IT services and managed service provider businesses operate with two layers of liability that most trades don't face: service failure liability and data breach liability. When you manage a client's network, backup systems, cloud infrastructure, or security monitoring, your negligence doesn't just cost you time and reputation — it costs your client downtime, data loss, ransomware payments, and regulatory fines. And when your client's business is compromised because of your service failure or a breach of your systems, they file a claim against you.
Standard general liability insurance covers bodily injury and property damage. It does not cover professional negligence, service failures, data breaches, or cyber incidents. For IT services businesses, those exclusions eliminate coverage for most of the claims you'll actually face. You need technology errors and omissions insurance (tech E&O) for professional liability and cyber liability insurance for data breach and network security incidents.
This guide covers what IT services and MSP businesses need to know: why tech E&O and cyber liability are the core coverage lines, what client contracts typically require, what these policies cost, and where gaps appear in standard coverage forms.
Technology Errors and Omissions Insurance
Technology E&O is professional liability insurance for IT service providers. It covers financial losses your clients suffer because of your negligent acts, errors, or omissions in providing technology services. This includes service failures, configuration errors, missed security patches, failed backups, botched migrations, and advice that turns out to be wrong.
What tech E&O covers
- Failed backup or disaster recovery: You manage a client's backup system. The backups fail silently for three months. The client's server crashes, and they discover there's no usable backup. They lose critical business data and file an E&O claim for the cost of data recovery, business interruption, and lost revenue.
- Configuration errors causing downtime: You misconfigure a firewall rule during a network upgrade, and the client's entire office loses internet access for two days. The client files a claim for lost revenue and the cost of emergency IT support to restore service.
- Missed security patches leading to a breach: You're responsible for patch management on a client's server environment. You miss a critical security update. The unpatched server is compromised in a ransomware attack. The client files an E&O claim alleging your negligence caused the breach.
- Failed migration or implementation: You migrate a client's email system to Microsoft 365. The migration corrupts mailbox data, and the client loses years of email history. The client files a claim for the cost of recovery efforts and business disruption.
- Bad advice or design decisions: You recommend a cloud infrastructure solution that turns out to be inadequate for the client's workload. The system fails under load, causing client downtime. The client claims you provided negligent professional advice.
What tech E&O doesn't cover
Tech E&O policies typically exclude intentional acts, criminal conduct, bodily injury, property damage (covered under GL), and first-party losses (your own business interruption — that's covered under a business owner's policy). Most tech E&O policies also exclude cyber incidents unless cyber liability is added as an endorsement or purchased as a separate policy.
Cyber Liability Insurance
Cyber liability insurance covers financial losses arising from data breaches, network security failures, ransomware attacks, and privacy violations. For MSPs and IT services businesses, cyber liability has two components: coverage for incidents affecting your own business and coverage for incidents affecting your clients because of your service failure or breach.
First-party cyber coverage
First-party cyber covers losses your business suffers directly from a cyber incident:
- Ransomware payments and negotiation: Your systems are encrypted by ransomware. The policy covers the ransom payment (subject to legal and ethical review), negotiation costs, and cryptocurrency transaction fees.
- Breach response costs: Your client database is breached. The policy covers forensic investigation, notification costs, credit monitoring for affected individuals, public relations support, and legal counsel.
- Business interruption from a cyber event: A cyberattack takes your systems offline for a week. The policy covers lost revenue during the downtime and the cost of restoring systems.
- Data restoration: A breach or attack corrupts or destroys your data. The policy covers the cost of restoring data from backups or reconstructing it if no backup exists.
Third-party cyber coverage
Third-party cyber covers claims by your clients or other third parties arising from a cyber incident you caused or failed to prevent:
- Client breach caused by your negligence: You manage a client's network security. Your failure to implement multi-factor authentication allows an attacker to compromise the client's system. The client's data is breached, and they incur forensic, notification, and regulatory response costs. They file a claim against you for those costs.
- Your breach spreads to your client: Your MSP systems are breached, and the attacker uses credentials stored in your system to access your client's environment. The client suffers a data breach as a result. They file a claim against you for the damages.
