Insights

Insurance Companies Are Buying MSSPs Now: The Buyer Nobody Is Pricing

Zurich, Coalition, Resilience and Acrisure are buying or building MDR capability. Why cyber insurers became MSSP buyers, and what it means for sellers.

By Alexej Pikovsky  ·  Updated

In March 2026, Zurich agreed to buy Beazley for £8.1bn in all cash, about $11bn, and Beazley shareholders approved the deal in April. The headlines called it a specialty insurance deal, which it is. What almost none of them said is that the purchase comes with an MDR provider. Beazley Security, a managed detection and response business built out of Beazley's own claims operation, comes with the deal when it closes, expected in the second half of 2026. A cyber insurer is about to own a security operations service, inside an £8.1bn specialty-insurance transaction.

That is the story most buyer maps miss. When people ask who buys MSPs and MSSPs, they list private equity roll-ups, strategics, and the odd public consolidator. There is now a fifth buyer sitting quietly at the table, and it has a balance sheet most of the others would envy: the cyber insurance carriers themselves. Zurich, Coalition, Resilience, At-Bay, and Acrisure have all either bought or built detection-and-response capability, and the logic driving them is different from anything a PE fund is running. This piece maps who has moved, why the underwriting math pulls carriers toward owning an MSSP, and what it means if you own one and are thinking about who eventually writes the cheque.

I read this from the buyer's seat because that is the seat I spent a decade in. I moved more than $7bn of transactions across investment banking and private equity and sat on a board through a $300M-plus exit, and now I run growth for MSPs and cyber firms. When an $11bn insurance deal quietly absorbs a security service, I read the incentive underneath it, not the press release. That incentive is the whole article, and it sits alongside the pattern in private equity's move into cybersecurity and the wider cybersecurity market map, where insurance has always been the quiet demand engine nobody prices.

Why carriers are buying: the underwriting logic

Start with the thing an insurer actually sells. A cyber policy is a bet that the customer will not get breached badly enough to file a large claim. The carrier collects premium, holds the risk, and pays out when the bet goes wrong. Everything a carrier does to make breaches less likely or less expensive flows straight to its loss ratio, which is the share of premium it pays back out in claims. Lower the losses and you keep more of every premium dollar. That is the entire game, and it is why a carrier looks at a security service completely differently from how a PE fund looks at it.

The clearest statement of the logic comes from At-Bay, a cyber carrier that ran two years of its own claims data and concluded that more than 50 percent of its customers' cyber insurance claims could have been mitigated with an effective MDR solution in place. That is At-Bay's own analysis, and its CEO Rotem Iram put his name to it. Sit with the number for a second. If more than half of claims could have been reduced or mitigated with a decent detection-and-response service running, then owning that service is not a product-line diversification. It is loss prevention on the exposure you are already carrying.

Coalition, another carrier, frames the same idea from the claims side. Its 2025 report says it negotiates ransom demands down roughly 60 percent on average, and the company markets that policyholders using its risk tooling file materially fewer claims, a figure Coalition publishes as its own marketing claim rather than an audited third-party result. Whether the exact percentage holds, the direction is the point. A carrier that can see the attack early and respond fast pays out less. A carrier that only finds out at claim time pays out full freight.

The macro backdrop makes this urgent rather than optional. Cyber loss ratios across the industry leave real room for a carrier to compete on prevention rather than price, which is the pressure the NAIC's 2025 cyber insurance report documents across the US market. When competitors all price the same risk off the same broker submissions, the carrier that can genuinely lower the loss, not just the premium, wins the renewal and keeps the margin. Owning the security service is how you do that at scale instead of one policy at a time.

So the underwriting logic is simple to state and hard to argue with. A carrier that owns detection and response converts its biggest cost line, claims, into something it can actively manage. No PE thesis, no matter how good, gives you that. This buyer is not chasing a services multiple. It is buying down its own losses.

The deal record, 2020 to 2026

The moves are not hypothetical and they are not new. They stretch back to 2020 and cluster hard in the last two years. Here is the record, with the ones where the buyer holds the loss set apart from the broker that does not.

