Cyber Insurance Pitfalls for MSPs
In this article, you will learn:
- Why cyber insurance litigation is increasingly implicating MSPs
- Three common cyber insurance pitfalls for MSPs that can derail coverage
- How courts distinguish between fraud transfer coverage types
- Why insurer subrogation is emerging as a serious MSP risk
For much of the managed services industry, insurance has felt like someone else’s problem. MSPs focused on uptime, security tooling, and service delivery. Meanwhile, cyber insurance lived in the background, handled by brokers, carriers, and clients.
That separation no longer exists.
In 2013, at Georgetown Law’s cybersecurity continuing legal education program, lawyers, technologists, defense contractors, and federal officials debated emerging cyber risks. Cyber insurance was a hallway topic more than a mature product. According to Center for Internet Security Chief Evangelist Tony Sager, zero-day exploits do not follow actuarial tables the way human lifespans do. Insuring “unknown unknowns” would be fundamentally different.
More than a decade later, courts and lawmakers are now answering those questions in real disputes. Increasingly, the answers place MSPs in the middle of coverage denials, litigation, and insurer subrogation actions.
3 Top Traps MSPs Should Watch
Below are three cyber insurance pitfalls for MSPs. These are lessons drawn from recent litigation.
1. Application Inaccuracies Can Void Coverage Entirely
Cyber insurance applications are not paperwork exercises. Courts routinely treat them as material representations that go to the heart of risk transfer.
In Travelers v. International Control Services, the insured represented on its application that multi-factor authentication (MFA) was deployed. However, MFA was enabled only at the firewall, not across all systems, as the application required. After a ransomware attack, Travelers denied coverage. The court agreed, rescinding the $1 million policy as if it never existed.
For MSPs, the lesson is clear. Even when MSPs do not complete insurance applications, their work underpins application representations. During claims investigations, insurers routinely examine MSP tickets, configurations, logs, onboarding documents, and assessments to validate underwriting answers.
A denied claim can quickly cascade into client dissatisfaction, negligence allegations, or insurer subrogation. MSPs should assume anything supporting an insurance representation may later become evidence.
2. Social Engineering Fraud ≠ Funds Transfer Fraud
Few cyber insurance issues generate more litigation than business email compromise and payment fraud. Insurers intentionally separate these losses into distinct coverage categories with different triggers, limits, and exclusions.
- Funds transfer fraud coverage typically requires unauthorized system access that directly causes a fraudulent transfer.
- Social engineering fraud applies when an authorized employee initiates a payment in good-faith reliance on fraudulent instructions. Typically, it’s subject to much lower sublimits and stricter conditions.
For MSPs, this distinction matters. Employee-initiated payments triggered by phishing frequently fall outside broader fraud coverage. Clients often assume “fraud is fraud.” Courts do not agree.
In Abraham Linc Corp. v. Spinnaker Insurance Co., hackers compromised a vendor’s email account and induced employees to authorize fraudulent ACH transfers. The insured sought recovery under a $2 million computer and funds transfer fraud endorsement.
Because authorized employees initiated the payments acting in good faith, the court found the loss fell under the social engineering endorsement, capped at $100,000. Courts generally maintain this structure and refuse to recharacterize employee-authorized payments to access higher coverage limits.
Payee-side Social Engineering: A Hidden Risk
MSPs should also recognize that social engineering risk exists not only for the payor, but also for the payee. Losses arise when an insured’s customer is tricked into paying the wrong party, leading to lost revenue, contractual disputes, and coverage litigation, even though no funds ever leave the insured’s account.
MSPs should urge clients to establish clear, documented procedures for both sending and receiving payments, including out-of-band verification for changes to banking instructions. Courts routinely examine whether payment change controls were in place. When they are not, coverage disputes and insurer subrogation claims often follow.
MSP Action Items
Application Risk Management
- Treat cyber insurance applications as legal representations, not administrative paperwork.
- Ensure application answers reflect controls deployed, not roadmap intentions.
- Retain dated documentation proving when security controls were implemented and maintained (e.g., MFA enforcement, backups, monitoring, and patching).
- Coordinate with clients before renewals to confirm nothing has drifted since last attestation.
Social Engineering Fraud Controls
- Review client declaration pages for social engineering sublimits. Ensure that clients and their staff understand terms and the cap.
- Implement mandatory out-of-band verification for any payment instruction changes.
- Require dual authorization for wire and ACH transfers.
- Train clients on procedural controls (verification, approvals), not just phishing detection.
- Address both payor and payee-side social engineering fraud in client policies and controls.
- Document payment workflows as insurer-aligned controls.
Subrogation Exposure Mitigation
- Align MSP contracts with insurance requirements. They should include clear scopes of responsibility, reasonable limitations of liability, and defined notification and escalation duties.
- Review client contracts for waivers of subrogation where permissible and clear mutual indemnification.
- Assume insurer scrutiny after any significant loss and operate accordingly.
- Evaluate and consider purchasing Tech E&O coverage. Make sure it is adequate for cyber-driven claims.
