Cyber Insurance MSP Requirements: What Your Provider Must Have
The Australian cyber insurance market has tightened significantly since 2023. Insurers are no longer offering blanket policies without asking hard questions about your IT environment — including the security posture of your Managed Service Provider.
If your MSP causes a security incident that impacts your business, your ability to recover damages depends on your MSP's insurance coverage, their compliance with security standards, and how your own policy is structured.
Why Insurers Now Scrutinise Your MSP
The shift happened because of a simple reality: MSPs are high-value targets. When an MSP is compromised, every client they manage is at risk. The Kaseya VSA attack in 2021, the ConnectWise ScreenConnect vulnerabilities in 2024, and the ongoing targeting of RMM tools have demonstrated that MSP security is everyone's problem.
Australian insurers now ask:
- Who manages your IT infrastructure?
- Does your MSP hold cyber insurance?
- What security framework does your MSP follow?
- Does your MSP use multi-factor authentication on all administrative access?
- What is your MSP's incident response capability?
If you cannot answer these questions, your premium goes up — or your application gets declined.
What Insurers Look for in Your MSP
1. Cyber Insurance Coverage
Your MSP should hold their own cyber liability insurance. Request a Certificate of Currency and verify:
- Minimum coverage: $5 million for small MSPs, $10–$20 million for larger providers
- Coverage types: Professional indemnity, public liability, and cyber-specific liability
- Policy status: Current and not expired
- Named insured: The entity you are contracting with, not a parent company or subsidiary
If your MSP does not carry adequate insurance, you are exposed. If they cause a breach and cannot pay damages, you absorb the loss.
2. Security Framework Compliance
Insurers want evidence that your MSP follows a recognised security framework. The most common requirements:
| Framework | Insurer Preference | Notes |
|---|---|---|
| Essential 8 (ACSC) | High | Australian standard; most common requirement |
| ISO 27001 | High | International standard; demonstrates formal ISMS |
| SOC 2 Type II | Medium-High | Common for US-facing MSPs |
| CIS Controls | Medium | Technical control framework |
| NIST CSF | Medium | US framework; less common in Australia |
At minimum, your MSP should demonstrate Essential 8 Maturity Level 1 compliance. The Essential 8 Maturity Level 1 article covers what this means in practice.
3. Multi-Factor Authentication
This is now a non-negotiable requirement for most Australian cyber insurers. Your MSP must use MFA on:
- All administrative access to client environments
- All VPN and remote access connections
- All cloud service admin portals
- All RMM and PSA tools
- Email accounts (especially shared and admin accounts)
If your MSP does not use MFA on all of these, flag it as a critical risk.
4. Incident Response Capability
Insurers want to know that your MSP can detect, contain, and recover from a security incident. Key questions:
- Does the MSP have a documented incident response plan?
- Can they detect breaches within their client environments?
- Do they have 24/7 monitoring capability?
- Can they provide forensic support if an incident occurs?
- Do they carry separate incident response retainer agreements?
5. Backup and Recovery
Your MSP's backup practices directly affect your cyber insurance posture. Insurers want evidence that:
- Backups are tested regularly (at least quarterly)
- Backups are stored in immutable or air-gapped storage
- Recovery time objectives (RTOs) are defined and documented
- Backup restoration has been tested successfully
If your MSP cannot demonstrate tested backups, your insurer may exclude ransomware-related losses from your policy.
How MSP Compliance Affects Your Premium
The relationship is direct: the stronger your MSP's security, the lower your premiums.
Scenario 1: MSP meets all requirements
- Your premium is calculated based on your own risk profile
- No additional loading for IT provider risk
- Claims process is straightforward
Scenario 2: MSP partially meets requirements
- Your premium may include a 10–25% loading for IT provider risk
- Insurer may require a remediation plan with evidence of completion
- Claims may be subject to additional scrutiny
Scenario 3: MSP does not meet requirements
- Your application may be declined
- If already insured, your renewal may be refused
- If a claim arises, the insurer may deny coverage based on inadequate third-party controls
Questions to Ask Your MSP About Cyber Insurance
Use this checklist when reviewing your MSP's cyber insurance posture:
- "Can you provide a current Certificate of Currency for your cyber liability insurance?"
- "What is your coverage limit and what does it cover?"
- "Are we named as an additional insured on your policy?"
- "What security framework do you follow, and can you provide evidence of compliance?"
- "Can you show me your Essential 8 maturity assessment?"
- "Do you use MFA on all administrative access to our environment?"
- "What is your incident response process if our environment is compromised?"
- "When was your backup restoration last tested?"
- "Do you carry cyber insurance that covers third-party claims from your clients?"
- "Have you had any security incidents in the past 24 months? If so, what happened and what changed?"
If your MSP cannot answer these questions clearly, it is a significant red flag. The Red Flag Scanner can help you identify other warning signs.
What to Do If Your MSP Fails the Requirements
If your MSP does not meet the cyber insurance requirements:
- Raise it with the MSP directly. They may not realise their gaps. Provide them with the insurer's requirements and a timeline for remediation.
- Review your contract. Your MSA should require the MSP to maintain adequate insurance and security standards. If it does not, that is a contract gap to address at renewal.
- Consider your options. If the MSP cannot or will not meet the requirements, you need to evaluate whether they are the right provider for your business.
- Document everything. If a claim arises and your MSP's inadequate security contributed to the incident, your documentation of the gap strengthens your position.
Building a Cyber-Resilient MSP Relationship
The best defence is a proactive approach:
- Include insurance requirements in your MSP contract. Specify minimum coverage amounts and require annual proof of coverage.
- Conduct annual security reviews. Ask your MSP to provide an Essential 8 assessment annually.
- Maintain your own cyber insurance. Even with a good MSP, you need your own policy. The MSP's insurance covers their liability; yours covers your business.
- Test incident response together. Conduct a joint tabletop exercise at least annually to ensure both parties know their roles during a breach.
Related Guides
- Essential 8 Maturity Level 1 — The baseline security framework
- MSP Cybersecurity Incident Response — What happens during a breach
- MSP Contract Checklist — Insurance requirements for contracts
- MSP Health Score — Benchmark your MSP's security posture
- How to Choose an MSP — Security evaluation criteria