Cyber carriers and adjacent players buying or building MSSP capability, 2020 to 2026
BuyerTarget or buildDateTerms
Coalition (carrier)BinaryEdge (scanning and threat intel), acquiredJan 2020Undisclosed
Acrisure (broker and fintech)Catalyst Technology Group and ITS Inc. (MSPs), acquired into Acrisure Cyber ServicesJul 2022Undisclosed
Acrisure (broker and fintech)Homefield IT (MSP), acquiredNov 2022Undisclosed
Coalition (carrier)Coalition MDR, built in-house, roughly 60 MSP channel partners2023Build
At-Bay (carrier)At-Bay Stance MDR, built via At-Bay Security subsidiaryOct 2023Build
Beazley (carrier)Beazley Security (MXDR), built from in-house cyber team plus LodestoneJun 2024Build
Resilience (carrier)BreachQuest (incident response platform), acquiredFeb 2024Undisclosed
Coalition (carrier)Wirespeed (automated MDR), acquiredNov 2025Undisclosed
Zurich (carrier)Beazley, agreed acquisition, bringing Beazley Security with it on closeAgreed Mar 2026; closing expected H2 2026£8.1bn all cash, agreed
Aon (broker), counter-exampleStroz Friedberg and Elysium Digital, sold to LevelBlueAug 2025Undisclosed

Read down the terms column and the honest limitation of this whole category jumps out. Almost every deal is undisclosed. Coalition's Wirespeed acquisition in November 2025, the most on-thesis purchase in the set, closed on undisclosed terms. Resilience's BreachQuest deal in February 2024, undisclosed. The only hard price in the table is the Zurich-Beazley figure, and that is a whole-company insurance acquisition where the MDR business is a rider, not the headline. Nobody has publicly priced a carrier buying an MSSP as a standalone asset. Keep that in your pocket, because it becomes the crux of the seller's question later.

Build versus buy: what each move signals

The carriers split cleanly into two camps, and the split tells you how far along their thinking is.

the insurers building or buying security operations
ZurichBeazleyCoalitionAt-BayResilienceAcrisure
the broker that went the other way
AonLevelBlue

The builders

At-Bay built first. Coalition mixed the two moves: it bought scanning capability (BinaryEdge) back in 2020, built its incident response and MDR arms in-house, then bought Wirespeed in 2025. At-Bay stood up At-Bay Stance MDR through an At-Bay Security subsidiary in October 2023, then wrapped insurance and MDR together into what it calls InsurSec packages in October 2025, with premium credits and reduced retentions for customers who run the security service. Coalition built Coalition Incident Response in-house, gave it free to policyholders, then launched Coalition MDR and pushed it through roughly 60 MSP channel partners. Building signals conviction that the security capability is core enough to own from the studs up and integrate tightly with the policy.

Beazley is the interesting hybrid. It owned Lodestone, an incident-response and MDR business, for years, then folded its in-house cyber team and Lodestone together into Beazley Security, which went live in June 2024 as an integrated MXDR platform and expanded into restoration services by October. That is the asset Zurich agreed to buy. A carrier assembled a real security business over several years, and a bigger carrier agreed to pay about $11bn for the parent partly to get larger in exactly these specialist lines, with the deal expected to close in the second half of 2026.

The buyers

Coalition also buys, which is why it appears in both camps. It acquired BinaryEdge for scanning and threat intelligence back in January 2020, a deal it later described as part of a "secret master plan," then bought Wirespeed, an automated MDR shop founded in 2024, in November 2025 and installed Wirespeed's CEO as its GM of Security. Resilience bought BreachQuest in 2024, explicitly citing business email compromise as its number-two loss driver the prior year. Buying signals a carrier that has decided the capability gap is too wide or too slow to close internally and would rather acquire the team, the platform, and the leadership in one move.

Acrisure, the earliest mover, is the cautionary note in the buy column. It bought Catalyst Technology Group and ITS Inc. in July 2022, then Homefield IT that November, rolling all of them into Acrisure Cyber Services. Financials on that unit are undisclosed. Then the first mover paused: no MSP acquisitions in 2024 or 2025. Acrisure is a broker and fintech valued at $32bn after a $2.1bn round led by Bain Capital in May 2025, so the appetite and the capital are clearly there. The pause is worth noticing precisely because it separates the players who hold the loss from the players who only touch it, which is the whole point of the next section.

The honest counter-example: Aon divests

If the thesis were "everyone in insurance is buying security," it would be wrong, and the exception is what makes it sharp. In August 2025, Aon, one of the largest insurance brokers in the world, completed the sale of Stroz Friedberg and Elysium Digital to LevelBlue. Aon went the other way. It owned respected cyber consulting and forensics assets and chose to hand them to a dedicated security provider rather than build a security business around them.