- Failure to detect or respond to an incident: You provide security monitoring services. An attacker compromises a client's system, and your monitoring fails to detect the intrusion. The client suffers data loss and regulatory fines. They claim you were negligent in your monitoring obligations.
The line between tech E&O and cyber liability
Tech E&O covers professional negligence. Cyber liability covers data breaches and network security failures. The line blurs when a professional service failure causes a cyber incident. Example: you misconfigure a firewall (tech E&O), and the misconfiguration allows an attacker to breach the client's network (cyber). Many insurers now offer combined tech E&O and cyber policies to eliminate coverage gaps at the boundary between professional negligence and cyber incidents.
General Liability for On-Site Work
Even though most IT services work is virtual, you still need general liability for the physical exposures your business creates: on-site visits to client offices, equipment installation, cable runs, and property damage from accidental acts.
Standard GL claim scenarios for IT services
- Property damage during installation: You're installing a server rack in a client's office. You accidentally drill through a wall and sever electrical wiring, causing property damage and a power outage. The repair cost is a GL property damage claim.
- Damage to client equipment: You're upgrading a client's workstation and accidentally drop a monitor, shattering the screen. Replacing the monitor is a GL property damage claim.
- Slip and fall at a client site: A client's employee trips over your equipment bag during an on-site visit and suffers an injury. This is a GL bodily injury claim.
Standard GL limits are $1 million per occurrence and $2 million general aggregate. Most client contracts require these limits as a minimum. Some enterprise clients require $2 million per occurrence, which typically means adding an umbrella policy above your base GL.
Who Asks for Your Certificate of Insurance
IT services and MSP contracts are heavily insurance-focused. Clients are entrusting you with access to their network, data, and business-critical systems. The certificate of insurance requirements reflect that trust and risk transfer.
Enterprise clients and contracts
Enterprise clients — businesses with formal procurement processes, IT departments, and legal review — require certificates showing tech E&O, cyber liability, GL, and often umbrella coverage. The certificate needs to name the client as an additional insured on the GL policy and sometimes on the cyber policy. They may also require a waiver of subrogation endorsement on all policies.
Co-managed IT and vendor agreements
If you're working alongside another MSP in a co-managed IT relationship or integrating with a larger vendor's platform, the vendor agreement will require you to carry tech E&O and cyber liability at specific limits — often $1 million or $2 million per claim. The vendor wants assurance that if you cause a service failure or breach affecting their client, you have coverage to respond to the claim.
Compliance-driven clients (healthcare, finance, legal)
Clients in regulated industries — healthcare (HIPAA), finance (GLBA, SOX), legal (attorney-client privilege) — impose heightened insurance requirements because of the regulatory exposure they face if you cause a breach. These clients often require cyber liability limits of $2 million to $5 million, tech E&O at similar limits, and contractual language confirming that your policies cover regulatory fines and penalties (which not all policies do).
Certificate turnaround time matters
You close a contract with a new client. They need a certificate naming them as additional insured on your GL and showing tech E&O and cyber coverage by tomorrow morning or the contract is void. Can your broker deliver? We issue certificates of insurance on a published 15-minute SLA, around the clock. When a delayed certificate costs you the contract, speed matters.
Workers' Compensation
If you have employees — technicians, helpdesk staff, engineers — you need workers' compensation insurance. IT services work is generally low-risk from a workers' comp perspective, but repetitive motion injuries (carpal tunnel from keyboard work), slip and fall incidents during on-site visits, and vehicle accidents during client visits generate claims.
Texas workers' comp: optional but required in practice
Texas is the only state where workers' compensation is optional for most private employers. You can operate as a non-subscriber, meaning you don't carry workers' comp and employees sue you directly if they're injured. For IT services businesses, this is usually not viable if you work with enterprise clients or government contracts. Those clients require proof of workers' comp as a condition of the contract. Without it, you're limited to small business clients who don't scrutinize insurance.
Commercial Auto
If your technicians drive to client sites in company vehicles, you need commercial auto insurance. Standard limits are $1 million combined single limit. Make sure your policy includes hired and non-owned auto coverage if employees use personal vehicles for client visits or if you rent vehicles.
