Industry Guide

Commercial Insurance for IT Companies and Managed Service Providers

IT companies and MSPs have a unique liability profile: they hold the keys to their clients' digital infrastructure. An MSP that manages 80 client networks is not just exposed for its own data — it is the potential attack vector for all 80 clients simultaneously. Tech E&O and cyber liability must be structured together, from a single carrier, with language that covers both the professional error of failing to prevent a breach and the breach itself. The supply-chain attack exposure through RMM tools, the regulatory data obligations for healthcare and financial clients, and the BEC crime exposure all require specific underwriting attention.

Coverage IT companies and managed service providers typically need

Technology Errors and Omissions (Tech E&O)
The foundational professional liability product for IT service companies and managed service providers (MSPs). Tech E&O covers claims arising from errors or omissions in the performance of technology services — a security configuration error that allows a client's network to be breached, a backup system failure that results in data loss, a software deployment that causes system downtime, or a managed security failure that allows ransomware to propagate across a client's network. Tech E&O is often packaged with cyber liability in a combined technology liability policy, which is the preferred structure for most IT service companies.
Cyber Liability
Covers first-party and third-party cyber losses. For IT companies and MSPs, cyber liability is both a first-party exposure (their own systems being breached) and a third-party exposure (a breach of a client's systems for which the MSP is responsible as the network manager). MSP cyber exposure is particularly severe because an MSP that is compromised gives attackers access to the MSP's remote management tools — which then provide access to every client network the MSP manages. This supply-chain attack vector has produced some of the largest cyber claims in recent years.
Commercial General Liability
Covers premises and operational liability for IT companies — a client who visits the IT company's office and is injured, property damage caused by an IT technician working at a client site (spilling coffee on server equipment, for example), or advertising injury claims. Tech GL must be reviewed for technology-related exclusions — some carriers add broad technology exclusions to standard GL that can create gaps when GL and Tech E&O are not written with a coordinated endorsement structure.
Workers' Compensation
IT company WC covers employees for work-related injuries — ergonomic injuries from prolonged computer use, slip-and-fall incidents at client sites during on-site service calls, vehicle accidents during client site visits, and physical injuries from equipment installation work (server rack installation, cable pulling, network equipment mounting). WC classification for IT companies varies between clerical (8810) for office-based staff and a tech services classification for field technicians.
Commercial Crime / Cyber Crime
IT companies are exposed to social engineering attacks — particularly business email compromise (BEC) attacks where an employee is tricked into wiring money to an attacker's account. Crime coverage for IT companies must specifically address social engineering/funds transfer fraud because standard crime policies exclude losses resulting from voluntary transfer of funds. Cyber crime coverage as part of the cyber liability policy often addresses BEC more comprehensively than standalone crime.
Media Liability / Intellectual Property
IT companies that develop software, create websites, or produce marketing or content materials face intellectual property infringement claims — copyright infringement in code, trademark infringement in designs, or defamation/libel claims from published content. Media liability covers these claims, which standard GL advertising injury coverage may not fully address for technology products.

ACORD forms for IT company and MSP submissions

ACORD 125 — Commercial Insurance Application
Primary submission document for IT company accounts. Capture type of IT services provided (managed services/MSP, break-fix, software development, cybersecurity consulting, cloud services, IT staffing), annual revenue, number of clients managed, whether the company has remote access to client systems, and whether the company handles any regulated data (PHI, PCI, financial data) as part of services.
ACORD 126 — Commercial General Liability Section
Required for GL. Describe all services — the tech services description on the GL application directly affects which GL form the carrier uses and whether tech exclusions apply. The GL application for an IT company must specifically describe technology services to trigger the correct policy language.

Key underwriting questions for IT company and MSP accounts

What specific IT services does the company provide — managed services (MSP), break-fix on-site support, software development, cybersecurity consulting, cloud infrastructure management, IT staffing?
Does the company serve as a managed service provider with remote access to client networks and systems?
What remote monitoring and management (RMM) tools does the company use?
How many client networks does the company actively manage?
Does the company handle any regulated data as part of services — PHI (healthcare), payment card data (PCI), or financial institution data?
Does the company develop proprietary software products or sell licensed software?
Does the company provide any cloud hosting or data storage services for clients?
Does the company provide cybersecurity services — vulnerability assessments, penetration testing, SOC monitoring?
Has the company had any data breach, ransomware attack, or client data loss incident?
Has the company been named in a professional liability or tech E&O claim?
What cyber security controls does the company maintain — MFA on all remote access, endpoint detection, patch management, privileged access management?
Does the company maintain cyber insurance separately from client contracts?
Does the company have client contracts with indemnification obligations — is it required to defend clients in data breach claims?
What is the annual gross revenue?
Does the company have employees in multiple states or remote employees?

Common submission mistakes for IT company and MSP accounts

Separating tech E&O and cyber liability onto different policies with potential gap
The single most dangerous structural error in IT company insurance programs is splitting the tech E&O and cyber liability onto policies from different carriers without coordinating the exclusions and trigger language. A ransomware attack on a client network that the MSP manages creates a claim that is simultaneously a tech E&O claim (for the MSP's failure to prevent it) and a cyber liability claim (for the breach itself). If the tech E&O carrier says "this is a cyber claim" and the cyber carrier says "this is a professional error, not a cyber event," the insured faces a denial from both carriers. Combined tech E&O and cyber liability from a single carrier eliminates this gap.
Not asking about RMM tool access and MSP supply-chain attack exposure
Managed service providers use remote monitoring and management (RMM) tools — ConnectWise, SolarWinds, Kaseya, Datto, NinjaRMM, and others — to manage client networks remotely. An attacker who compromises the MSP's RMM tool gains the ability to push malware to every client network the MSP manages simultaneously. This is the supply-chain attack vector, and it has been used in multiple high-profile incidents (Kaseya VSA attack, SolarWinds SUNBURST) that affected hundreds or thousands of client organizations through a single MSP compromise. Cyber underwriters specifically ask about RMM tools, privileged access controls, and segmentation between the MSP's network and client networks. MSPs with poor RMM security practices face limited cyber market availability.
Missing the regulatory data handling exposure for healthcare and financial IT clients
An IT company that manages IT systems for healthcare providers is typically a HIPAA Business Associate — with the full array of HIPAA security rule obligations and breach notification requirements. An IT company that manages point-of-sale systems for retailers is handling PCI-scoped data. These regulatory exposures must be specifically addressed in both the tech E&O and cyber liability applications. An IT company that claims to have no regulatory data exposure but manages the IT infrastructure for a 50-physician medical group and two urgent care centers has materially misrepresented the risk.
Not including social engineering and funds transfer fraud coverage for BEC exposure
IT companies are valuable targets for business email compromise (BEC) attacks because they control critical systems and typically have established wire transfer relationships with vendors and clients. A BEC attacker who successfully impersonates a vendor and convinces an IT company's accounts payable staff to redirect a wire payment has caused a crime loss — but standard crime policies frequently exclude "voluntary transfer" of funds, meaning the company acted willingly (even if deceived). Social engineering fraud coverage, which specifically covers losses from deceptive instructions to transfer funds, must be confirmed as part of the crime or cyber program for any IT company.

Complete IT company and MSP submissions in one workflow

AgencyAssist captures service types, client network access, RMM tools, regulated data handling, cyber controls, and prior claim history through one intake link. ACORD forms generated automatically.

Start free trialSee live demo

Related

Commercial insurance for tech companiesProfessional liability insurance explainedCyber liability insurance explainedCommercial general liability explained