The tell is in the business model, not the size of the firm. Aon is a broker. It arranges cover and earns commission, but it does not carry the risk on its own balance sheet. When the policy pays out, Aon does not write the cheque, the carrier does. So the loss-prevention math that makes At-Bay and Coalition want to own detection and response simply does not apply to Aon. A broker gets no P&L benefit from mitigating a claim it never pays. A carrier gets the whole benefit. Acrisure sits in between as a broker-fintech, which may be part of why its cyber-services push stalled while the pure carriers accelerated.

So the rule is cleaner than "insurers buy MSSPs." Risk-bearing carriers buy or build security services because it lowers the losses they carry. Brokers, who pass the risk through, do not, and when they do own security assets they tend to sell them. If you want to know which insurance player might realistically buy your MSSP, the first question is not how big they are. It is whether they hold the loss.

The reverse flow: warranties and primary policies

The traffic runs both ways. While carriers move into security, security vendors have been moving into something that looks a lot like insurance, and telling the two apart matters if you are choosing where to sit.

The clearest version is the vendor warranty. Arctic Wolf doubled its warranty to $3M in April 2025 and paired it with an insurance partner program, the same warranty that shows up in the AI SOC economics of outcome-based pricing. SentinelOne got there first, establishing a breach warranty of up to $1M back around 2016 and effectively originating the category. A warranty is a vendor's promise to cover certain breach costs if its own product fails to stop an attack. It is a product guarantee dressed for the security market, not a regulated insurance policy, and the vendor funds it, sometimes with a carrier behind the scenes.

Then there is the MSP-native version. Cork is an independent, VC-backed cyber-warranty company built specifically for MSPs, which raised a $6M seed round and partners with names like Liongard and Barracuda. Cork is not owned by an insurer and it is not an MSSP either. It is a warranty layer an MSP can wrap around its own stack, which is its own signal: the warranty concept has become valuable enough to fund as a standalone company aimed straight at the channel.

The distinction that actually matters is between a warranty and a primary policy. When Huntress and Acrisure announced their cyber insurance program in May 2026, with a $0 ransomware deductible for customers running Huntress EDR and ITDR, that was not a vendor warranty. It was actual primary insurance, underwritten through Acrisure, priced off the security controls the customer already runs. A warranty is the vendor backing its own product. A primary policy is a regulated carrier taking the risk and pricing it on your controls. The Huntress-Acrisure deal is the reverse flow meeting the main flow in the middle: a security vendor and an insurance player packaging protection and coverage as one purchase, where your security posture directly sets your price and your deductible.

Put the two flows together and the border between security services and insurance is dissolving from both sides. That is the market context an MSSP owner is now selling into.

What it means if you own an MSSP

Here is the practical read if you run detection and response and you are thinking about an exit, framed the way I would frame it sitting across the table from you.

You have a new class of buyer, and it values you differently

A PE fund prices your MSSP on EBITDA, growth, retention, and how cleanly you bolt into a platform. A carrier prices you on how much of its loss you can prevent. Those are different questions and they can produce very different numbers for the same business. If your service genuinely lowers breach frequency and severity, and you can prove it with claims-relevant data, a risk-bearing carrier has a reason to value that prevention differently from any financial buyer. The At-Bay 50-percent figure is the shape of the prize: to a carrier, a service that could mitigate more than half of claims, per At-Bay's own analysis, may be worth more than its services multiple implies, because a carrier values prevention differently than a financial buyer does.

But this buyer is not publicly priced yet, so anchor on the PE baseline

Be honest about the gap. Every carrier-MSSP deal in the record above closed on undisclosed terms. There is no public comp for what a cyber insurer pays for a standalone MSSP, no multiple you can point a banker at, nothing to model against. So you plan around the baseline that is visible, which is the private-equity market. CT Acquisitions' advisory synthesis puts MSSP platforms in the $10M to $25M revenue range at 9 to 13 times adjusted EBITDA, cyber-focused MSSPs at 12 to 15 times in PE deals, and reckons owning genuine detection-and-response authority is worth two to three turns over pure alert-forwarding. Treat those as your floor and your frame. The mechanics behind them are the same ones that drive MSP valuation multiples generally and sit under the thesis of the PE firms buying MSPs at pace right now. The carrier premium, if it exists, sits on top of that PE number, and nobody can tell you how big it is because it has never been printed.