One IT services-specific consideration: your vehicles may carry laptops, diagnostic tools, networking equipment, and client devices worth $5,000 to $20,000 per vehicle. Your commercial auto policy covers the vehicle, not the contents. You need inland marine coverage for tools and equipment in transit.
What IT Services and MSP Insurance Costs
Premiums depend on your revenue, the services you provide (helpdesk vs. full MSP vs. consulting), the industries you serve (healthcare and finance increase premiums), your claims history, and your cybersecurity practices. Here are realistic ranges for an IT services or MSP business with 2 to 15 employees and $500,000 to $3 million in annual revenue.
- Technology E&O ($1M limit): $2,500 - $8,000/year
- Cyber Liability ($1M limit): $3,000 - $12,000/year
- Combined Tech E&O + Cyber ($1M/$1M): $4,500 - $15,000/year
- General Liability: $1,200 - $3,500/year
- Workers' Compensation: $2,000 - $8,000/year
- Commercial Auto (2-5 vehicles): $2,500 - $7,000/year
- Umbrella ($1M - $2M): $1,000 - $3,000/year
- Business Owner's Policy (property + BI): $1,500 - $4,000/year
Total annual cost for a typical IT services or MSP business: $15,000 - $50,000. Smaller helpdesk or break-fix operations with clean loss histories and good cybersecurity practices will be toward the low end. Full-service MSPs serving healthcare or financial clients with higher revenue and prior claims will be at the higher end.
What drives premiums up
- Revenue and employee count: Higher revenue and more employees increase exposure and premium.
- Industries served: Healthcare (HIPAA), finance (GLBA), and legal clients significantly increase cyber and E&O premiums because of regulatory exposure.
- Services offered: Security monitoring, penetration testing, and compliance consulting increase premiums. Basic helpdesk and break-fix work are lower risk.
- Claims history: Prior E&O or cyber claims increase premiums. Carriers underwrite tech E&O and cyber more aggressively than GL because claim severity is high.
- Cybersecurity practices: Carriers ask detailed questions during underwriting: do you use multi-factor authentication, endpoint detection and response, security awareness training, encrypted backups? Strong controls reduce premiums. Weak controls increase them or result in coverage declinations.
What to Ask Your Broker
Does my tech E&O policy cover cyber incidents, or do I need separate cyber liability?
Some tech E&O policies include limited cyber liability as an endorsement. Others exclude cyber entirely. If your policy excludes cyber, you need a standalone cyber liability policy. Ask your broker to confirm in writing what is and isn't covered at the boundary between tech E&O and cyber.
Are regulatory fines and penalties covered?
Some cyber liability policies cover regulatory fines and penalties arising from a data breach (e.g., HIPAA fines, state attorney general penalties). Others exclude fines or only cover them in specific jurisdictions. If you serve healthcare or finance clients, verify whether your policy covers regulatory fines. If it doesn't, you may need a separate policy or endorsement.
Does my policy cover my liability for breaches of my clients' systems?
This is third-party cyber liability. Not all cyber policies include it. Some only cover first-party losses (your own breach response costs). If you manage client networks or have access to client systems, you need third-party cyber coverage. Confirm with your broker that your policy covers claims by clients for breaches you caused or failed to prevent.
What's the deductible on tech E&O and cyber?
Deductibles on tech E&O and cyber policies are typically $5,000 to $25,000. Higher deductibles lower your premium but increase your out-of-pocket cost per claim. For MSPs with stable revenue and cash reserves, a $10,000 or $15,000 deductible can meaningfully reduce premiums.
Does the policy include breach response services?
Many cyber liability policies include breach response services as part of the coverage: forensic investigation, legal counsel, notification services, credit monitoring, and public relations support. These services are often pre-negotiated by the carrier at discounted rates. Verify whether your policy includes these services or whether you're responsible for arranging and paying for them yourself (subject to later reimbursement).
Can I get coverage for social engineering and funds transfer fraud?
Social engineering fraud (an attacker impersonates a vendor or executive and tricks you into wiring funds) is not always covered under standard cyber policies. Some policies exclude it. Others offer it as an add-on sublimit. If your business processes wire transfers or handles client funds, ask whether your policy covers social engineering fraud and what the sublimit is.