- Treat MFA enforcement, back-up restoration, alert escalation, and incident notification as litigation-exposed functions, not just technical tasks.
3. Subrogation Is No Longer Theoretical
Perhaps the most concerning trend for MSPs is the rise of cyber insurance subrogation. Once an insurer pays a claim, it may pursue third parties that allegedly contributed to the loss. In the cyber context, MSPs, MSSPs, and vendors are increasingly viewed as recovery targets.
Early cases signaled insurer commitment to recovering losses. In Travelers v. Blackbaud, Inc., insurers sought recovery after a 2020 ransomware attack affecting hundreds of nonprofits. Although the insurers lost in April 2025 due to contractual limitations and pleading defects, the case demonstrated carriers’ willingness to pursue technology providers.
In Ace American Insurance Co. v. Accellion, Inc., insurers claimed a software provider was negligent in handling a security vulnerability in its online file-transfer service. This allegedly led to a ransomware attack on a Boston law firm.
The case was settled, but it highlights insurers focusing recovery on failed patching, notification, and monitoring. All of these are key services provided by MSPs.
Direct Exposure: Congruity 360 and Trustwave
Filed in September 2025, Ace American Insurance Co. v. Congruity 360, LLC and Trustwave Holdings, Inc. squarely targets an IT provider and an MSSP following a ransomware incident at CoWorx Staffing Services. Ace paid approximately $500,000 under CoWorx’s cyber policy and then invoked subrogation rights against its service providers. Ace alleged that Congruity 360 failed to properly enforce MFA and secure servers, while Trustwave failed to timely detect and escalate suspicious activity.
Unlike earlier cases against software vendors, this action directly targeted outsourced IT and security providers for core MSP responsibilities including MFA enforcement, server hardening, monitoring, and incident escalation. Those same controls are routinely referenced in underwriting applications.
Subrogation increasingly converts MSP operational decisions into legal exposure. In many cases, MSP Tech E&O coverage becomes the primary defense.
Final Takeaway for MSPs
Cyber insurance litigation is not abstract or limited to large enterprises. Courts are shaping standards that directly affect MSP operations, documentation, and risk posture. MSPs must understand these pitfalls and proactively align technical and process controls, documentation, and client communication. Doing so can reduce exposure, and it can also position MSPs as trusted advisors in an increasingly insurance-driven cybersecurity landscape.
FAQs
Q: Can an MSP be liable even if the client’s cyber insurance denies coverage?
Yes. Coverage denial can increase the likelihood of client disputes, including breach of contract or negligence claims.
Q: Does Tech E&O cover ransomware events?
Tech E&O typically covers cost of defense and liability for third-party claims alleging professional service failures or negligence (e.g., malpractice), not the ransomware loss itself.
Q: Are vendor warranties a substitute for cyber insurance?
No. Vendor warranties are marketing and sales techniques for assuring the quality of a product or service, not substitutes for cyber insurance. Vendor warranties are limited, one-size-fits-all, unregulated, cancellable, and may exclude incidents and losses covered by insurance.
Q: Should MSPs help clients with insurance applications?
Maybe. Failure to assist could lead to gross inaccuracies, but any assistance should be provided carefully. Document and retain supporting details for applications and renewals, and ensure they are completed accurately based on the facts at the time, not on future services, controls, or projects.
Q: Who can be held liable in a cyber subrogation claim?
Common targets for subrogation claims include cloud vendors, MSPs, MSSPs, cybersecurity consultants, and software vendors whose negligence or breach of contract caused or worsened the incident.
Q: Can contracts reduce the risk of subrogation?
Maybe. Enforceable contracts with effective limits of liability and a waiver of subrogation may reduce the risk of subrogation but will not eliminate the risk entirely. Even with effective contractual defenses, the litigation cost of defense can be high.
Q: Is subrogation always successful?
No. Successful subrogation must overcome several challenges including attribution, contractual defenses, and financial viability. Subrogation claims may be abandoned once viability is exhausted. Even unsuccessful subrogation can impose significant costs on targeted firms.
Q: Can an MSP’s internal documentation be subpoenaed in a cyber insurance dispute?
Yes. Insurers can seek tickets, logs, on-boarding checklists, and configuration records during coverage disputes or subrogation investigations, including to verify underwriting assumptions and application details.
Q: Does a client’s waiver of subrogation automatically protect an MSP?
Not necessarily. Waivers must align with the client’s insurance policy language, and some policies restrict or override contractual waivers.
Q: Can social engineering losses ever qualify as funds transfer fraud?
Rarely. Courts generally require unauthorized system access to trigger funds transfer fraud coverage.
Q: Do insurers look at MSP contracts after paying a claim?
Almost always. Contracts, SLAs, and scopes of work are central to subrogation analysis.
Ben Yarbrough, CEO of Calyptix Security Corp., has 30-plus years of industry experience spanning law, cybersecurity, and managed services. He leads the development of Community Shield® Plus, a comprehensive MxDR platform incorporating Calyptix’s flagship all-in-one firewall, AccessEnforcer®, with SentinelOne delivered in partnership with OpenText.