Build the thing both buyers pay up for

The good news is that the two buyer types reward the same underlying asset, so you do not have to choose a strategy blind. Both the PE consolidator and the carrier pay a premium for real detection-and-response authority over commodity alert-forwarding, and both increasingly want defensible, compliance-grade evidence that your service works. That is the same pressure showing up in the CMMC land grab, where provable security posture is becoming the price of entry. Own the response, hold the data that shows you prevent losses, and you have built the asset a PE fund wants for its multiple and a carrier wants for its loss ratio at the same time. You do not need to bet on the carrier category maturing. You need to be the business both of them compete for.

One honest close. This buyer category is real and moving, but it is early and opaque. The deals are undisclosed, the premium is unpriced, and Acrisure's pause shows not every entrant stays aggressive. Do not restructure your company around a carrier exit that may take years to develop a public market. Build the durable asset, watch which carriers keep buying, and treat the insurance buyer as upside on top of a PE floor you can see.

FAQ

Why would an insurer own an MSSP instead of just requiring customers to buy one?

Because a risk-bearing carrier pays the claims. At-Bay's own analysis of two years of claims found more than 50 percent of its cyber claims could have been mitigated with effective MDR in place. If you own the security service, you can lower the losses you are already carrying rather than hoping a customer picks a good provider on their own. Requiring coverage helps at underwriting; owning the service lets the carrier actively manage its biggest cost line, claims, across the whole book.

What is the difference between a vendor warranty and actual cyber insurance?

A warranty, like Arctic Wolf's $3M offering or SentinelOne's up-to-$1M guarantee, is a vendor promising to cover certain breach costs if its own product fails. The vendor funds it and it is a product guarantee, not a regulated policy. Actual cyber insurance, like the Huntress and Acrisure program, is a regulated carrier taking on the risk and pricing a primary policy off your security controls, with real deductibles and coverage limits. Warranty equals vendor backing its product; insurance equals carrier taking the risk.

Is Acrisure an insurance company or an MSP company now?

Primarily an insurance broker and fintech, valued at $32bn after a $2.1bn round led by Bain Capital in May 2025. It bought several MSPs into Acrisure Cyber Services in 2022, with financials undisclosed, then paused, with no MSP acquisitions in 2024 or 2025. As a broker it passes risk through rather than carrying it on its own balance sheet, which is likely part of why its cyber-services buildout stalled while pure carriers accelerated.

What does the Zurich-Beazley deal mean for Beazley Security's MDR customers?

Zurich agreed to buy Beazley for £8.1bn all cash in March 2026, with shareholder approval secured in April and closing expected in the second half of 2026. Beazley Security, the integrated MXDR business that went live in 2024, comes with the acquisition. Zurich has stated it wants a larger presence in specialist lines including cyber, which suggests it intends to keep and grow the capability rather than unwind it. Nothing about the transaction points to Beazley Security being sold off.

Will insurers pay more or less than private equity for an MSSP?

Nobody knows yet, honestly. Every carrier-MSSP deal on record, from Coalition-Wirespeed to Resilience-BreachQuest, closed on undisclosed terms, and there is no public comp for a carrier buying a standalone MSSP. The logical case is that a carrier could pay a premium over PE because it values loss prevention, not just services EBITDA, but that premium has never been printed. Plan around the visible PE baseline for larger MSSP platforms and cyber-focused deals, roughly 9 to 15 times adjusted EBITDA per CT Acquisitions (smaller generalist MSPs trade well below that), and treat any carrier premium as unpriced upside.

Should an MSSP owner court insurers as buyers, or is the category too new to plan around?

Build for both and bet on neither. The carrier category is real and moving, but it is early, the deals are opaque, and the premium is unproven, so do not restructure your company around a carrier exit. The asset that both a PE consolidator and a carrier pay up for is the same: genuine detection-and-response authority plus data that proves you prevent losses. Build that, keep a live read on which carriers keep buying, and treat the insurance buyer as upside on top of a private-equity floor you can actually see.

What does it signal when a carrier builds MDR versus buys it?

Building, as At-Bay and Coalition did, signals conviction that the security capability is core enough to own from the ground up and integrate tightly with the policy. Buying, as Coalition did with Wirespeed and Resilience did with BreachQuest, signals that the capability gap is too wide or too slow to close internally, so the carrier acquires the team, platform, and leadership at once. Beazley is the hybrid: it assembled a security business over years, and Zurich then bought the parent partly to own exactly that.