Cyber insurance: what it covers, what it doesn’t, and how to qualify

According to the 2026 Kaseya State of the MSP Report, 44% of MSPs report that at least 10% of their clients experienced a cyberattack in 2025. That figure is why cyber insurance has moved from optional to essential for most businesses and for every MSP serving them.

The market has gone through a dramatic cycle. Premiums rose 73% in 2021 and over 50% in 2022 as ransomware losses mounted. Competitive pressure then pushed rates down through 2023, 2024, and much of 2025. As of early 2026, that softening is stalling: analysts at WTW and S&P Global project premiums rising 15 to 20% over the next 12 months, driven by rising ransomware severity and reinsurance pressure. The global cyber insurance market reached approximately $16 billion in 2025 and is projected to exceed $23 billion by 2026.

The harder questions are not whether to carry cyber insurance, but what coverage to seek, how to qualify in a market where underwriters have become significantly more rigorous, and how to avoid the exclusions that leave organizations exposed at the moment they need the policy most. Kaseya’s platform supports MSPs in helping clients navigate exactly this, and this guide covers what every MSP and IT team needs to understand.

What cyber insurance covers

Cyber insurance policies vary significantly between insurers, but most comprehensive policies include coverage across several categories.

First-party costs are expenses the insured organization incurs directly as a result of an incident: forensic investigation and incident response services, data recovery and system restoration, business interruption losses during downtime, crisis communication and public relations, and legal counsel.

Third-party liability covers claims from customers, partners, or other parties whose data was compromised or whose systems were affected by a breach originating in the insured’s environment. This is particularly relevant for MSPs, whose environment compromise can cascade into client environments and create aggregate liability exposure.

Ransomware-related costs include incident response, ransom negotiation services, and in some policies and jurisdictions, the ransom payment itself where paying is legally permitted and operationally necessary. Note that ransomware payments have become legally complex: US OFAC sanctions apply to payments to certain threat actor groups, and legal counsel is essential before any payment decision.

Regulatory defense and penalties covers legal costs and settlements related to regulatory investigations following a breach. This is critical for organizations subject to HIPAA, PCI DSS, CCPA, or other frameworks with significant enforcement consequences.

Cyber extortion is broader than ransomware, covering threats to release data, DDoS extortion, and other pressure tactics short of full encryption events.

Social engineering and funds transfer fraud covers business email compromise (BEC) attacks that result in fraudulent wire transfers. This is not universally included and is often subject to specific sub-limits significantly lower than the main policy limit.

What cyber insurance doesn’t cover

Understanding exclusions is as important as understanding coverage. Over 40% of cyber insurance claims in 2026 result in no payout, and exclusions are the most common reason.

Pre-existing breaches. Incidents that began before the policy inception date are typically excluded. Many ransomware operators establish access weeks or months before deploying the payload, creating a significant coverage gap if the initial compromise predates the policy start date.

Known, unpatched vulnerabilities. Policies increasingly exclude incidents attributable to known vulnerabilities that the insured had reasonable grounds to patch. If a breach exploits a CVE that was publicly disclosed and patchable six months before the incident, coverage may be denied. This exclusion makes patch management a direct insurance obligation, not just a security best practice.

Nation-state attacks. War exclusions historically covered kinetic warfare. Lloyd’s of London updated its market requirements in 2023 to formally exclude losses from state-backed cyberattacks in many standalone policies. Organizations in critical infrastructure, financial services, and the defense supply chain face the greatest exposure from this gap. The language varies significantly between policies and merits careful legal review.

Non-malicious events. Cyber policies cover malicious events. Hardware failure, human error without malicious intent, and accidental data exposure typically fall under different coverage types such as errors and omissions.

Sub-limits. Many coverage categories have sub-limits significantly below the overall policy limit. Business interruption, social engineering, and cryptojacking are common sub-limited categories. A policy with a $5 million limit may have a $250,000 sub-limit for social engineering losses. Understanding sub-limits is essential for any realistic coverage assessment.

How underwriting has changed

Cyber insurance underwriting tightened dramatically between 2020 and 2022. The frequency and severity of ransomware incidents created significant insurer losses, which drove premium spikes, coverage reductions, and substantially more rigorous security requirements before coverage was issued.

The market softened from 2022 through 2025 as competitive pressure among insurers drove rates down and capacity increased. That softening did not loosen security requirements. Insurers who reduced premiums maintained or increased their control requirements, creating a market where coverage is more available but the bar for qualifying has not lowered.

As of 2026, underwriting scrutiny is intensifying again. Carriers are increasing their focus on evidence of control implementation rather than attestation. Third-party risk management programs are becoming a requirement, not a differentiator. Organizations that cannot demonstrate current, documented security posture are finding coverage unavailable or priced prohibitively.

The practical shift: organizations that would previously have qualified with a one-page attestation now face detailed security questionnaires, mandatory technical control requirements, and in some cases external security assessments before policies are bound. Insurers have become, in effect, a market-based forcing function for basic security hygiene.

What insurers now require

Most reputable cyber insurers require the following as baseline security controls before coverage is issued.

Multi-factor authentication on all remote access, email, and privileged accounts. The Change Healthcare breach in 2024, in which an unprotected Citrix portal without MFA was exploited and resulted in a $22 million ransom payment and $872 million in immediate response costs, has become the standard industry reference for why MFA is non-negotiable. Many insurers now ask specifically about MFA coverage on a per-application basis rather than accepting a blanket yes.

Endpoint detection and response (EDR) deployed across all endpoints, not just servers. Traditional antivirus is no longer sufficient for most policies. Some insurers now ask whether EDR is managed or unmanaged, with managed EDR (MDR) receiving better terms.

Privileged access management with MFA and just-in-time access controls on administrative accounts. The separation of day-to-day access from privileged access is increasingly a discrete underwriting question.

Patch management with a documented process and evidence of reasonable remediation timelines for critical vulnerabilities. Insurers are moving from asking whether patch management exists to asking for metrics: average time to patch critical CVEs, percentage of endpoints within patch policy.

Tested, isolated backups. Backups that exist but sit on the same network as production systems and are accessible to ransomware provide no recovery value and no insurance benefit. Insurers want evidence of network-isolated or offline backups, immutable storage, and documented recovery testing results. Backups that have never been tested are increasingly treated as no backup at all.

Security awareness training with documented delivery and in many cases phishing simulation results. Some insurers require evidence that training is delivered at least quarterly rather than annually.

Incident response plan with evidence of tabletop exercise testing. A documented plan that has never been exercised is weaker evidence than a tested plan with documented outcomes.
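The patch management and MFA requirements above are the two where insurers now ask for numbers rather than a yes/no answer. The following is an added example, not Kaseya’s code or any insurer’s scoring method: it takes a small constructed vulnerability inventory and application list and computes the evidence an underwriting questionnaire asks for (mean days to patch critical CVEs, the share of endpoints inside patch policy, the SLA breaches behind that number, and MFA coverage per application category). The 14-day SLA, the required-category set, the host names and the CVE identifiers are all assumed placeholders.

```python
"""Underwriting-evidence metrics over a constructed patch and MFA inventory.

Added example (not Kaseya's code). All data, the SLA and the MFA category
set are constructed assumptions; CVE ids are placeholders, not real CVEs.
"""
from datetime import date
from statistics import mean

CRITICAL_SLA_DAYS = 14          # assumed policy: critical CVEs patched within 14 days
AS_OF = date(2026, 2, 20)       # assumed reporting date for the questionnaire

# Constructed inventory: one row per (endpoint, CVE). "patched" is None when open.
VULNS = [
    {"host": "ws-01", "cve": "CVE-0000-0001", "severity": "critical",
     "disclosed": date(2026, 1, 5), "patched": date(2026, 1, 12)},
    {"host": "ws-01", "cve": "CVE-0000-0002", "severity": "high",
     "disclosed": date(2026, 1, 10), "patched": None},
    {"host": "ws-02", "cve": "CVE-0000-0001", "severity": "critical",
     "disclosed": date(2026, 1, 5), "patched": date(2026, 1, 30)},
    {"host": "srv-01", "cve": "CVE-0000-0003", "severity": "critical",
     "disclosed": date(2026, 2, 1), "patched": None},
    {"host": "srv-02", "cve": "CVE-0000-0003", "severity": "critical",
     "disclosed": date(2026, 2, 1), "patched": date(2026, 2, 3)},
]


def mean_time_to_patch_critical(vulns):
    """Mean days from public disclosure to patch, over critical CVEs already patched."""
    days = [(v["patched"] - v["disclosed"]).days
            for v in vulns if v["severity"] == "critical" and v["patched"]]
    return mean(days) if days else None


def sla_breaches(vulns, as_of=AS_OF, sla_days=CRITICAL_SLA_DAYS):
    """(host, cve) pairs where a critical CVE was, or still is, open longer than the SLA."""
    breaches = []
    for v in vulns:
        if v["severity"] != "critical":
            continue
        end = v["patched"] or as_of          # still open: measure up to the report date
        if (end - v["disclosed"]).days > sla_days:
            breaches.append((v["host"], v["cve"]))
    return sorted(breaches)


def endpoints_within_policy(vulns, as_of=AS_OF, sla_days=CRITICAL_SLA_DAYS):
    """Fraction of endpoints with no critical CVE currently open past the SLA,
    plus the list of endpoints that fail. A late-but-patched CVE counts as a
    historical breach (see sla_breaches) but not as an out-of-policy endpoint."""
    hosts = sorted({v["host"] for v in vulns})
    failing = sorted({v["host"] for v in vulns
                      if v["severity"] == "critical" and v["patched"] is None
                      and (as_of - v["disclosed"]).days > sla_days})
    return (len(hosts) - len(failing)) / len(hosts), failing


# Constructed application inventory. Insurers ask per application, not a blanket "yes".
MFA_REQUIRED_CATEGORIES = {"remote_access", "email", "privileged"}   # assumed
APPS = [
    {"name": "VPN gateway", "category": "remote_access", "mfa": True},
    {"name": "Remote desktop portal", "category": "remote_access", "mfa": False},
    {"name": "Hosted mailbox", "category": "email", "mfa": True},
    {"name": "Domain admin console", "category": "privileged", "mfa": True},
    {"name": "Intranet wiki", "category": "internal", "mfa": False},
]


def mfa_gaps(apps, required=MFA_REQUIRED_CATEGORIES):
    """Applications in an insurer-required category that still lack MFA."""
    return sorted(a["name"] for a in apps if a["category"] in required and not a["mfa"])


def mfa_coverage_by_category(apps):
    """Per-category fraction of applications with MFA enforced."""
    counts = {}
    for a in apps:
        total, on = counts.get(a["category"], (0, 0))
        counts[a["category"]] = (total + 1, on + int(a["mfa"]))
    return {c: on / total for c, (total, on) in counts.items()}


if __name__ == "__main__":
    # Print the figures in the form a questionnaire asks for them.
    print(f"Mean time to patch critical CVEs: {mean_time_to_patch_critical(VULNS):.1f} days")
    share, failing = endpoints_within_policy(VULNS)
    print(f"Endpoints within patch policy: {share:.0%} (failing: {failing})")
    print(f"SLA breaches: {sla_breaches(VULNS)}")
    print(f"MFA gaps in required categories: {mfa_gaps(APPS)}")
    for cat, frac in sorted(mfa_coverage_by_category(APPS).items()):
        print(f"  MFA coverage {cat}: {frac:.0%}")
```

The design choice worth noting is the split between `sla_breaches` and `endpoints_within_policy`: the first is the historical record (a CVE patched on day 25 against a 14-day SLA stays a breach forever), the second is the current-state figure an underwriter wants at the report date. Reporting only the second hides the first, which is exactly the kind of gap a post-incident claims review looks for.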

The security controls that drive coverage and premium

The relationship between security controls and insurance economics runs in both directions.

Organizations with strong, documented security controls qualify for broader coverage, higher limits, and lower premiums. The investment in security pays a measurable financial return in reduced insurance cost, in addition to the primary benefit of reduced incident risk.

Organizations with weak or undocumented controls face higher premiums, lower limits, more sub-limits, higher deductibles, and in some cases unavailable coverage. An MSP helping a client document their security posture for a renewal is not just providing a compliance service. They are directly improving that client’s insurance economics.

Claims history significantly affects renewal terms. An organization that has experienced a significant breach may face substantially changed coverage terms at renewal regardless of post-incident improvements. The 12 months following a significant claim are often the most expensive insurance period a business will face.

From an MSP perspective, helping clients achieve and document the security baseline that insurers require is both a service delivery value-add and a risk management function. It reduces the client’s insurance cost, reduces the MSP’s own liability exposure from client incidents, and strengthens the MSP’s advisory positioning.

Cyber insurance for MSPs

MSPs have two distinct cyber insurance considerations: internal coverage for their own operations, and a client advisory role in helping clients qualify and maintain coverage.

Internal coverage must reflect the unique risk profile of MSP operations. High-privilege access to multiple client environments creates a liability exposure that is fundamentally different from a single-organization IT function. An MSP breach can cascade into dozens of client environments simultaneously, creating aggregate third-party liability that a standard commercial cyber policy is unlikely to cover adequately. MSP cyber policies should include specific coverage for third-party client liability and limits commensurate with the aggregate value of the client portfolio.

The advisory opportunity is significant and growing. MSPs are increasingly asked to help clients document security controls for underwriting questionnaires, ensure that services delivered align with policy requirements, and advise on coverage adequacy. This is a natural extension of a managed security services offering, and it creates a revenue opportunity: compliance advisory and insurance readiness services are increasingly billable at premium rates.

Contractual alignment matters. MSP service agreements should clearly address security incident liability, breach notification obligations, and the scope of responsibility for client data protection. Cyber insurance and contractual terms need to be reviewed together. An MSP whose contract limits liability to three months of fees but whose client’s breach creates $2 million in third-party claims has a coverage gap that needs to be understood before an incident creates it.

How Kaseya helps MSPs meet insurer requirements

Kaseya 365 bundles the security controls that insurers now require across a single platform, giving MSPs both the protection and the evidence trail that underwriters ask for.

Datto EDR provides endpoint detection and response across all managed endpoints, with managed detection and response (MDR) capability for organizations that need a monitored SOC layer. Evidence of EDR deployment and alert response is a standard underwriting question.

BullPhish ID delivers security awareness training and phishing simulation across client environments, with reporting that documents delivery frequency and employee results for underwriting documentation.

Dark Web ID continuously monitors for compromised credentials across client domains, detecting exposed credentials before they are exploited. Credential monitoring is an increasingly common underwriting requirement.

Inky provides AI-powered email security and phishing protection, addressing the social engineering threat vector that drives the majority of initial access events.

Datto SIRIS provides isolated, immutable backup with automated screenshot verification, producing the documented recovery testing evidence that insurers increasingly require as proof that backups are actually restorable.

Compliance Manager GRC generates the security posture documentation and compliance evidence trail that underwriting questionnaires require, across multiple clients from a single platform.

For MSPs who qualify, the Kaseya Cyber Insurance Fast Track program, available through KaseyaOne in partnership with Cysurance, provides pre-qualified cyber liability coverage of up to $1.5 million for MSPs and their clients who have deployed Kaseya’s security stack. Qualifying MSPs access coverage at rates significantly below standard market pricing, with a streamlined application process through the KaseyaOne portal.


Key Takeaways

  • Cyber insurance covers first-party incident costs, third-party liability, regulatory defense, and ransomware-related expenses, but exclusions for nation-state attacks, pre-existing breaches, and known unpatched vulnerabilities regularly void claims. Understanding exclusions matters as much as understanding coverage.
  • Underwriting requirements have not softened alongside premiums. Insurers now require documented evidence of MFA, EDR, tested backups, patch management, and incident response plan testing before binding coverage. Attestation alone is no longer sufficient.
  • Security investment and insurance economics are directly linked. Strong, documented controls produce better coverage, lower premiums, and easier claims. Undocumented or weak controls produce the opposite, regardless of what the questionnaire says.
  • For MSPs, cyber insurance advisory (helping clients document controls, align services with policy requirements, and qualify for coverage) is a growing and billable service line that strengthens client relationships and MSP competitive positioning.
