The Complete Guide to Insuring Your MSP: Insurance Buying Guide for MSP Owners
Updated: Aug 5, 2020
As a MSP owner (or soon to be) the last thing on your mind is probably insurance. Sure, you probably have thought about it maybe once or twice in the last year, and even then it was probably a “oh hey is my premium due soon?”. The truth is, as an MSP owner you are focused on your clients and the business. Insurance isn’t priority #1. That's why I built this guide. To maximize your time. Perhaps 12 minutes can be scrounged up?
Step 1: Use An Independent Agent
Why Work with an Independent Agent? An independent agent is well… independent. We do what we want, we’re our own boss. We don’t need no man!
Just kidding. It pretty much means we represent multiple insurance companies. We aren’t tied to one company, like the State Farm or All States of the world. If you buy insurance from a State Farm agent, they can only put your coverage with State Farm. Agents with only one insurance company are called captive agents. If you buy insurance from an independent agent, they can shop dozens of carriers, compare, contrast, negotiate, and recommend the best option(s).
Here Are Some Quick Questions to Ask Your Agent:
1. Are you independent?
2. How many carriers do you represent?
3. Are you a specialist or generalist?
4. Does your agency offer any risk management services?
5. What services come with my policy?
6. How long have you been working with companies like mine?
7. What is your agency’s service standard on certificate of insurance requests?
Step 2: The Basics
Most key suppliers, vendors, and customer contracts will require the basics. Here they are in bold:
General Liability of $1,000,000 per occurrence/$2,000,000 aggregate
Types of lawsuits covered by general liability insurance include property damage and bodily injury lawsuits like slip-and-fall accidents, and customer injury lawsuits.
Hired & Non-Owned Auto liability of $1,000,000 combined single limit
Non-Owned Auto Liability – Provides bodily injury and property damage liability coverage for employee’s vehicles
Having employees drive their vehicles for business related tasks, such as delivering an invoice,
going to the post office, or driving to the bank is a common practice for all companies.
However, this “business as usual” activity creates numerous liability exposures.
Non-owned auto steps in for occasional accidents employees may have that their personal auto
insurance will not cover due to being on company time. While physical damage to an employee vehicle would be the responsibility of the employee and most likely covered by the employee’s personal auto insurance – not the responsibility of the employer or employer’s insurance
Hired Auto Liability – Provides bodily injury and property damage liability coverage for rented vehicles.
*Bonus Tips for Renting a Vehicle for Business Use*
In the U.S., rental car companies offer a “Damage Waiver”, which is separate from insurance.
Damage Waivers can provide coverage for things that are not covered by Hired Auto Liability
and Physical Damage coverage, such as:
Diminished Value – The hired auto was worth X before an accident and now is worth X
as a result of the accident.
Loss of Use – As a result of an accident, the rental car company suffered additional loss
for however long it took to make repairs.
A Damage Waiver can only be purchased from the rental car company.
Hired Auto Physical Damage – Provides comprehensive and collision (physical damage)
coverage for rented vehicles. This is typically an add on coverage and is cheaper to purchase annually from your agent, not at the rental counter.
Worker's Compensation Coverage
Bodily Injury by Accident $1,000,000 each accident
Bodily Injury by Disease $1,000,000 policy limit
Bodily Injury by disease $1,000,000 each employee
Worker’s Compensation (WC) coverage is a no-fault coverage that provides coverage for injuries that result during an employee’s employment. No-fault means it does not require one party to prove the blame was caused by another party. It is state specific. Individual state law mandates most definitions, coverage territories, terms, and conditions in WC policies. Due to the specific state nature of WC, it is very important if a company hires an employee in a new state, to add that state to the policy.
Worker’s Compensation is mandatory in every state, except New Jersey and Texas. Why? Because well… everything is bigger there. I guess not Work Compensation though? Both states technically have elective laws with high restrictions to opt out.
In four states, you must go to a state-run worker’s compensation fund. The four WC “monopolistic” states are North Dakota, Ohio, Washington, and Wyoming. Note it is important to still have employer’s liability coverage, often referred to as Stop Gap insurance, in these states. Stop Gap attaches to a companies’ commercial package or business owner’s package policy.
