IT and technology services companies — managed service providers (MSPs), software developers, IT consultants, and cloud service firms — face disproportionate cyber exposure because a single breach in their own systems can cascade to dozens of client networks. Cyber liability insurance for IT firms covers first-party breach response costs and third-party claims from affected clients. Who this is for: Any technology services business that manages, touches, or stores client data or systems.
TL;DR — Key Takeaways
- Cyber liability for IT firms is almost always written on a claims-made basis; the retroactive date and tail coverage terms matter as much as the limit.
- IT and MSP firms typically need both cyber liability and technology E&O (tech professional liability) — many carriers now offer combined policies that close the gap between the two coverages.
- Premium for a $1M cyber policy ranges from roughly $2,000 to $15,000+ per year depending on revenue, client base, and your security controls (MFA, EDR, backups).
- Underwriters scrutinize multi-factor authentication (MFA), endpoint detection & response (EDR), and offline backup practices; since 2021, weak controls have routinely triggered declinations or sublimits.
- All 50 states have breach notification laws; a cyber policy funds the legal, forensic, and notification costs required under those statutes.
What Does Cyber Liability Cover for IT & Technology Services Firms?
Cyber liability for IT companies is split into first-party (your own losses) and third-party (claims made against you by others). Both matter equally for this industry.
| Coverage Component | What It Pays | First or Third Party |
|---|---|---|
| Data breach response | Forensic investigation, breach counsel, notification to affected individuals, credit monitoring | First-party |
| Network business interruption | Lost revenue and extra expense when your systems go down | First-party |
| Dependent business interruption | Lost revenue when a third-party provider you depend on (such as a cloud host or software vendor) goes offline due to a covered event | First-party |
| Cyber extortion / ransomware | Ransom payments (subject to OFAC screening), negotiation costs, decryption assistance | First-party |
| System damage / data restoration | Cost to recover, restore, or recreate corrupted or destroyed data and systems | First-party |
| Network security liability | Third-party claims alleging your security failure caused their data breach | Third-party |
| Privacy liability | Claims for unauthorized collection, use, or disclosure of personal information | Third-party |
| Regulatory defense & fines | Defense costs and covered fines from state privacy regulators, FTC, HIPAA OCR | Third-party |
| PCI DSS fines & assessments | Payment card brand assessments following a cardholder data compromise | Third-party |
| Media / content liability | Copyright infringement, defamation in digital content you publish | Third-party |
Important exclusions to know: Standard cyber policies for IT firms typically exclude bodily injury and property damage (covered under GL/umbrella), war and nation-state attacks (though coverage varies by carrier and policy language is evolving), intentional or criminal acts by the insured, and prior known incidents. Tech E&O is often a separate insuring agreement or policy — network security liability does not replace professional liability for faulty software or bad advice.
Cyber vs. Tech E&O: What's the Difference and Do You Need Both?
This is the most common coverage gap for IT companies. The two coverages are related but not interchangeable.
| | Cyber Liability | Tech E&O (Professional Liability) |
|---|---|---|
| Core trigger | Network security or privacy event (breach, ransomware, outage) | Professional mistake, error, or omission in services rendered |
| Example claim | Ransomware spread from your RMM tool to 30 client endpoints | You misconfigured a firewall that left a client exposed; they sue for losses |
| Policy form | Claims-made; first-party + third-party insuring agreements | Claims-made; third-party only |
| Overlap | A professional error that causes a security event can trigger both policies | A security failure that stems from a professional error can trigger both policies |
Best practice for IT firms: Purchase a combined Tech E&O + Cyber policy from a single carrier. This eliminates disputes over which policy responds when a professional error (wrong firewall rule) leads to a security incident (breach). Many carriers — including leading tech E&O writers — now offer this as a single combined form.
How Much Does Cyber Liability Cost for IT & Technology Services?
