don’t.

Standard policies cover breaches of your network, not breaches of client networks caused by your services.

3. MSA Compliance: When Your Coverage Doesn’t Match Your Contracts

Enterprise clients and government entities now have strict insurance requirements. If you sign a Master Service Agreement (MSA) that requires $5M in coverage but you only carry $1M, you’re in breach of contract before you even start work.

  • Indemnification Clauses: Most MSAs require you to indemnify the client for any losses caused by your work. If your policy excludes “liability assumed under contract,” you could be left paying a $300K+ claim out of pocket.
  • Additional Insured Status: Enterprise clients often require being named as an “Additional Insured” on your policy. This ensures your insurance helps defend them if they’re sued due to your work.

4. The Contractor Problem: When Your 1099s Aren’t Covered

Many MSPs use 1099 contractors or offshore developers for specialized tasks like pentesting.

  • The Risk: Many professional policies only cover “W-2 employees.” If a contractor makes a mistake that leads to a $400K claim, your policy might deny it entirely.
  • The Solution: You need a policy that explicitly extends “Insured” status to independent contractors working on your behalf.

These four reasons explain why specialized coverage matters. But knowing the specific gaps in your current policies is what protects your business. I cover the 5 most common coverage gaps in detail in my next article.