If you run an IT services business, managed service provider (MSP) operation, or technology consulting firm, you already know your company is a target. What you might not realize is just how exposed you are—and how much a single breach could cost you. The average cost of a data breach in the United States hit $10.22 million in 2025, more than double the global average. For tech companies handling client data, intellectual property, and critical systems, the stakes are even higher.
Cyber insurance has shifted from optional to essential. Nearly 92% of MSPs now carry cyber insurance, and many are requiring their clients to have it too. But getting coverage isn't as simple as filling out an application anymore. Insurers are requiring proof of sophisticated security controls, and they're scrutinizing IT companies more carefully than ever. Here's what you need to know to protect your business.
Why IT Services Companies Are High-Risk Targets
Technology service providers face a unique problem: you're not just protecting your own data, you're the gatekeeper for dozens or hundreds of clients. When attackers compromise an MSP or IT services firm, they gain access to an entire portfolio of businesses. That's why ransomware was involved in 44% of all breaches in 2025, up from 32% the year before—and tech companies are frequently the entry point.
Supply chain attacks have exploded, with 79 attacks in the first half of 2025 alone affecting 690 organizations and 78.3 million individuals. When your business provides access to client networks, you become the weak link attackers look for. Third-party vendor involvement showed up in 30% of breaches in 2025—twice the rate from the previous year.
The data you handle makes you valuable to attackers. Intellectual property, proprietary code, client credentials, and financial records all flow through your systems. Manufacturing and tech companies face particular exposure from operational sabotage and IP theft, which can result in catastrophic downtime and competitive damage that goes far beyond the immediate breach costs.
What Cyber Insurance Actually Covers for Tech Companies
Cyber insurance for IT services businesses comes in two critical flavors, and you need both. First-party coverage protects your own business when you're hit with a breach or attack. This covers forensic investigations, breach notification costs, business interruption while you recover, crisis management and PR, and reimbursement for financial fraud or ransomware payments. When your systems go down and you can't serve clients, first-party coverage keeps you afloat during recovery.
Third-party coverage is where MSPs and IT service providers see the majority of claims. This kicks in when a client blames your company for failing to prevent their breach or when your services are the vector for an attack. It covers legal defense costs, settlements and judgments, regulatory fines and penalties, and damages from client lawsuits. If you manage client security, backups, network access, or cloud infrastructure, third-party exposure is your biggest risk.
Professional liability coverage overlaps with cyber but addresses service delivery failures specifically. When something goes wrong with a service you're delivering—a misconfigured firewall, failed backup, or security vulnerability you missed—professional services coverage responds. This is critical because these claims fall into a gray area between traditional errors and omissions policies and cyber coverage.
The Five Requirements You Must Meet in 2026
Cyber insurers have tightened underwriting dramatically. You now need to prove you have enforceable security controls before you can get coverage or renew an existing policy. These five requirements are non-negotiable:
Multi-factor authentication (MFA) is required on all administrative accounts, and increasingly across all user accounts. But here's the catch—SMS-based MFA doesn't cut it anymore. Insurers want app-based authentication or hardware tokens. If you're still using text messages for verification, you'll struggle to get coverage.
Endpoint detection and response (EDR) is now expected by 65% of insurers because it significantly reduces breach impact and speeds up incident response. Traditional antivirus won't satisfy this requirement—you need active monitoring and threat detection across all endpoints.
Encrypted, air-gapped backups are essential. Without segregated backups that ransomware can't reach, you're at much higher risk of being denied coverage. Insurers want to see regular testing of backup restoration and offline copies that attackers can't encrypt along with your primary systems.
Identity and access management (IAM) with privileged access management is what separates low-risk from high-risk applicants in 2026. Insurers are scrutinizing how you control admin access, manage credentials, and enforce least-privilege principles. The maturity of your identity security directly affects your coverage limits and premiums.
An incident response plan isn't just documentation you file away. Insurers want to see that you've actually tested your plan, trained your team, and can execute when a breach happens. Security awareness training for employees is also required—if your team can't spot phishing attempts, insurers see you as too risky to cover affordably.
How Much Coverage Do You Actually Need?
Here's where IT services companies often get it wrong: they buy coverage based on what they think sounds reasonable instead of calculating their actual exposure. Start with your revenue and client count. If you support 50 small business clients and one of them gets breached through your systems, you're looking at legal costs, forensic investigations, breach notifications, and potential damages that could easily hit seven figures.
Consider the types of data you handle. If you manage healthcare data, you're dealing with HIPAA penalties on top of breach costs. Financial services clients mean PCI-DSS compliance and potentially massive fraud liability. Many insurers now offer modular coverage where you select components based on your risk profile—cloud environment coverage, remote work vulnerabilities, and comprehensive incident response services can be added as needed.
Most MSPs and IT service providers should be looking at $1 million minimum coverage, with many needing $2-5 million depending on their client base. If you have large enterprise clients or handle particularly sensitive data, $5-10 million isn't excessive. The cost of being underinsured far exceeds the premium difference between adequate and minimal coverage.
Getting Started with Cyber Insurance
Before you apply, audit your security posture against the five core requirements. If you don't have proper MFA, EDR, or backup systems in place, fix those gaps first. Applying before you're ready results in either denial or premium quotes so high they're effectively denials.
Document everything. Insurers want proof, not promises. Have evidence ready showing your security controls are implemented and enforced. This includes MFA enrollment reports, EDR deployment status, backup test logs, and incident response drill documentation. The more thorough your documentation, the better your underwriting terms.
Work with an insurance broker who specializes in technology businesses. Cyber insurance for IT services companies is complex, and generic commercial insurance agents often don't understand the unique exposures and coverage needs. A specialized broker can help you structure appropriate first-party and third-party coverage, negotiate better terms, and avoid gaps between your cyber and professional liability policies.
Finally, consider requiring your clients to carry their own cyber insurance as a contractual obligation. Many MSPs are shifting to this model to reduce their liability exposure. When clients have their own coverage, you're less likely to be the first target in a lawsuit, and you create an additional layer of protection for everyone involved.
With cyber premiums projected to reach $23 billion globally by 2026, cyber insurance has become table stakes for technology services businesses. The question isn't whether you need it—it's whether you can meet the requirements to get it.