Premium is primarily driven by annual revenue, with significant adjustments for industry served, client count, and security controls. Figures below reflect approximate market ranges as of mid-2026; actual quotes vary by carrier and specific underwriting profile.
| Company Profile | Annual Revenue | Estimated Annual Premium (Standalone $1M Cyber) |
|---|---|---|
| Solo IT consultant / freelancer | < $300K | $1,500 – $3,500 |
| Small IT firm / VAR | $300K – $1M | $2,500 – $6,000 |
| Small-to-mid MSP | $1M – $3M | $5,000 – $12,000 |
| Mid-market MSP | $3M – $10M | $10,000 – $25,000 |
| Software developer (SaaS) | $1M – $5M | $4,000 – $14,000 |
| IT staffing firm | $2M – $8M | $6,000 – $18,000 |
Factors that lower your premium: Enforced MFA across all admin accounts, EDR deployed on all endpoints and servers, immutable offline backups tested quarterly, incident response plan on file, no prior cyber claims, revenue concentrated outside healthcare or financial services.
Factors that raise your premium or trigger declinations: No MFA on remote access or admin portals, use of legacy/end-of-life systems, prior ransomware claims, large healthcare or financial sector client base, use of shared credentials or flat network architecture.
Deductibles typically range from $2,500 to $25,000 for limits of $1M; higher limits may carry higher per-occurrence deductibles or self-insured retentions (SIRs).
How to Get Cyber Liability Insurance for an IT Firm: A 5-Step Process
- Gather your underwriting information. Compile prior year revenue, three-year revenue forecast, client count and industries served, a list of any cloud-hosted services you operate, and your current security controls documentation (MFA policy, backup schedule, EDR vendor).
- Decide on limits and structure. Work with your broker to select a per-occurrence limit, aggregate limit, and whether you want a standalone cyber policy, a combined Tech E&O + Cyber form, or a separate Tech E&O plus a cyber endorsement.
- Complete the cyber application. Most markets use their own supplemental application with 30–60 security questions. Answer accurately — misrepresentation can void coverage. Underwriters will ask specifically about MFA, EDR, backup frequency/isolation, and patch management cadence.
- Review quotes for coverage terms, not just price. Compare retroactive dates (the further back, the better), sublimits on ransomware and social engineering, waiting periods on business interruption, and whether dependent business interruption is included and at what limit.
- Bind, set a policy diary, and document your retroactive date. Since cyber is claims-made, note your retroactive date and bind tail coverage (extended reporting period) any time you switch carriers or let the policy lapse.
Real-World Scenario: Ransomware via Compromised RMM Tool
This is an illustrative example to show how coverage responds — not a guarantee of any specific outcome.
Setup: A 12-person MSP in Texas manages IT infrastructure for 45 small-business clients across healthcare, legal, and retail sectors. Annual revenue: $2.1 million. They carry a $2M/$2M combined Tech E&O + Cyber policy with a $10,000 retention.
Incident: A threat actor exploits a known but unpatched vulnerability in the MSP's remote monitoring and management (RMM) platform. The attacker deploys ransomware that encrypts servers at 18 of the MSP's client sites simultaneously over a weekend.
Costs triggered:
- Forensic investigation and incident response retainer: $85,000
- Ransom demand (paid after FBI consultation and OFAC screening): $120,000
- Data restoration and system rebuild labor across 18 clients: $210,000
- Business interruption — MSP's own lost billings during 3-week disruption: $65,000
- Client notification and credit monitoring (where PHI involved): $30,000
- Regulatory inquiry defense (2 clients in HIPAA-covered industries): $55,000
- Client claims for their own business interruption losses (Tech E&O / Network Security Liability): $340,000 across multiple clients
Total gross loss: approximately $905,000. After the $10,000 retention, the combined cyber + Tech E&O policy covered the remainder up to the $2M limit. Without adequate limits, the MSP would have faced out-of-pocket exposure on client claims that easily exceeded the cost of the ransom itself.
Frequently Asked Questions
Does a general liability policy cover a data breach? No. Standard commercial general liability (CGL) policies contain exclusions for electronic data and typically do not cover data breach response costs, ransomware, or third-party claims arising from a network security failure. A standalone cyber policy is required for these exposures.
Is cyber liability claims-made or occurrence? Virtually all cyber liability policies in the US market are written on a claims-made basis. Coverage responds when the claim is first reported during the policy period, not when the incident occurred. This makes your retroactive date and continuity of coverage critical — a gap in coverage can leave prior incidents uninsured.
Do IT firms need cyber liability even if they don't store sensitive data? Yes. IT and MSP firms face liability not just for data they store but for security failures that affect client systems they manage. Even a firm that stores no personal data itself can be sued if a network security failure on their watch exposes a client's customer records or causes system downtime.
