Small MSP $3,000 to $8,000/yr, mid-size MSP $8,000 to $30,000/yr (combined tech E&O + cyber)

MSP E&O / Tech Errors Insurance Cost 2026

Managed Service Providers occupy the most underwriting-scrutinized seat in the professional liability market in 2026. The ransomware era changed MSP underwriting permanently: carriers now require documented security controls before they will quote, demand higher limits than ever, and price the line at multiples of what was common five years ago. This guide breaks down 2026 cost ranges by MSP size, the six exposures that drive premium, the underwriting requirements you will face at every quote, and the structural choices (bundled tech-cyber vs separate, primary plus excess) that decide your final spend.

Pricing by MSP Cohort

Annual premium ranges for combined technology E&O and cyber liability. Standalone tech E&O without cyber is typically 30 to 40 percent cheaper but increasingly rare as a structure.

  • Solo MSP, <50 endpoints managed: $1,500 to $3,500. Entry tier. Coterie, Vouch, Embroker all quote this band well.
  • Small MSP, 50 to 500 endpoints: $3,000 to $8,000. Combined tech E&O + cyber. The modal small MSP product.
  • Mid-size MSP, 500 to 2,000 endpoints: $8,000 to $30,000. Often layered: primary cyber + excess cyber + tech E&O.
  • Large MSP / MSSP, 2,000+ endpoints: $30,000 to $200,000+. Custom underwriting. Coalition, At-Bay, Resilience built for this segment.
  • MSP serving healthcare (HIPAA): +25 to +50% load. BAA exposure, PHI penalty risk, HHS audit exposure all add premium.
  • MSP serving financial services: +30 to +75% load. SOC 2 requirements, financial-regulator notification rules, SEC cyber rule.

Sourced from Coalition, At-Bay, Resilience, Coterie Tech, Vouch, and Embroker public placements, cross-checked against ConnectWise IT Nation pricing surveys. As of May 2026.

The Six Exposures That Drive Premium

MSP underwriting starts with the question: how does an attacker get from your environment into your clients? The exposures below answer that question and rank highest to lowest by underwriter weight. Closed-claim data from Coalition and At-Bay (the two largest cyber MSGAs in the US) confirms that the first two patterns account for roughly 60 percent of MSP claim severity.

  1. Client ransomware spread through MSP. The MSP's remote-management tools (RMM, PSA, EDR) become the attack vector. Examples: Kaseya 2021 and repeated ConnectWise incidents. A single MSP compromise propagating to dozens of clients is the worst-case event.
  2. Failed backup leading to client data loss. A backup product or service the MSP managed did not actually run, or the restore fails when called upon. Cyber and tech E&O both potentially respond depending on root cause.
  3. Failed patch causing client downtime. A patch the MSP pushed broke client systems. Tech E&O responds for downtime damages; the client SLA caps how much you owe contractually, but defense costs accrue regardless.
  4. Misconfigured firewall or access control. The misconfiguration allowed unauthorized access leading to data exfiltration or ransomware. Most common cyber claim against MSPs.
  5. Compliance failure (HIPAA, PCI, SOX). The client is penalized for a compliance failure the MSP was responsible for managing. Regulatory defense and indemnity both potentially apply.
  6. Wrongful termination by an MSP technician. A tech accesses client systems after employment ends, downloads data, or sabotages systems. Coverage is often disputed; insider-threat endorsements are available from specialty markets.

Underwriting Controls You Will Need to Demonstrate

Cyber insurance applications for MSPs in 2026 are detailed technical questionnaires, not the lightweight forms of five years ago. Carriers expect documented evidence of specific controls and increasingly scan public-facing infrastructure (Coalition Active Insurance, At-Bay Stance) before binding. Seven controls are effectively required for competitive pricing:

  1. Multi-factor authentication everywhere. Email, RMM, PSA, remote access, admin accounts, cloud consoles. Carriers consider MFA the single most important control.
  2. Endpoint Detection and Response (EDR). CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, or comparable. Traditional anti-virus is no longer accepted.
  3. Immutable or air-gapped backups. Backups attackers cannot delete or encrypt. Documented testing of restore procedures, not just backup execution.
  4. Privileged Access Management (PAM). Separate admin credentials from daily-use accounts. Just-in-time elevation where possible.
  5. Email security and phishing training. Modern email security gateway (Mimecast, Proofpoint, Microsoft 365 E5) plus quarterly phishing simulation with documented results.
  6. Patching cadence. Critical CVEs patched within 30 days, ideally 14. Documented patching reports per client.
  7. Incident response plan with retained IR vendor. Written IR plan, contact details for retained third-party IR firm, tabletop exercise within last 12 months.

Each missing control adds 15 to 40 percent to premium or triggers a coverage condition that excludes claims related to the missing control. Several carriers (Coalition, At-Bay) actively monitor insured environments post-bind and notify the insured when controls degrade. Misrepresentation on the application can void the policy at claim time, which is the single worst outcome.

Client MSA Coverage Flow-Down

MSP client MSAs in 2026 increasingly specify minimum coverage requirements that flow down from the client's own risk and compliance program. Standard provisions include:

  • Technology errors and omissions coverage of $1M to $5M per claim and aggregate
  • Cyber liability coverage of $1M to $5M per claim, often with notification, forensics, and credit monitoring sub-coverages explicit
  • Client named as additional insured on cyber and tech E&O for the term of services
  • Indemnification by MSP for breaches arising from MSP negligence, often uncapped or capped at multiple of fees paid
  • Compliance with specific security frameworks (NIST CSF, ISO 27001, SOC 2) with right of audit
  • Notification requirements: MSP must notify client of breach within specified hours (often 24 to 72)
  • Subprocessor due diligence: MSP must conduct security review of any subcontractor with access to client data

Practical advice: maintain a contract register tracking each client's coverage requirements. Buy to the highest contract requirement across the client base. Re-read each MSA annually at renewal; client requirement creep is the most common reason MSPs are silently in breach.

