IT companies and MSPs have a unique liability profile: they hold the keys to their clients' digital infrastructure. An MSP that manages 80 client networks is not just exposed for its own data — it is the potential attack vector for all 80 clients simultaneously. Tech E&O and cyber liability must be structured together, from a single carrier, with language that covers both the professional error of failing to prevent a breach and the breach itself. The supply-chain attack exposure through RMM tools, the regulatory data obligations for healthcare and financial clients, and the BEC crime exposure all require specific underwriting attention.
Technology Errors and Omissions (Tech E&O)The foundational professional liability product for IT service companies and managed service providers (MSPs). Tech E&O covers claims arising from errors or omissions in the performance of technology services — a security configuration error that allows a client's network to be breached, a backup system failure that results in data loss, a software deployment that causes system downtime, or a managed security failure that allows ransomware to propagate across a client's network. Tech E&O is often packaged with cyber liability in a combined technology liability policy, which is the preferred structure for most IT service companies.
Cyber LiabilityCovers first-party and third-party cyber losses. For IT companies and MSPs, cyber liability is both a first-party exposure (their own systems being breached) and a third-party exposure (a breach of a client's systems for which the MSP is responsible as the network manager). MSP cyber exposure is particularly severe because an MSP that is compromised gives attackers access to the MSP's remote management tools — which then provide access to every client network the MSP manages. This supply-chain attack vector has produced some of the largest cyber claims in recent years.
Commercial General LiabilityCovers premises and operational liability for IT companies — a client who visits the IT company's office and is injured, property damage caused by an IT technician working at a client site (spilling coffee on server equipment, for example), or advertising injury claims. Tech GL must be reviewed for technology-related exclusions — some carriers add broad technology exclusions to standard GL that can create gaps when GL and Tech E&O are not written with a coordinated endorsement structure.
Workers' CompensationIT company WC covers employees for work-related injuries — ergonomic injuries from prolonged computer use, slip-and-fall incidents at client sites during on-site service calls, vehicle accidents during client site visits, and physical injuries from equipment installation work (server rack installation, cable pulling, network equipment mounting). WC classification for IT companies varies between clerical (8810) for office-based staff and a tech services classification for field technicians.
Commercial Crime / Cyber CrimeIT companies are exposed to social engineering attacks — particularly business email compromise (BEC) attacks where an employee is tricked into wiring money to an attacker's account. Crime coverage for IT companies must specifically address social engineering/funds transfer fraud because standard crime policies exclude losses resulting from voluntary transfer of funds. Cyber crime coverage as part of the cyber liability policy often addresses BEC more comprehensively than standalone crime.
Media Liability / Intellectual PropertyIT companies that develop software, create websites, or produce marketing or content materials face intellectual property infringement claims — copyright infringement in code, trademark infringement in designs, or defamation/libel claims from published content. Media liability covers these claims, which standard GL advertising injury coverage may not fully address for technology products.
ACORD 125 — Commercial Insurance ApplicationPrimary submission document for IT company accounts. Capture type of IT services provided (managed services/MSP, break-fix, software development, cybersecurity consulting, cloud services, IT staffing), annual revenue, number of clients managed, whether the company has remote access to client systems, and whether the company handles any regulated data (PHI, PCI, financial data) as part of services.
ACORD 126 — Commercial General Liability SectionRequired for GL. Describe all services — the tech services description on the GL application directly affects which GL form the carrier uses and whether tech exclusions apply. The GL application for an IT company must specifically describe technology services to trigger the correct policy language.
→What specific IT services does the company provide — managed services (MSP), break-fix on-site support, software development, cybersecurity consulting, cloud infrastructure management, IT staffing?
→Does the company serve as a managed service provider with remote access to client networks and systems?
→What remote monitoring and management (RMM) tools does the company use?
→How many client networks does the company actively manage?
→Does the company handle any regulated data as part of services — PHI (healthcare), payment card data (PCI), or financial institution data?
→Does the company develop proprietary software products or sell licensed software?
→Does the company provide any cloud hosting or data storage services for clients?
→Does the company provide cybersecurity services — vulnerability assessments, penetration testing, SOC monitoring?
→Has the company had any data breach, ransomware attack, or client data loss incident?
→Has the company been named in a professional liability or tech E&O claim?
→What cyber security controls does the company maintain — MFA on all remote access, endpoint detection, patch management, privileged access management?
→Does the company maintain cyber insurance separately from client contracts?
→Does the company have client contracts with indemnification obligations — is it required to defend clients in data breach claims?
→What is the annual gross revenue?
→Does the company have employees in multiple states or remote employees?