
Compare Cyber Insurance for IT Service Providers

Published: Updated:
[Image: Data center engineer reviewing servers; cyber insurance protects IT service providers, MSPs and software houses]

Note: This page contains affiliate links. If you take out a policy, we receive a commission at no additional cost to you.

Key Points in Brief

  • IT service providers are preferred targets for supply-chain attacks
  • Third-party damages on client systems require special coverage
  • Premiums from 500 EUR/year for solo IT consultants
  • Technology E&O and Contingent BI are important additional components
  • NIS-2 intensifies requirements for IT suppliers

Run an MSP, a software house, or a cloud consultancy in Germany? Attackers treat your access the way a burglar treats a master key. A single breach on your side can expose dozens of client networks at once. The BSI's 2024 Situation Report places roughly 80 percent of cyber attacks on small and mid-sized companies, and Listflix counts about 93,900 IT service providers in Germany — most of them sitting on privileged customer credentials. Standard commercial policies were not written with that aggregation risk in mind. A dedicated cyber insurance can cover third-party damages, Technology E&O, and the operational fallout from supply-chain incidents. What it actually pays out depends on the contract; the sections below break down what to check before signing.

Damage Examples from IT Practice

The following scenarios show how quickly IT service providers can become liable. All examples are based on typical damage patterns as documented by insurers and the BSI.

MSP: Ransomware via RMM Tool

Attackers compromise the remote management tool of an MSP with 35 managed clients. Overnight, ransomware is distributed to all managed endpoints. 28 companies are affected, recovery takes three weeks.

Damage amount: around 320,000 EUR (forensics, recovery, liability, business interruption)

Software House: Data Leak Due to Programming Error

A software developer delivers an update with an SQL injection vulnerability. Attackers use the gap to exfiltrate 12,000 customer data records of the client. The client reports the data breach to the supervisory authority and claims damages.

Damage amount: around 85,000 EUR (GDPR notification, legal defense, compensation)

Cloud Provider: Misconfiguration in AWS

A cloud consultant accidentally configures a client's S3 buckets as publicly accessible. Confidential business documents are accessible on the internet for several days. The client claims damages and terminates the contract.

Damage amount: around 45,000 EUR (forensics, legal costs, lost contract)

Special Risks for IT Service Providers

According to the Bitkom Economic Protection Study 2025, 87% of all German companies were affected by cyber attacks. Total damage was 289.2 billion EUR, of which 202.4 billion EUR was directly due to cyber attacks (Bitkom 2025). IT service providers bear a particularly high risk because they have privileged access to client systems and thus serve as multipliers for attackers.

Supply-Chain Attacks: The Greatest Risk for IT Service Providers

According to Bitkom, supply-chain attacks have increased fivefold in the past two years. Prominent cases like SolarWinds (2020) and Kaseya (2021) show that a compromised IT service provider can serve as an entry point for hundreds of client networks. The average cyber damage for German companies is 45,370 EUR (GDV 2024); in cascading supply-chain attacks this amount quickly multiplies.

Typical Risk Scenarios

  • Compromised remote maintenance: Attackers use RMM tools (Remote Monitoring & Management) to distribute ransomware to all managed clients simultaneously
  • Misconfiguration: An incorrect setting in the cloud infrastructure exposes customer data
  • Software error: A bug in your software causes data loss or business interruption for the client
  • Stolen admin credentials: Attackers obtain your privileged administrator credentials for client systems
  • Insider threat: A former employee uses still-active credentials for unauthorized access

The BSI registers around 309,000 new malware variants daily (BSI 2024). For IT service providers this means the attack surface grows constantly. A general cyber insurance for SMEs is often not sufficient because it does not adequately cover the specific third-party damage risks of the IT industry.

What Cyber Insurance Should Cover

For IT service providers, third-party damages, i.e., damages to client systems, are particularly critical. In addition, you need protection for your own business interruptions and special IT components that are missing from standard policies.

Third-Party Damages (Especially Important for IT Service Providers)

  • Liability for damages to client systems through your service
  • Compensation for data breaches that affect clients through your systems
  • Contractual penalties for SLA violations (depending on policy)
  • Legal defense costs for liability claims

Own Damages

  • Own business interruption and lost revenue
  • Recovery of own systems and data
  • IT forensics (investigation after a cyber attack) and root cause analysis
  • Notification costs for own GDPR data breach

Special Components for IT Service Providers

  • Technology E&O (Technology Errors & Omissions): Coverage for damages caused by technical errors and omissions in your software or consulting
  • Contingent Business Interruption: Protection when an important client or supplier fails and you thereby lose revenue
  • System Failure: Coverage even without external attack, for example in case of hardware failure or operating error
  • Cyber Extortion: Extended ransomware coverage including negotiation assistance and ransom reimbursement

Feature comparison (Basic Protection vs. Extended Protection):

  • Own damages (own systems)
  • Business interruption
  • IT forensics and root cause analysis
  • Third-party damages (client systems): limited in Basic Protection
  • Technology E&O
  • Contingent Business Interruption
  • Cyber extortion / Ransomware: optional in Basic Protection
  • GDPR fines and legal defense: optional in Basic Protection
  • Reputation management

What Does Cyber Insurance Cost for IT Companies?