The Ransomware Question Specifically

Ransomware has reshaped MSP underwriting. Cyber policies still cover ransomware in 2026 (with some carriers reducing sub-limits and others maintaining full primary limits). What has changed is the conditional coverage: most policies now exclude ransom payments to entities on OFAC sanctions lists, require notification within 24 to 72 hours of detection, require use of an approved IR vendor, and require demonstrated pre-incident controls.

For MSPs the practical implication is two-fold. First, your IR plan must be tested and your retained IR firm pre-approved by your carrier; calling an unapproved firm can void the IR-cost coverage. Second, your client contracts should clarify which party makes the ransom-payment decision and who authorizes IR firm engagement. Most modern MSP MSAs require the client to decide and authorize; this protects the MSP from the legal and reputational exposure of paying a ransom without client consent. The CISA StopRansomware framework at https://www.cisa.gov/stopransomware/ is the canonical reference for incident response.

Frequently Asked Questions

Why has MSP insurance gotten so much more expensive since 2020?
Three things converged. First, ransomware became the dominant cyber claim and MSPs were specifically targeted because compromising one MSP gives attackers access to many clients. The Kaseya 2021 event and several ConnectWise compromises produced individual claim payments above $30M and changed underwriter perception of MSP risk fundamentally. Second, ransom demand inflation: average demand rose from roughly $300K in 2019 to $2M to $5M in 2024. Third, MSP-specific underwriting requirements tightened. Carriers now require documented EDR deployment, MFA on RMM tools, segregated admin credentials, immutable backups, and tested incident response plans before binding coverage at competitive rates. The result: an MSP carrying the same client base pays 200 to 400 percent more in 2026 than it did in 2019 for equivalent coverage.

What is the difference between cyber liability and tech E&O for MSPs?
Cyber liability covers data breaches and their incident response, regulatory exposure, and third-party claims (breach notification, credit monitoring, fines, class actions). Tech E&O covers professional services failures (failed deliverable, breached SLA, design errors, downtime). For an MSP, the typical claim involves both: a breach incident (cyber) caused by an MSP service failure (tech E&O). Modern MSP policies bundle both under a single tech-cyber product (Coterie Tech, Vouch, At-Bay) or as two policies from the same insurer with shared limits. The key question is whether the policies coordinate cleanly when a single event triggers both. Multi-carrier setups can produce coverage disputes; single-carrier bundles avoid this.

What underwriting requirements should I expect?
Standard MSP underwriting requirements in 2026 include: (1) Multi-factor authentication on all administrative accounts, RMM tools, email, and remote access. (2) Endpoint Detection and Response (EDR) deployed across managed endpoints (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint). (3) Immutable or air-gapped backups with documented testing. (4) Documented incident response plan with named third-party IR vendor on retainer. (5) Patching cadence within 30 days for critical CVEs. (6) Privileged access management for admin credentials. (7) Annual penetration testing or vulnerability scanning. Some carriers require additional controls (24/7 SOC, threat intelligence subscriptions) for higher limits. Failure to maintain stated controls can void coverage at claim time, so represent your environment accurately at bind and update your insurer on material changes.

What limit should an MSP carry?
$1M per claim / $2M aggregate is the floor for most small MSPs. $2M/$5M is common for MSPs above 50 clients or 500 endpoints. $5M/$10M and excess layers above that are standard for MSPs serving regulated industries or those with single clients large enough that a breach event could exceed primary limits. The math: the typical mid-size ransomware event in 2024 to 2025 produced $1.5M to $4M in total cost (ransom plus IR plus business interruption plus notification plus third-party claims). A single client breach that produces $3M in costs can exhaust $1M primary cleanly. Underwriters frequently push MSPs toward $2M to $5M as a base, with excess layers if client portfolio exposure justifies. The marginal cost of $5M vs $2M is usually $2,500 to $7,000 additional premium, often worth it relative to the alternative of personal exposure if primary is exhausted.

Does my client MSA flow my coverage requirements down?
Yes, and this is the most-missed aspect of MSP risk management. Standard client MSAs in 2026 commonly require: (1) MSP carries technology E&O at $1M to $5M, (2) MSP carries cyber liability at $1M to $5M, (3) client is added as additional insured on the cyber and tech policies, (4) MSP indemnifies client for breaches arising from MSP negligence (often with carve-outs for client own-act exposure), (5) MSP commits to specific security controls (NIST CSF, ISO 27001, SOC 2) sometimes with audit rights. Review every client MSA at signing and at renewal. If your largest client has updated their MSA to require $5M coverage and you carry $2M, you are in breach even if no claim has occurred. Most MSPs are surprised at renewal by client requirement creep.

Are MSP insurance premiums tax deductible?
Yes. MSP technology E&O, cyber liability, and any related business insurance premiums are deductible ordinary and necessary business expenses. The IRS treats professional liability and cyber insurance like other business insurance: fully deductible in the year paid. For high-premium MSPs, the deduction can materially reduce taxable income. Cost-allocation across clients (whether to bill insurance cost separately to clients or absorb it in margin) is a separate question with no single right answer.

This guide is informational, not insurance advice. MSP cyber and tech E&O wordings vary significantly; the underwriting questionnaire and control conditions deserve close attention before binding. Updated 17 May 2026.

Updated 2026-04-27