By Ryan Windt | Head of Growth Marketing | Updated May 2026
When an MSP applies for cyber liability insurance, underwriters are not just evaluating the MSP’s own security controls. They are evaluating the entire client base the MSP manages. For a full overview of MSP cyber insurance including pricing and what your own policy should cover, see cyber insurance for MSPs. The industries your clients are in, the size and number of clients you serve, how their environments are configured, and how much revenue is concentrated in any single client all factor into how underwriters assess your risk, set your premium, and in some cases decide whether to quote at all.
Most MSPs focus their renewal preparation on their own stack: MFA, EDR, backups, PAM. Those controls matter. But an MSP with a strong internal security posture and a problematic client base can still face difficult underwriting, higher premiums, or coverage restrictions. Understanding what underwriters look for in your client portfolio is just as important as knowing what they look for in your own environment.
Why the Client Base Matters to Underwriters
MSP cyber insurance is underwritten differently from standard business cyber insurance because the exposure profile is fundamentally different.
A typical business has one environment to secure. An MSP is responsible for dozens or hundreds of client environments simultaneously. When an underwriter evaluates an MSP, they are implicitly underwriting every client on that MSP’s book. A breach of the MSP’s RMM or management tools does not produce one claim. It can produce simultaneous claims across the entire client base, with the MSP at the center of each one.
This is what carriers mean when they refer to aggregation risk. The potential for a single event to generate correlated losses across multiple clients is the defining characteristic of MSP underwriting, and it is why carriers scrutinize the client base rather than just the MSP’s own controls.
The client base questions on an MSP cyber application are not box-checking exercises. They are the underwriter’s primary tool for estimating how bad a worst-case scenario could get. For guidance on which carriers and programs are best equipped to handle MSP risk, see best cyber insurance for MSPs.
Client Industry Vertical Mix
The industries your clients operate in directly affect your risk profile in the eyes of underwriters. Some verticals carry materially higher risk than others, and an MSP with heavy concentration in high-risk industries will face higher premiums and closer scrutiny than one with a diversified or lower-risk book.
High-scrutiny verticals:
Healthcare clients are the most closely evaluated. Protected health information is the most targeted data category in cybercrime, HIPAA creates regulatory exposure that extends to business associates, and ransomware attacks on healthcare have hit record frequency and severity. An MSP managing multiple healthcare practices or medical groups carries significantly more regulatory and liability exposure than one managing retail or professional services clients.
Financial services clients, including accounting firms, wealth management practices, credit unions, and insurance agencies, carry elevated data sensitivity and regulatory exposure under GLBA and state financial privacy laws. These clients are frequent targets for business email compromise and wire fraud, and an MSP that manages their email and banking system access is implicated in those incidents.
Legal firms present a similar profile. Client confidentiality obligations, large wire transfers, and sensitive transactional data make law firms high-value targets. MSPs managing law firm environments inherit that exposure profile.
What underwriters want to know:
Most MSP applications ask what percentage of your revenue comes from healthcare, financial services, and legal clients. Applications for larger MSPs may ask for a breakdown of managed client count and revenue by vertical. Being able to answer these questions accurately and document your client mix in advance of the application puts you in a stronger position than an MSP that has to estimate.
Revenue Concentration
Underwriters evaluate how your revenue is distributed across your client base because concentration risk affects the severity of a potential loss.
An MSP with 200 clients where no single client represents more than 2% of revenue has a very different risk profile from one with 30 clients where three accounts represent 60% of revenue. In the first scenario, the loss of any single client relationship is manageable. In the second, a major incident involving a large client creates simultaneous financial and liability exposure that could be existential.
Carriers typically ask what percentage of revenue comes from your largest single client and from your top five clients combined. Concentration above 20% in a single client, or above 50% in five clients, is a flag that may result in additional questions, sublimits on specific coverage components, or higher premiums.
If your book is concentrated, the underwriting conversation shifts toward: what is that client’s industry, what data do they hold, how well is their environment secured, and what contractual obligations does your MSA create if their environment is compromised.
Client Security Posture
Underwriters increasingly want to know not just what controls the MSP has deployed on its own infrastructure but what controls are in place across the client base. An MSP that has enforced MFA and EDR in its own environment but manages 40 clients without those controls on their endpoints is carrying risk that the MSP’s own security posture does not capture.
The questions underwriters ask in this area typically include:
What percentage of your managed clients have MFA enforced on email and remote access? An MSP that can demonstrate near-universal MFA enforcement across its client base is a meaningfully better risk than one where client MFA adoption is partial or optional. Carriers know that unprotected client accounts are a common initial access point in MSP-focused attacks.
What percentage of managed endpoints have EDR deployed? Coverage gaps in the client environment (workstations running legacy antivirus, unmanaged personal devices, endpoints that fall outside the MSP’s managed scope) are all potential entry points that an attacker can use to pivot into the broader MSP-managed environment.
What is your process for clients who do not meet minimum security standards? Underwriters view favorably an MSP that has a documented policy for handling clients who refuse security recommendations. An MSP that can show it has offboarded clients who refused to implement required controls, or that has a contractual mechanism for limiting its liability when clients decline security recommendations, demonstrates that it manages its own risk exposure actively rather than passively.
For a full breakdown of the controls underwriters require from MSPs directly, see our guide to what underwriters look for in a cyber insurance application.
Managed Client Count and Growth Rate
The number of clients you manage, and how quickly that number is growing, affects how underwriters model your aggregation exposure.