Premiums for IT service providers are higher than for many other industries because the risk profile is more demanding due to client system access and data processing. The following table shows guideline values by company size. The actual premium depends on revenue, coverage amount, and existing IT security measures.

IT Company Type | Employees | Premium/Year (approx.) | Recommended Coverage
Solo IT Consultant / Freelancer | 1 | 500 - 1,000 EUR | 250,000 - 500,000 EUR
Software House / Web Agency | 5 - 10 | 1,200 - 2,500 EUR | 500,000 - 1 million EUR
MSP / System House | 10 - 50 | 2,500 - 8,000 EUR | 1 - 3 million EUR
Cloud Provider / Data Center | 50+ | 8,000 - 25,000 EUR | 3 - 10 million EUR

Status: March 2026. Prices are guideline values and may vary depending on insurer, deductible, and individual risk assessment. Compare Cyber Insurance Costs for detailed price information.

IT Liability, Professional Liability, or Cyber Insurance?

IT service providers face the question whether an IT professional liability policy is sufficient or whether additional cyber insurance is needed. The short answer: In most cases you need both, because the two policies cover different risks.

Criteria | IT Liability | Cyber Insurance
Protects against | Professional errors | Cyber attacks, data breaches
Programming errors | Yes | Partially
Hacker attack on client system | Partially | Yes
Own business interruption | No | Yes
Ransomware / Extortion | No | Yes
IT Forensics | No | Yes
Premium (approx.) | From 300 EUR/year | From 500 EUR/year

Recommendation: Combine both policies, or choose a combined solution that unites IT liability and cyber insurance in one contract. Some insurers like Hiscox or exali offer such combined policies specifically for IT service providers. Also check whether a D&O Insurance is useful for the personal liability of the management.

Coverage Gaps and Exclusions

Not every cyber insurance covers all risks. Especially IT service providers should carefully check the insurance terms. The following restrictions occur in many policies:

  1. Willful misconduct: Damages caused by intentionally ignored security gaps are excluded
  2. War exclusion: State-directed cyber attacks (e.g., APT groups) may fall under the war exclusion; ask specifically
  3. Known vulnerabilities: Damages from unpatched known vulnerabilities are excluded by some insurers
  4. Sublimits for business interruption: Coverage for lost revenue is often limited to a fraction of the coverage amount
  5. Waiting period: Business interruption damages are reimbursed only after a waiting period (often 8 to 24 hours)
  6. Run-off cover: After contract end, no new damages are covered; pay attention to sufficient run-off period (at least 36 months)

Special Considerations for Managed Service Providers

MSPs have the highest cyber risk of all IT service provider types. They often manage administrative access to dozens or hundreds of client systems. A single security incident can therefore affect many companies simultaneously in a cascading manner.

  • Aggregation risk: An incident affects many clients simultaneously. The sum of all individual damages can quickly exceed the coverage amount. Pay attention to sufficiently high limits.
  • RMM tool security: Remote management tools are the most critical attack targets. According to Coveware, average downtime after a ransomware attack is around 23 days (Coveware 2024). For MSPs whose RMM is compromised, downtime can occur for all clients simultaneously.
  • Contract design: Align liability limits in your client contracts with the insurance coverage. Many MSPs have liability limits of 1 to 2 million EUR in their terms; the insurance should cover at least this amount.

More on supply-chain security can be found in our Guide Ransomware Protection.

NIS-2: What Does This Mean for IT Service Providers?

The NIS-2 Directive has been in force since December 6, 2025 and directly affects around 29,500 companies in Germany (BSI). IT service providers are often not directly covered by the directive, but they are strongly affected indirectly:

  • Supply chain requirements: NIS-2-affected clients must ensure cyber security throughout their entire supply chain. This directly affects their IT service providers.
  • Contractual proof: Clients increasingly demand proof of IT security standards, certifications, and cyber insurance coverage in supplier contracts.
  • Fines: Violations can be penalized with fines of up to 10 million EUR or 2% of global annual turnover. Although these fines primarily hit the affected companies, they can be passed on to IT service providers through recourse claims.

For IT service providers who serve clients from regulated industries, cyber insurance is therefore increasingly a prerequisite for new assignments.

Improve IT Security, Reduce Premium

Insurers reward verifiable IT security measures with noticeable premium discounts. At the same time, most insurers expect certain minimum requirements as a prerequisite for insurance coverage.