Employer’s Liability provides coverage for an employer’s liability where recovery is permitted by law for bodily injury arising out of and in the course of an injured employee’s employment that is not covered under worker’s compensation law. It is a kind of like umbrella insurance that sits above the state run Worker’s Comp insurance program. Say an employee is hurt, goes and gets fixed up through worker’s comp, but that isn’t enough, they want more, they are still hurt, and there isn’t any coverage left in the Work Comp, so naturally they go after the employer. Enter Employer’s liability insurance.
What are the Benefits of the Worker’s Compensation System?
Although Worker’s Comp can seem like a headache and just something the government forces businesses to buy, it was put in place to protect businesses and employees. Employers gain predictability for the cost of workplace injuries. Imagine back in the industrial revolution where many adults (and children) were working in dangerous factories. Upper management had no idea what the cost would be for injured employees each year (downtime, hiring and training replacements, or paying other workers overtime). Now they can just see how much they paid for work comp annually.
The WC system encourages loss prevention and promotes safety. If a company has tons of WC insurance claims one year, you better bet the estimated premiums will go up.
Prompt benefits. Employees don’t have to wait to get treated, the idea is to get them fixed up ASAP and back to work.
Worker’s Compensation Audits
Worker’s Compensation policies are auditable. When the policy is put in place it is based off estimated payroll information. At the end of the policy term the insurance company goes back and reviews the policy term with actual pay roll data to account for any hires/fires throughout the year. The goal is to charge the appropriate premium for the appropriate risk/exposure.
It would be unfair if when the policy was put in place it was rated with $200,000 worth of office employees, but really throughout the year you hired $2,000,000 worth of sales people and only paid for the office employees. Vice versa, if the company had massive layoffs, the worker’s compensation premiums would go down (although you have bigger problems if you had massive layoffs, can anyone say EPL claims?). The audit also double-checks that employees were categorized correctly. Often the insurance companies sub-contract out the audits. Audits can be done in person, over the phone, electronically, or if the insured doesn’t respond, the insurance company can just assume estimated changes (which isn’t ideal).
As you can imagine, work comp is a moving target. With larger companies that have 100s of employees I often recommend at least a quarterly Work Comp check.
How is WC Rated/Underwritten?
The payroll or WC underwriting information exchanged between the insured, insurance agent, and insurance company often consist of the following datapoints:
• FEIN #:
• State Unemployment Number
• Date of Hire
• Number of Employees by state
• Work Address or if Employee works from home – home address
• Job Title or Work Comp Class code
• Annual payroll by state
As an insured, you don’t need to know class codes, but essentially every job title is broken into work comp class codes for insurance companies to rate the riskiness and the according premium charged. Office employee is 8810, Salespersons is 8742 etc. One item to note is that many states have maximum payrolls for directors or executives like CFOs, CEOs, COOs, etc. So if a CEO makes $1,000,000 per year salary, but the state has a maximum annual payroll of $160,000 the employer’s WC policy will be rated on $160,000 thus saving the insured’s insurance premium dollars.
WC audits can be a pain, but most insurance company policies include wording that the insurer must comply. To make it less of a pain, usually someone in the HR department can run a payroll report. Luckily, the bulk of employees at an MSP are office workers, computer programmers, and salespeople. None of these job classifications are high risk or expensive to insure under Worker's Compensation. When there are more Telecom Technicians out installing cabling, the worker's compensation can get a bit more expensive.
*Bonus Tips for Insuring an Employee Versus an Independent Contractor*
A general rule of thumb is an individual is an independent contractor if the payer has the right to control or direct only the result of the work and not what or how the work will be done. An employee is hired at a wage or commission where the employer directs and controls what and how work will be done. Another question to ask is “who provides the tools”? Independent contractors bring their own tools to the job.
