Why MSP contracts – not breaches – may be your biggest cyber accumulation threat

MSP contracts and insurance carve-outs are quietly reshaping cyber accumulation risk, limiting recovery and exposing insurers to systemic losses

By Branislav Urosevic

Managed service providers (MSPs) sit at the centre of some of the nastiest systemic cyber events: one compromise, dozens of downstream victims, overlapping claims and a messy fight over who ultimately pays.

At NetDiligence Toronto, a panel of underwriters, coverage counsel, incident responders and forensic specialists made a simple point: for insurers, the real story is not just the MSP’s security posture. It is what is buried in the MSP contract. In particular, liability caps, “unless there’s insurance” carve‑outs and the way those clauses interact with subrogation and contingent business interruption (CBI) are quietly shaping cyber accumulation.

MSPs are, in effect, outsourced IT departments. They manage networks, backups, remote access and helpdesk functions for dozens, sometimes hundreds, of clients. As Jason Kotler (pictured right) of CyberSteward put it, compromise an MSP and you effectively grab the “octopus”: one set of admin credentials, many “tentacles” into client environments. From an insurance standpoint, that creates two distinct exposures. On one side are first‑party and CBI losses for the MSP’s clients when they lose access to critical systems or data. On the other is the MSP’s own downstream liability, as customers and their insurers look to it for indemnity.

Cyber and tech E&O policies are designed to pick up those pieces. In practice, how much ultimately flows back onto the MSP – and by extension its insurers – depends heavily on a few often‑overlooked contractual levers.

David Mackenzie (pictured centre-right), a senior coverage lawyer at Blaney McMurtry, sees those levers up close. He noted that MSP contracts almost always contain some form of limitation of liability clause. Typical formulations cap the MSP’s liability at three months of fees, or at a year of fees. For a primary cyber or tech E&O carrier, that can look reassuring. If an MSP is billing five to ten thousand dollars a month, a cap at three or twelve months’ fees suggests the worst‑case single‑client exposure might be in the tens of thousands, even in a serious outage.

The detail matters. Those caps may be negotiated away for larger, more sophisticated customers. In some contracts, but not others, they are drafted to exclude certain heads of loss, for example lost profits or consequential loss. They may also be tied to specific services as they were defined years ago and never updated as the MSP adds new functions. Mackenzie said that in many cases, the contract on file is three years old and no longer reflects what the MSP actually does. From a subrogation standpoint, that can be fatal: if the service that failed was not part of the signed scope of work, the neat liability cap may not apply to the loss that actually occurred.

More troubling for insurers is a clause Mackenzie has seen in some larger‑client contracts: an express exception to the cap where insurance is available. In effect, the wording says that the MSP’s liability is capped at a certain multiple of fees unless there is insurance money, in which case the claimant can access the insurance. In simple terms, if there is no insurance, the MSP only ever owes a small, capped amount. If there is insurance, the real limit becomes whatever sits in the MSP’s cyber or tech E&O tower.

From an accumulation perspective, that transforms the carrier’s position. What looked like a portfolio of nicely capped liabilities suddenly becomes a set of contracts that explicitly point claimants at the insurance tower in exactly the scenarios you worry about most: large, multi‑party failures. Those carve‑outs are more likely to appear in heavily negotiated big‑client agreements, which are precisely where the quantum of business interruption and data loss can be highest.

On paper, MSP incidents look like prime subrogation opportunities. In reality, Mackenzie said, many never pass basic economic and legal tests. Before pursuing an MSP, coverage counsel will look at whether there is any realistic prospect of getting around the liability cap, and whether any gross negligence standard lifts that cap in a way that is worth arguing about in court. They will examine how the policy’s order of payments and the insured’s retention interact with any potential recovery: if a large chunk of the first dollars back must go to the insured to refill its retention, the economics for the carrier worsen quickly. They will assess how much limit the MSP actually bought and how many other claimants are already drawing on the same tower. If an MSP has more than a hundred affected customers and a five‑million‑dollar limit, there may not be much money left for anyone once the dust settles.

In that context, even a strong liability theory may not justify the cost and distraction of a fight. The result is that in many systemic MSP events, the subrogation potential is largely illusory. The combination of contractual caps, gross negligence thresholds, stacked claims and limited tower capacity often means carriers wear the loss and move on.

For Justin Sheldon (pictured centre-left) of Mosaic Insurance, this all flows straight back into underwriting. When you write an MSP, you are not just insuring its own first‑party risk; you are insuring its role in a long liability chain. He treats MSP contracts as a key control. Strong limitation‑of‑liability wording tied to fees paid, clear exclusions of open‑ended lost profits and consequential loss, and well‑drafted priority of payment provisions do not eliminate the risk, especially if services have evolved without updated contracts, but they give claims something concrete to lean on in negotiations and potential subrogation.

The same logic applies when you are writing the MSP’s customers. Eugene Ng (pictured centre) of MNP urged organisations to “read what’s included in your MSP” in the same way they are told to read their cyber policy. If your entire operation depends on a third party’s tools and admin access, the MSP agreement is a risk‑management tool, not just a procurement form.