  1. ISO 27001 Certification: Hiscox grants up to 10% premium discount for certified companies
  2. SOC 2 Report: Shows insurers your security maturity and can improve the risk assessment
  3. Multi-Factor Authentication (MFA): MFA on all administrative accesses is now mandatory with many insurers; HDI grants up to 7.5% discount with documented MFA use
  4. Endpoint Detection & Response (EDR): Modern EDR solutions significantly improve the risk profile
  5. Documented Incident-Response Plan: A tested emergency plan shows insurers you are prepared for incidents
  6. Regular Penetration Tests: Annual penetration tests by external service providers signal proactive security culture

Read our Guide Cyber Risks for SMEs for more tips on IT security.

What IT Service Providers Should Look for When Comparing

When comparing cyber insurance, IT service providers should pay particular attention to these six points:

  1. Third-party damage coverage: The policy must explicitly include damages to client systems, not just own damages.
  2. Technology E&O included: Not every cyber policy covers technical errors and omissions. Ask specifically for this component.
  3. Appropriate coverage amount: Consider the aggregation risk. An incident affecting 20 clients simultaneously requires significantly higher limits.
  4. Run-off cover: At least 36 months run-off period after contract end. Damages may only become known months after an incident.
  5. Check sublimits: Business interruption, ransom, and legal defense often have their own sublimits. Make sure these are sufficient for your business model.
  6. 24/7 emergency hotline: Every hour counts in a cyber attack. Check whether the insurer offers an around-the-clock hotline with IT forensics expertise.

More about our evaluation methodology can be found on the page How We Compare.

Cyber Insurance by IT Specialization

Different IT sub-types have different risk profiles. While MSPs carry the highest aggregation risk, software developers primarily face Technology-E&O risks. Solo IT consultants are similar in profile to freelancers. The following subpages offer industry-specific information:

Who is IT service provider cyber insurance suitable for?

Suitable for

  • Managed Service Providers (MSPs)
  • Software developers and IT consultants
  • Cloud providers and data centers
  • IT system houses and system integrators
  • Web agencies and digital service providers

Less suitable for

  • Pure hardware traders without service contracts
  • IT companies without client system access

Compare Cyber Insurance for IT Service Providers

Compare offers specifically for IT service providers, MSPs, and software companies. Free and independent.


Conclusion

IT service providers carry a double risk: They can be attacked themselves and are simultaneously liable if client networks are compromised through their systems. Cyber insurance with sufficient third-party damage coverage and an IT professional liability component is therefore almost indispensable for MSPs and software companies.

Pay attention to the sublimits for supply-chain damages and check whether you can actually meet your obligations under the policy (patch management, MFA, backup).

Frequently Asked Questions About Cyber Insurance for IT Service Providers

IT service providers have privileged access to client systems and bear particular responsibility for their security. In a supply-chain attack, a compromised IT service provider can endanger dozens or hundreds of client networks. Standard policies often exclude these third-party damages.

IT liability insurance covers professional errors such as programming errors or consulting mistakes, but not all cyber risks. In particular, damage to your own systems, business interruption due to hacker attacks, and ransomware costs are usually not included. IT service providers should combine both policies.

Premiums depend on company size, revenue, and IT security level. Solo IT consultants pay from around 500 EUR/year, software houses with 5 to 10 employees around 1,200 to 2,500 EUR/year, and larger MSPs with 10 to 50 employees between 2,500 and 8,000 EUR/year.

Technology Errors & Omissions (Technology E&O) covers damages caused by technical errors or omissions in your IT service. Example: A software error leads to data loss for the client. Not every cyber policy includes this component; IT service providers should specifically look for it.

Managed service providers should choose at least 1 million EUR coverage, larger MSPs with 20 or more employees rather 2 to 5 million EUR. The aggregation risk is crucial: If an incident affects multiple clients simultaneously, the damage sum quickly increases. Also check sublimits for individual damages.

If an attacker penetrates client networks through your systems, your clients can claim damages. Liability can include restoration costs, lost revenue, and GDPR fines. Cyber insurance with third-party damage coverage is therefore indispensable for IT service providers.

This depends on the insurer. Some policies exclude damages from known vulnerabilities in open-source components if the patch was already available. Check the conditions carefully, especially if you work a lot with open-source software.

IT service providers are often indirectly affected by the NIS-2 directive because their clients are classified as critical infrastructure. These clients increasingly require proof of IT security standards and cyber insurance coverage in supplier contracts.

Documented IT security measures lead to noticeable discounts. An ISO 27001 certification brings up to 10% discount with Hiscox; a SOC 2 report or mandatory MFA can achieve up to 7.5% discount with HDI. Regular penetration tests and a documented incident-response plan additionally improve the risk profile.