What is a retroactive date and why does it matter? The retroactive date is the earliest date from which prior incidents are covered, as long as the claim is reported during the policy period. A retroactive date of "full prior acts" (meaning no retroactive date limitation, so prior incidents are covered regardless of when they occurred) provides the broadest protection. When switching carriers, verify the new carrier matches or improves upon your existing retroactive date.
What limits should an MSP carry? A common benchmark is a $1M per-occurrence / $2M aggregate minimum for small MSPs, with $2M/$2M or higher recommended for firms managing healthcare, financial, or government client data. Contracts with enterprise clients often specify minimum limits — review client agreements before selecting limits.
Does cyber insurance cover social engineering and wire fraud? Many cyber policies include social engineering and funds transfer fraud as a sublimit endorsement (typically $100,000–$250,000 at standard policy terms), not at the full policy limit. Review this sublimit carefully — it is often the most contested coverage area in IT firm claims.
Can I get cyber coverage if I had a prior ransomware claim? Possibly, but the market is more restricted and pricing will be higher. Carriers will want to see documented remediation steps taken since the prior incident. Some standard markets may decline; specialty or surplus lines markets may offer coverage with higher retentions or ransomware sublimits.
Is cyber liability required by client contracts? Increasingly, yes. Enterprise clients, government contractors, and companies in regulated industries (healthcare, finance) routinely require their IT vendors to carry minimum cyber liability limits and name them as additional insureds or provide certificates of insurance evidencing coverage.
Why Morrow for IT & Technology Services Cyber Insurance
- Independent access to multiple cyber markets. As an independent agency, Morrow places coverage across a broad panel of admitted and surplus lines carriers that specialize in tech E&O and cyber — not a single captive insurer. That means competitive quotes and the ability to match your risk profile to the right underwriter.
- Expertise in combined Tech E&O + Cyber placement. We understand the coverage gap between professional liability and cyber for IT firms and structure policies specifically to close it, whether that means a combined form or coordinated separate policies.
- Fast certificate and COI turnaround. IT firms frequently need certificates for new client contracts on short notice. Morrow prioritizes same-day certificate issuance and can provide additional insured endorsements without delays that cost you business.
- Security controls guidance before you apply. We help clients document MFA, EDR, and backup practices in the format underwriters actually want to see — improving both approval odds and final pricing.
- Real claims advocacy. If a breach happens, Morrow works as your advocate with the carrier and the appointed breach response firm, not as a bystander. We help you navigate the claims-made reporting requirements, OFAC considerations for ransomware, and multi-party client notifications.
Get a Cyber Liability Quote for Your IT Firm
Ready to protect your business and satisfy client contract requirements? Morrow's tech insurance specialists can typically turn around bindable cyber + Tech E&O quotes within 24–48 hours.
Request a cyber liability quote →
Trust: Morrow (Afthonea Inc, DBA Morrow) is a licensed independent insurance agency [Morrow to confirm: licensed states and NPN]. We work with A-rated admitted and surplus lines carriers. [Morrow to confirm: carrier panel names.] [Morrow to confirm: review count and rating platform.]
Related Pages
- IT & Technology Services Insurance — Industry Overview
- Technology E&O (Professional Liability) for IT Firms
- Cyber Liability Insurance — Coverage Guide
- How Much Does Cyber Liability Insurance Cost?
- Cyber Liability vs. Tech E&O: What's the Difference?
- General Liability for IT & Technology Services
Author: Written by the Morrow Commercial Insurance Editorial Team. Content reviewed for accuracy against current US P&C insurance market standards and carrier form language.
Published: June 2026 | Last updated: June 2026
Sources:
- National Association of Insurance Commissioners (NAIC) — Cyber Insurance Report
- Insurance Information Institute (III) — Cybersecurity and Insurance data
- U.S. Department of the Treasury / OFAC — Ransomware Advisory guidance
- HHS Office for Civil Rights (OCR) — HIPAA Breach Notification Rule
- FTC — Safeguards Rule (16 CFR Part 314)
- State breach notification statutes (all 50 states maintain individual statutes; verify requirements with breach counsel)
- ISO / IEC cyber policy form language (reference only; actual policy terms control)
