
When the MSP Is the Target: How Ransomware Groups Hunt IT Providers and What Your Cyber Policy Actually Covers


By Ryan Windt | Head of Growth Marketing | Updated May 2026


For years, the conventional ransomware narrative positioned MSPs as collateral damage. A client gets hit, the MSP gets pulled into the response, maybe a lawsuit follows. That framing was always incomplete, and by 2025 and into 2026, it stopped being accurate at all.

Ransomware groups like Qilin and Akira are not stumbling into MSP environments. They are targeting them deliberately. Understanding why changes how you think about your coverage, and specifically, it forces a harder look at which coverage responds when the MSP’s own infrastructure is the entry point rather than a downstream client network.


Why Ransomware Groups Hunt MSPs on Purpose

The logic is straightforward once you see it. An MSP holds privileged access to dozens, sometimes hundreds, of client environments simultaneously. A single compromise of your remote monitoring and management (RMM) platform, your professional services automation (PSA) tool, or your management console does not produce one victim. It produces a portfolio of victims.

This is what underwriters call aggregation risk, and it is exactly why sophisticated ransomware operations have shifted their targeting models to include MSPs as high-value entry points rather than generic SMB targets.

Qilin, which claimed more ransomware victims globally than any other group in 2025, has specifically been documented conducting targeted spearphishing campaigns against MSP administrators, including ScreenConnect admin compromise leading to downstream customer attacks across multiple client environments from a single intrusion. Akira, which ranks second globally in 2026 activity and has collected an estimated $244 million in ransom proceeds, explicitly lists IT and MSP environments among its primary sectors and has deployed cascading compromise strategies designed to move from a managed services environment into client infrastructure.

Neither group is choosing MSPs because MSPs are soft targets. They are choosing MSPs because MSPs are multipliers.

The Three Reasons MSPs Are Valuable as Entry Points

Access breadth. Your management plane touches every client you manage. A threat actor who compromises your RMM does not need to find 40 separate entry points into 40 client networks. They already have one.

Credential value. MSP environments hold elevated credentials, API keys, and service accounts that grant persistent access to client systems. These are worth far more on the dark web and in extortion negotiations than typical end-user credentials.

Defense complexity. MSPs are often managing security for clients while running leaner internal security operations themselves. The cobbler’s-children problem is real, and ransomware groups know it. Your internal IT environment may not receive the same scrutiny you apply to client environments.


Two Incidents, Two Very Different Coverage Questions

When a ransomware group targets an MSP, the incident can unfold in two distinct ways, and the coverage questions that follow are genuinely different.

Scenario One: The MSP’s Own Infrastructure Is Compromised

In this scenario, the ransomware group attacks the MSP directly. Your RMM is exploited. Your internal systems are encrypted or your data is exfiltrated. Your business operations are disrupted.

This is a first-party incident. Your own cyber policy’s first-party coverages respond here:

Business interruption covers your lost revenue while your systems are down and the reasonable costs of getting operations restored. For an MSP, this matters more than it might for other businesses because your revenue is directly tied to your ability to deliver services. If you cannot access client environments, you cannot bill.

Cyber extortion covers ransom demand response, including the costs of negotiating with the threat actor and, depending on your policy, the ransom payment itself. Note that sublimits here are common. A $1 million policy with a $250,000 cyber extortion sublimit will not pay more than $250,000 toward a ransom, regardless of the demand. This is worth verifying explicitly in your policy before you need it.

Incident response costs cover the forensic investigation, breach counsel engagement, and notification costs tied to your own breach. If your clients’ data was stored in your systems and was exposed in the attack, you have notification obligations and potential regulatory exposure that your policy’s first-party response costs should address.

System restoration covers reasonable costs to restore or replace affected systems and data. For MSPs running complex management infrastructure, these costs can be significant.

What does not automatically respond here: your clients’ losses. If the attack on your infrastructure causes downstream damage in client environments, that flows through a different coverage, discussed below.

Scenario Two: A Client Is Hit Through Your Infrastructure

In this scenario, the attack enters through your environment and moves laterally into client systems. The client suffers the encryption event, the data loss, the business interruption. The MSP’s own systems may be largely intact.

This is where your policy’s liability structure matters, and where MSPs with generic commercial cyber policies most commonly discover gaps.

Technology errors and omissions (Tech E&O) is the primary coverage layer for client claims arising from professional failures. If a client argues that your failure to properly segment your RMM environment, maintain patched management tools, or enforce privileged access controls allowed the attack to reach their systems, that is a Tech E&O claim. The argument does not need to be valid for it to generate significant defense costs and potential indemnification exposure.

Third-party cyber liability responds to claims from clients whose data or systems were affected by a security incident connected to your services. This is distinct from Tech E&O in that it addresses the security failure itself rather than the professional services failure. In practice, client claims often trigger both simultaneously, which is why MSP-specific coverage structures the two together rather than treating them as separate purchasing decisions.

Your MSA determines your exposure floor. Most managed services agreements contain provisions that define who bears responsibility for specific failure modes. Some MSAs include indemnification clauses that effectively make the MSP liable for client losses arising from the MSP’s systems. Others contain liability caps or disclaimers. What your MSA says determines whether a client lawsuit has teeth. What your policy says determines whether your insurer has your back when it does.


The Coverage Gap That Trips MSPs Up

The single most common coverage problem for MSPs in this type of incident is buying cyber insurance that was designed for a business that owns its own network rather than one that manages dozens of others.

A standard commercial cyber policy covers breaches of the policyholder’s own systems, notification costs for the policyholder’s own customers, and liability claims from the policyholder’s own clients in limited circumstances. It was not written for environments where one compromised credential can cascade across an entire book of business.

The specific gaps that show up at claim time:

Aggregation risk is not addressed. When multiple clients suffer losses in a single incident that originated in your environment, you may be looking at multiple separate claims, each triggering its own retention and hitting the same shared limit. A policy that does not account for this structure can exhaust quickly.

Tech E&O coordination is assumed, not guaranteed. Some carriers split cyber and Tech E&O between two separate policy forms with separate retentions and separate limits. When a single incident triggers both, you are paying two retentions and potentially working with two separate claims teams. Policies structured to coordinate across both coverages produce materially better outcomes.

Client-specific notification obligations may not be covered. If you hold client data and a breach triggers notification requirements under state laws or contractual obligations, your first-party notification coverage needs to extend to that exposure. Some policies limit notification coverage to the policyholder’s own customers in a narrow sense that may not capture MSP client relationships.

For a full breakdown of what MSP-specific coverage looks like and how underwriters evaluate MSP submissions, see our guide to cyber insurance for MSPs.


What Underwriters Are Looking for After These Incidents

The rise in targeted MSP attacks has changed how carriers approach MSP underwriting. If you are renewing in the current market or shopping for the first time, expect scrutiny in areas that were more loosely evaluated two or three years ago.

RMM hardening. Carriers want to know whether your RMM platform is properly hardened: MFA enforced on every admin and technician login, not just on the console owner; API keys rotated regularly and scoped to what each integration actually needs; session recording and audit logging enabled, with the logs shipped somewhere an intruder with RMM admin rights cannot clear; and privileged access controls implemented. Qilin’s specific use of ScreenConnect admin compromise as an initial access vector means this is not an abstract question for underwriters evaluating MSP risk in 2026.

Client security posture distribution. Underwriters increasingly ask about the security maturity of your client base, not just your own controls. An MSP managing mostly low-maturity clients in industries with high breach rates carries more aggregation risk than one managing clients with strong security programs. How your clients are distributed across industries and security postures affects both your eligibility and your pricing.

MSA review. Some carriers are now requesting copies of MSA templates as part of underwriting. The indemnification language in your agreements affects your actual liability exposure, which in turn affects the carrier’s risk. MSAs with unlimited indemnification provisions are a red flag. MSAs with clear security responsibility definitions and reasonable liability caps improve your risk profile.

Network segmentation between client environments. Can a compromise in one client’s managed environment reach another? If your management infrastructure does not properly segment client networks, a single intrusion can become a multi-client incident. Carriers are asking about this directly. Be precise in how you answer it: network segmentation alone does not settle the question for an RMM, because the RMM is by design the one system that reaches every client. The control that matters at that layer is scoping, with technicians, service accounts and API keys granted rights only to the clients they actually support, so that one compromised identity cannot push to the whole portfolio.
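The failure mode the underwriting questions above are probing, one RMM identity pushing to many client environments at once, is also the most distinctive signal an MSP can alert on, and it is only available if the audit logging mentioned under RMM hardening is actually turned on and retained. The following is an added example, not code from the original article or from any RMM vendor: it reads a constructed, hypothetical RMM audit log (the field layout, the account names, the client names and the IP baseline are all invented for illustration) and raises an alert when one user touches an unusual number of distinct clients inside a short window, escalating the severity when that session began from a source IP outside the admin baseline.

```python
"""Multi-client fan-out detection over RMM audit events.

Added example; the log format, accounts, clients, IPs and thresholds below
are constructed for illustration and do not correspond to any real RMM.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical export layout: "<ts> <user> <src_ip> <action> <client>", '-' = no client.
# Constructed sample: a normal working day, then an after-hours login from an
# unfamiliar IP followed by a script push to six clients in about a minute.
SAMPLE_LOG = """\
2026-03-02T09:00:05Z admin.jsmith 203.0.113.7 login -
2026-03-02T09:03:10Z admin.jsmith 203.0.113.7 run_script client-acme
2026-03-02T09:41:00Z admin.jsmith 203.0.113.7 remote_session client-acme
2026-03-02T22:14:02Z admin.jsmith 198.51.100.23 login -
2026-03-02T22:15:30Z admin.jsmith 198.51.100.23 run_script client-acme
2026-03-02T22:15:41Z admin.jsmith 198.51.100.23 run_script client-bravo
2026-03-02T22:15:52Z admin.jsmith 198.51.100.23 run_script client-charlie
2026-03-02T22:16:03Z admin.jsmith 198.51.100.23 run_script client-delta
2026-03-02T22:16:15Z admin.jsmith 198.51.100.23 run_script client-echo
2026-03-02T22:16:27Z admin.jsmith 198.51.100.23 run_script client-foxtrot
2026-03-02T10:10:00Z tech.alee 203.0.113.9 remote_session client-bravo
2026-03-02T10:12:00Z tech.alee 203.0.113.9 remote_session client-charlie
"""

# Assumed tuning values; derive real ones from your own RMM traffic.
DEPLOY_ACTIONS = {"run_script", "push_package", "remote_session"}
FANOUT_WINDOW = timedelta(minutes=15)
FANOUT_THRESHOLD = 5  # distinct clients touched by one user inside the window
# Constructed baseline of source IPs admins normally log in from.
KNOWN_ADMIN_IPS = {"203.0.113.7", "203.0.113.9"}


def parse_events(text):
    """Parse the hypothetical log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, action, client = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src_ip": src_ip, "action": action,
            "client": None if client == "-" else client,
        })
    # Exports are rarely in order; the sliding window below needs sorted input.
    events.sort(key=lambda e: e["ts"])
    return events


def detect_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD,
                  known_ips=KNOWN_ADMIN_IPS):
    """Return alerts for unbaselined logins and per-user multi-client fan-out."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, client) deploy events
    session_ip = {}               # user -> src_ip of the most recent login seen
    suppressed_until = {}         # user -> mute further fan-out alerts before this ts

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["action"] == "login":
            session_ip[user] = e["src_ip"]
            if e["src_ip"] not in known_ips:
                alerts.append({"rule": "login_from_unbaselined_ip", "severity": "medium",
                               "user": user, "ts": ts, "src_ip": e["src_ip"]})
            continue
        if e["action"] not in DEPLOY_ACTIONS or e["client"] is None:
            continue

        dq = recent[user]
        dq.append((ts, e["client"]))
        while dq and ts - dq[0][0] > window:   # drop events older than the window
            dq.popleft()
        touched = {c for _, c in dq}
        if len(touched) < threshold:
            continue
        if user in suppressed_until and ts < suppressed_until[user]:
            continue  # already raised for this burst
        suppressed_until[user] = ts + window
        # No recorded login counts as unbaselined: we cannot vouch for the session.
        from_new_ip = session_ip.get(user) not in known_ips
        alerts.append({
            "rule": "multi_client_fanout",
            "severity": "critical" if from_new_ip else "high",
            "user": user, "ts": ts, "src_ip": e["src_ip"],
            "clients": sorted(touched), "from_unbaselined_ip": from_new_ip,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_events(SAMPLE_LOG)):
        print(a)
```

Run against the constructed sample, the daytime work by both accounts stays quiet, the 22:14 login from 198.51.100.23 produces a medium alert on its own, and the push to the fifth distinct client at 22:16:15 produces one critical fan-out alert that lists the clients already touched; the sixth client does not fire a duplicate because the burst is muted for the length of the window. The threshold is deliberately a count of distinct clients rather than a count of actions, because legitimate technicians run many actions against one client all day, while a ransomware operator with your RMM credentials wants breadth.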

For more on what the underwriting process looks like in detail, see what underwriters look for on a cyber insurance application and how underwriters evaluate an MSP’s client base.


Limit Sizing When Aggregation Risk Is Real

One of the practical consequences of targeted MSP attacks is that limit selection requires a different calculation than it does for most businesses.

For a single-location business, the relevant question is: what would a bad incident cost, accounting for forensic response, notification, business interruption, and potential liability? That calculation anchors to the business’s own operations and customer base.

For an MSP, the relevant calculation includes the aggregate exposure across your client portfolio. If you manage 60 clients and a single incident in your environment reaches 15 of them, your exposure is not just your own loss, it includes your potential liability to those 15 clients, each of whom may have suffered business interruption, data loss, and notification costs of their own.

This is why MSP limits need to be calibrated to client portfolio exposure, not just the MSP’s own revenue. A $1 million limit that would be appropriate for a standalone professional services firm may be materially inadequate for an MSP with $8 million in annual client billings managing environments that include healthcare practices, financial services firms, and government contractors.

For a framework on how to think through limit selection, see how much cyber insurance do I need.


The Incident Response Panel Question

One coverage feature that matters more for MSPs than for most other buyers is the quality of the carrier’s incident response panel and, specifically, whether the panel has experience responding to MSP-level incidents.

When an attack enters through an MSP’s infrastructure and affects multiple client environments simultaneously, the response is more complex than a single-organization incident. The forensic team needs to understand how the MSP’s management plane works, how lateral movement through an RMM differs from lateral movement through a standard enterprise network, and how to triage and contain across multiple client environments at once.

Carriers whose IR panels have deep MSP experience can execute this response more effectively than those whose panel primarily works enterprise or single-tenant incidents. Ask specifically about this when evaluating coverage options. It is a meaningful differentiator that does not show up in policy language.


Pre-Breach Services and What They Cover

Most MSP-focused cyber policies include pre-breach or risk mitigation services that are available before any incident occurs. These are worth using, not just holding in reserve.

Common pre-breach services include access to security consultants who can review your RMM hardening and segmentation practices, tabletop exercise facilitation for your team to rehearse incident response scenarios, phishing simulation tools and security awareness training access, and dark web monitoring that flags compromised credentials associated with your domain before they are weaponized.

For MSPs dealing with the specific threat profile that Qilin and Akira represent, the pre-breach services most directly relevant are credential monitoring and privileged access review. The initial access vectors these groups use most commonly involve compromised admin credentials and unpatched internet-facing edge devices such as VPN appliances. Monitoring for credential exposure and hardening administrative access are the highest-leverage controls for reducing the likelihood that your environment becomes their entry point.


Frequently Asked Questions

If my RMM is compromised and clients are hit downstream, does my cyber policy cover client losses?

Your first-party cyber coverage does not automatically cover your clients’ losses. Client losses flow through your third-party liability coverage and your Tech E&O coverage, depending on how the claim is framed. If a client sues you arguing your failure to maintain a secure management environment caused their losses, that is a Tech E&O claim. If a client’s data was exposed through your systems, that may also trigger third-party cyber liability. This is why MSP policies need both coverages coordinated in the same structure, not purchased separately with gaps between them.

Does cyber insurance cover a ransomware payment if my business is the one encrypted?

Yes, in most cases, if your policy includes cyber extortion coverage. The practical issue for MSPs is sublimits: many policies cap the extortion coverage at a fraction of the total limit. You need to confirm the sublimit specifically and assess whether it is adequate given your revenue and the ransom demand history for groups targeting your size of organization.

What if the attack came through a vendor or tool I use, not something I directly controlled?

This is the supply chain question, and it matters for MSPs who rely on third-party RMM, backup, or security tools that are themselves compromised. Your policy’s coverage of losses arising from vendor compromise depends on how the policy defines the insured event. Some policies cover losses arising from a third-party security failure; others require that the breach involve your own systems. This is worth reviewing carefully, especially given how common software supply chain attacks against MSP tooling have become. For more on this topic, see does cyber insurance cover supply chain attacks.

Will my carrier try to deny a claim if the attack exploited a known vulnerability I had not patched?

Potentially. Carriers can assert a coverage defense if the application represented certain security controls as in place and the investigation reveals they were not, or if a known vulnerability with an available patch was left unaddressed for an extended period. This is not guaranteed, and outcomes depend on specific policy language and the facts of the incident. The more defensible position is to document your patching practices, track remediation timelines, and be accurate on your application about control maturity. Misrepresentation on the application is a more significant coverage risk than a missed patch alone.

Should MSPs require clients to carry their own cyber insurance?

Yes, and for reasons that go beyond contract protection. An uninsured client who suffers a breach is a client who cannot fund their own incident response. When a client cannot pay for forensic investigation and notification costs, pressure often turns back to the MSP to fill the gap, either contractually or reputationally. Clients with their own cyber coverage engage their own carrier’s IR resources and are better positioned to absorb their own losses, which reduces the downstream exposure that lands in the MSP’s lap. For more on how to think about this as a practice, see embedding cyber insurance into MSP services.



If you manage client networks and want to make sure your coverage is structured for the way MSP incidents actually unfold, we can help. Talk to a specialist at SeedPod Cyber.