It is important if you are hiring independent contractors that you get certificates of insurance from them including worker’s compensation coverage to prove they have their own. During a worker’s Compensation audit, auditors may include independent contractors that look like employees. Insureds should have saved their contractor’s certificates of insurance to show proof they have their own worker’s compensation insurance and should be excluded from the audit. From the insured’s prospective, contractors are not employees, so why should they pay for their WC insurance? Insureds must have proper documentation to back it up.
Step 3: Advanced Coverage:
Do you own or rent your location?
Should you decide to take an alternate route and purchase your own space, you would need to make sure that there is proper building coverage in place for a loss. Much like owning a home, owning a commercial building requires more detailed coverage in the event you have a fire, water, or natural disaster loss.
It will be extremely important to review specific information with your independent insurance agent to make sure they have it accurate for your new building. Some examples of things you will need before talking with your agent would be:
Total Building Square Footage
When was the HVAC system, roof, and major electrical systems last updated?
Who does business on all 4 sides of you (are they vacant, in business, and what type of businesses occupy these units if applicable)
What is the building constructed out of? *Bonus- this might also allow some hefty discounts depending on construction type*
These aren’t all of the questions you will be asked but this is a great start to making sure you are prepared.
Business Interruption Coverage
If something were to happen to your office and you were unable to respond to customer service requests would you have enough coverage in place to subsidize your net income and continued operating expenses like rent, insurance, utilities, and salaries? Normally, business owners who offer a service type business don’t think about “what would happen if I couldn’t offer this service any longer”. This is why it is imperative to have this coverage in place on your business insurance policy. Often for an MSP, a solid work-from home policy or disaster/contingency plan can help alleviate some of this concern.
Technology Errors & Omissions (Tech E&O)
Worker's Compensation insurance is to roofers as Tech E&O insurance is to MSPs.
Tech E&O is arguably the most important coverage for an MSP.
When $H!T hits the fan, this is your "get out of jail free" card.
This coverage is professional liability mixed with cyber liability and is designed specifically for technology service providers. It consists of three parts; First Party, Third Party, and Cyber Crime.
First Party Cyber Coverage
First party is financial loss coverage due to a data breach for the insured. This is for items that directly affect the insured’s (MSP) business. There are numerous coverages:
Computer Forensics – coverage for a computer forensics expert to investigate a data breach
Reputation Harm – coverage for a public relations firm to restore your brand name from negative effects a data breach may have on your company.
Notification Costs – coverage for call center or notification services to notify those affected by a data breach.
Credit Monitoring – coverage for credit monitoring services to scan for “bad actors” attempting to open new or use existing credit lines for those affected by a breach.
Costs to Defend Claims – coverage for litigation costs associated with legal proceedings following a data breach.
Fines and Penalties – coverage to reimburse the company for fines or penalties due to a data breach
Business Interruption – coverage for downtime and the additional cost to get computer systems back up and running after a breach
Replacing electronic data – coverage to replace electronic data
Often the Errors or Omissions covering any act or error in your professional services is included under First Party Coverages.
First Party Questions to Consider
Does the insured have a Say in Choice of Legal Counsel?
Can the insured use whatever legal providers they want? or must the insurance company’s pre-selected service provider panel be used? Some policies will consider the insured’s preference for the appointment of counsel, but the insurance company still has the final say. Some policies state the Insured shall not formally appoint counsel without approval from the insurance company. This may be a sticking point if an insured is keen on using their own legal counsel. Cyber policies may offer lower limits of coverage for “non-panel” service providers.
Are the above first party coverages within policy limits or outside?
Essentially, if you have a $1M aggregate policy does every single 1st party coverage fall within this $1M bucket or do some coverages have their own $1M limit bucket. It would be advantageous to either have a higher aggregate or a separate limit on items like Business Interruption and Defense costs. Oftentimes some line item coverages can be sublimated to $250 or $500K on a $1M policy.
Is the policy written on an admitted or non-admitted basis?
