Most MSP master services agreements include some version of this language:
“Provider shall indemnify and hold Customer harmless from any and all claims, losses or damages arising out of or relating to the Services, including without limitation any breach of security, data loss, or interruption of Customer’s business.”
That clause, lifted verbatim or with small variations, is the single biggest reason MSPs end up paying out of pocket on E&O claims. It’s worth understanding exactly what it does — and what your insurance form does and doesn’t say about it.
What the clause actually creates
“Indemnify and hold harmless” means you’ve contractually agreed to make the customer whole for losses arising from your services — including losses that, absent the contract, you wouldn’t have been legally liable for. It converts a tort question (was there negligence?) into a contract question (what does the agreement say?).
That matters because:
- Liability standards differ. Negligence requires a breach of duty. Contractual indemnity is triggered by the loss itself, regardless of fault.
- Damages can be broader. Tort damages are constrained by causation and foreseeability. Contractual indemnity can include consequential damages, lost business and even attorneys’ fees.
- Carve-outs are uncommon. Most MSAs don’t carve out the customer’s own negligence — meaning even when the customer caused the loss, the MSP is still on the hook contractually.
Why standard Tech E&O often doesn’t respond
Tech E&O covers liability for negligent performance of professional services. Contractual liability assumed by the insured is usually excluded — with two carve-outs:
- Liability you would have had absent the contract (i.e. negligence-grade exposure)
- Liability assumed under specific “insured contracts” defined in the policy
Most generic Tech E&O forms treat MSP master services agreements as outside the “insured contract” definition. That means the indemnity above creates exposure your form doesn’t pick up.
The result: a customer suffers an outage caused by their own employee clicking a phishing link, sues the MSP under the indemnity clause, and the MSP’s E&O policy declines because it’s contractual liability outside the insured-contract scope.
What to do about it
Three moves, in order of leverage:
1. Negotiate the clause
You won’t always win, but you should always try. Specifically push for:
- A mutual indemnity (customer indemnifies you for their own negligence)
- A knowledge qualifier (your obligation triggers only for losses arising from your failure to perform)
- A liability cap tied to fees paid (common: 12 months of fees)
- An explicit carve-out for the customer’s own systems and decisions
Even partial wins materially reduce your exposure.
2. Get the right E&O form
Bind a Tech E&O policy with broad contractual liability cover specifically written for MSPs. Several specialty markets now offer forms that affirmatively include indemnity assumed under standard MSAs. Pay attention to:
- Definition of “insured contract”
- Cap on indemnity exposure (some forms still limit it)
- Treatment of consequential damages
3. Bind contingent business interruption
When the customer’s business goes down because of an event on your watch, the lost-income claim is often the bulk of the loss. Contingent BI on cyber covers third-party outage scenarios. Bought standalone, it carries a modest premium. As part of an MSP-specific cyber/E&O programme, it’s table stakes.
The clause itself isn’t going away — customers will keep asking for it because their own contracts and procurement teams require it. The right response is to read what you’re signing, negotiate what you can, and bind cover that actually responds when the rest doesn’t work.