An MSP managing 15 clients has a contained blast radius in a worst-case scenario. An MSP managing 300 clients has a potential claim that could involve hundreds of simultaneous breach notifications, regulatory investigations, and client lawsuits. The premium and coverage terms reflect that difference.
Rapid growth also gets attention. An MSP that doubled its client count in the past 12 months may have outgrown the controls and processes that were adequate for a smaller book. Underwriters are aware that growth periods are when security gaps tend to appear, and they factor that into their assessment.
What helps in this context: being able to demonstrate that your onboarding process includes a security baseline assessment for new clients, that your RMM deployment is standardized and consistent across new and existing clients, and that your team capacity has scaled alongside client count.
MSA Language and Contractual Liability
Your managed services agreement is a significant underwriting factor because it defines the contractual obligations your MSP carries toward each client. Underwriters review MSA language because it determines how much of a client’s loss can flow back to you after an incident.
The three things that generate the most underwriting concern in MSA language:
Broad indemnification clauses. An MSA that requires you to indemnify a client against any security-related loss, regardless of whether the loss was caused by your actions, creates open-ended liability. Underwriters want to see indemnification scoped to your negligence within your defined scope of services, not to any security event that touches an environment you have access to.
Undefined scope of services. When the MSA does not clearly specify what systems, users, and platforms fall under your management, and what falls outside it, disputes about responsibility after an incident are almost guaranteed. Ambiguous scope language is one of the most common sources of Tech E&O and cyber claims against MSPs.
Unlimited or uncapped liability. Some MSAs, particularly those drafted by enterprise clients, include unlimited liability provisions or caps tied to annual contract value. An MSP that has accepted these terms has created an exposure that may exceed its policy limits on a single large client incident.
Underwriters are not asking MSPs to gut their contracts. They are looking for evidence that the MSP has thought through its contractual exposure and has language in place that reflects reasonable professional liability standards. For a deeper look at how MSA language interacts with cyber and Tech E&O coverage, see our post on embedding cyber insurance into MSP services.
RMM and Tooling Standardization
The tools your MSP uses to manage client environments, and how consistently they are deployed and hardened, are a direct underwriting input.
Underwriters ask which RMM and PSA platforms you use because certain platforms have been involved in high-profile MSP-focused attacks and carry known vulnerability histories. SolarWinds, Kaseya, and ConnectWise have all been subjects of major incidents that cascaded across MSP client bases. Carriers track this history and it informs how they evaluate MSPs running those tools.
More important than which tools you use is how you have hardened them. The questions underwriters ask include whether your RMM console requires MFA, whether admin access is restricted to named accounts with documented access controls, whether you have monitoring in place for unusual activity on the management plane, and whether your tooling is patched on a documented schedule.
An MSP that uses a well-known RMM platform but can demonstrate rigorous hardening and access controls is in a better position than one using a less common platform with no documented hardening process.
For a detailed breakdown of RMM hardening standards that carriers look for, see our post on MSP RMM hardening and cyber insurance.
What Prepares an MSP for a Strong Underwriting Outcome
The MSPs that get the best underwriting outcomes (clean approvals, competitive pricing, broad coverage terms) share a few common characteristics.
They know their client base before the application. They can answer questions about vertical mix, revenue concentration, client MFA adoption rates, and endpoint coverage without having to estimate. That preparation signals to underwriters that the MSP manages its book actively rather than reactively.
They have documented processes for client security. A written onboarding checklist that includes security baseline requirements, a policy for handling clients who decline recommended controls, and evidence that those processes are followed consistently all make the MSP easier to underwrite.
They have reviewed their MSA. An MSP that can confirm its indemnification language is scoped to negligence, its liability caps are reasonable, and its scope of services is clearly defined presents a meaningfully lower contractual risk than one that has not reviewed its agreements since they were first drafted.
They can evidence their own controls, not just attest to them. The difference between saying “we have MFA deployed” and producing a screenshot of your RMM showing MFA enforcement status across all managed clients is the difference between a carrier taking your word for it and having confidence in what you have represented.
Frequently Asked Questions
Do underwriters look at individual client environments during the application process? Not typically at the individual client level, but they do ask aggregate questions about your client base that require you to know your own book well. Some carriers use external scanning tools that can identify vulnerabilities visible from the internet across your client environments.
Does having healthcare clients automatically make my premium higher? Not automatically, but it is a material factor. An MSP with 10% of revenue from healthcare and strong controls for those clients will be evaluated differently than one with 60% healthcare concentration and inconsistent security enforcement across that segment.
What if some of my clients refuse to implement the controls underwriters require? Document it. A paper trail showing that you recommended MFA, the client declined, and you have contractual language limiting your liability for their decision is far better than silence. Some carriers will ask directly whether you have clients operating below your recommended security baseline and how you handle that situation.
How does client count affect my premium? More clients generally means higher premium because it means higher aggregation exposure. But the relationship is not linear. An MSP with 200 small SMB clients in low-risk industries may be a better risk than one with 50 clients in healthcare and financial services. Vertical mix, revenue concentration, and control enforcement matter as much as raw client count.
Work With a Broker Who Understands MSP Underwriting
MSP cyber insurance applications are more complex than standard commercial cyber applications, and the differences in how carriers evaluate client base composition, MSA language, and tooling can produce meaningfully different outcomes depending on how the submission is prepared.
SeedPod Cyber works specifically with MSPs and understands how underwriters evaluate the full picture of MSP risk, not just the controls checklist.