Admitted insurance policies are insurance policies written by an admitted insurance company. An admitted insurance company pays the proper taxes, fees, and paper work to achieve admitted status, in exchange for being backed by a state guarantee fund. If the insurance company becomes insolvent and an insured has a claim, the claim will still be paid by the guarantee fund. A non-admitted carrier/policy has no such guarantee. It is wise to check the AM Best rating and admitted status of the insurance company writing your insurance policy here: http://www.ambest.com/ratings/guide.pdf
Third Party Cyber Coverage
Third party is financial loss coverage from a data breach for the benefit of others. It could be your customers, partners, supplies, vendors, etc. It includes three separate coverages:
Privacy Liability - Covers expenses the insured becomes legally obligated to pay due to failure to protect the following classes of information:
PHI (Personal health Information) i.e. health records
PII (Personally identifiable information) i.e. Social security #, address information, etc.
PFI (Personal Financial Information) i.e. Bank account #s, credit card numbers, etc.
Content Liability/Web Publishing Liability/Multimedia Liability – Provides “digital world” personal and advertising injury liability coverage. This includes infringement or violation of another’s copyright, title, slogan, trademark, trade name, trade dress, service mark, and service name. An example would be using unauthorized images or music on a website. This also provides coverage for defamation, libel, and slander like negative comments posted on your website about a competitor’s product.
Third party Security Breach Liability – is coverage for if the insured becomes responsible for a virus, security breach, transmittal of malicious code, etc. Essentially, since your system got hacked, the hacker was able to gets access to your customers, vendors, partner, or other third party’s system and it becomes your fault.
Third Party Questions to Consider:
Is there Coverage for Rogue Employees?
A rogue employee may also be described as a disgruntled employee but is essentially an employee who is purposely causing a data breach or transmits malicious code to sabotage the company. Policy language can explicitly name rogue employees, be implied but not specifically mentioned, exclude coverage all together, or add coverage via endorsement.
What is the Coverage Trigger?
Policies are written on one of the following coverage triggers; Occurrence, Claims Made, or Claims Made & Reported.
1. Occurrence Form.
Definition: A policy covering claims that arise out of damage or injury that took place during the policy period, regardless of when claims are made.
2. Claims-made Policy
Definition: A policy providing coverage that is triggered when a claim is made against the insured during the policy period, regardless of when the wrongful act that gave rise to the claim took place
3. Claims-made and Reported Policy
Definition: A type of claims made policy in which a claim must be both made against the insured and reported to the insurer during the policy period for coverage to apply
The above coverage trigger types are in order from most advantageous to lease advantageous form an insured’s prospective. Cyber insurance policies are typically written on claims-made or claims made and reported forms. claims-made is more advantageous from the insured’s prospective than claims-made and reported.
Coverage for Contractual Liability?
Good cyber insurance policies have coverage for contractually assumed liability. Often this is subject to a sub-limit and should be scrutinized when purchasing an insurance policy. Check that the limit is sufficient with specific contract requirements.
Cyber Crime Coverage - is typically separate from First and Third party coverages, but not always. Sometimes, cybercrime coverage is pushed onto a separate crime policy. Regardless, It typically covers claims for financial loss from the following:
Extortion/Ransom – A hacker is holding your business’s computer system hostage, everything is locked with a message that says "pay 10 Bitcoins in 24 hours or computer system will be destroyed". Cyber insurance can help pay to restore or replace a system held hostage.
Social Engineering/E-Mail Phishing – An e-mail that looks like it’s from the CFO with instructions to wire $50,000 to a bank account is sent to a new controller, the controller wires the funds not knowing the CFO’s e-mail was really a hacker. Cyber Crime insurance can cover the loss resulting from this unintended parting of money/funds due to fraudulent instruction/impersonation.
Just like computer systems, every insurance policy needs a checkup. Even if you have had the same insurance agent for years and their agency is a client of your MSP. Your business is ever growing and changing (or at least that is the goal right?). You need to make sure your coverage reflects that too.
Your insurance agent should be reviewing your insurance policies at least once a year and doing a “baseline” on it. Are we still in the same place? Do we need to add or modify anywhere? Are their more competitive carriers in terms of pricing or coverage? Are new services being provided, does the policy automatically pick these up as covered services?
Have a question about insuring your MSP? Reach out!