10 Things MSPs Should Know About Cybersecurity Insurance

MSPs are smart to look at cybersecurity insurance, but coverage is only as strong as your specific policy. Here are 10 things that MSPs should know to protect themselves and their customers, according to members of the CompTIA Information Sharing and Analysis Organization (ISAO) and other cyber insurance experts.

If there’s one thing that July’s ransomware attack on Kaseya has pointed out, it’s that MSPs—and every tech company—need to take security seriously, protecting themselves with proper tools, processes, and policies. But that’s just technology protection. As hackers increasingly demand cash or cybercurrency and customers file lawsuits against their providers, MSPs also need to be protected financially to ensure their long-term success.

Cyber insurance policies are becoming an important component of any technology solution or relationship between MSPs and customers. For good reason. The average cost of a ransomware payment jumped from $4,000 to $178,000 in just a few years, amounts that few small businesses, including MSPs, can afford to pay.

Increasingly, companies are adding cyber insurance policies as protection, but like any insurance policy, your coverage is only as strong as your specific policy. There’s a lot to know when considering cyber insurance, especially if it’s a new area for MSPs. Here are 10 things to know, compiled by members of the CompTIA Information Sharing and Analysis Organization (ISAO) and other cyber insurance experts:

1. All Customers Should Have It

Cyber insurance, frankly, should be a no-brainer. Customers need to protect themselves in the increasingly likely event that a hack, breach, malware or phishing attack occurs and customer information is compromised, according to Brian Weiss, a CompTIA ISAO member and CEO of ITECH Solutions, based in San Luis Obispo, Calif.

“You have a higher chance of getting hit with a cyber incident than of having a fire. Your clients already are paying for things less likely to happen, so why not consider cyber insurance?” he said. “But one thing I recommend: I’ve seen customers hand insurance policy forms for MSPs to fill out. We shouldn’t be doing that. The client needs to fill it out. The MSP should not take on liability for filling out the form.”

2. All MSPs Should Carry It

MSPs have become a more frequent target of cyber criminals because they manage the networks and IT infrastructure for dozens or hundreds of small businesses, opening up the door to cause much more damage than targeting one business at a time.

A recent survey by NinjaRMM and Coveware revealed that 35% of MSPs did not have cyber insurance when they experienced a cyber incident or were the victim of a cybercrime, escalating unnecessary business risks.

“The MSP is the perfect supply chain attack. If I want a high ROI on my hacking dollars, an MSP is a far better target,” said Benjamin Dynkin, co-founder and CEO of Great Neck, N.Y.-based Atlas Cybersecurity and a member of the CompTIA ISAO’s SME Champions Council. “MSPs don’t get to ignore cyber risk because they’re MSPs. Everyone still needs to do the exact same thing. If clients have cyber insurance, MSPs still need to carry it too. It’s still about mitigating the cyber risk. You just can’t pass the buck to clients, or you could face a very serious economic reality of six- or seven-figure harm.”

3. Risks Are Increasing, So Will Premiums/Riders

The cost of a cyber insurance policy is based upon an analysis of today’s cyber threats and what’s expected tomorrow. The reality is that as those threats change, so will your coverage—and the cost to insure against a cyber incident.

“I don’t know that insurance companies know what they’re going to do, but they will most likely have to do something to address increasing risks. Not everyone is going to be able to afford 10x rates, but MSPs are also not going to absorb those risks. The bottom line is this—make sure you have controls in place to minimize the risks,” said Matthew Lang, CISO at IND, a Parsippany, N.J., solution provider, and a CompTIA ISAO member.

Lang started conversations about escalating insurance with customers several months ago during quarterly business reviews, and those discussions will continue, he said.

“In the policies we have, insurance companies are covering events, but those were rewritten at the end of last year. We’re halfway through the year and things have changed so much,” he said.

4. Don’t Let the Customer Be the Doctor and the Patient

As the trusted technology advisor to your customer, it’s important that you help the customer make the right choice and follow all the rules. That can be difficult in quickly evolving circumstances when damage is being inflicted and business is being lost. “Too many MSPs let the client be the doctor and the patient,” said Justin Reinmuth, founder and CEO of the Technology Risk Underwriting Group, Lewis Center, Ohio.

MSP attacks create additional complexities that can interfere with normal incident response, according to Jacob Ingerslev, head of global cyber risk at The Hartford, an insurance carrier that offers cyber insurance to MSPs through CompTIA as a member benefit. “The customer relationship creates a large incentive for the MSPs to quickly resolve the issue in an effort to salvage customer goodwill. While it is important to restore quickly, it is equally if not more important to remain focused on safety and security,” Ingerslev wrote in a blog.

5. It’s a Great Opportunity to Upsell

Insurance carriers are starting to require that MSPs and customers meet certain technical criteria to qualify for a cyber insurance policy, such as multi-factor authentication (MFA). That could open the door for MSPs to have additional conversations with customers and accelerate projects to bring them into compliance.

“Think of it this way, if you’re not offering MFA, you open the door to a competitor,” Dynkin said. “A customer’s desire to mitigate their business risk and put in a cyber insurance policy may be higher than staying with you as an MSP. They could potentially face millions in liability vs. whatever their monthly bill for you is.”

“Get your smartest people in front of clients as soon as possible. MSPs often put their smartest people in the background,” said Lang. “That’s where the danger is. Get in front of clients, make sure discussions are being had. It’s great for sales opportunities. We’re in a bit of a renaissance in terms of what we can achieve. If you don’t have someone good in front of a client, you’ll lose the client. They don’t want to talk to someone who can’t speak to all these challenges.”

6. Cyber Insurance is Not a Silver Bullet

Just because you have cyber insurance doesn’t mean you or your customers shouldn’t continue to take cybersecurity seriously. It’s worse to buy insurance and not fix the problem, according to Dynkin. Even if you are covered financially, your business and reputation could still suffer a significant blow by not having appropriate security policies and protocols in place.

“Cyber insurance is a great tool, a great route for risk mitigation, but be careful that you’re not incentivizing a moral hazard,” said Dynkin. “You don’t want people to think it’s better to buy insurance than fix the problem. Cyber insurance should be used to strengthen someone’s risk mitigation, not be the risk mitigation.”

7. Read the Fine Print

As with any insurance policy, the devil is in the details. Ensure everything you tell your customer is covered is actually covered. If you say you have a SIEM, or MFA, or need to perform an annual pen test, you better do it. Likewise, if your cyber insurance provider has a very specific procedure for mitigating damage, you need to follow that. Otherwise, you could risk a claim not being covered or not meeting regulatory requirements.

“If you try to remediate on your own and you’re not properly logging or you cause information to get deleted that could have helped determine where the threat vector came from, or if it’s still ongoing, the insurance company may void the claim because you did not follow their guidance,” Weiss said. “If you stick to their plan, they can’t come back and say you didn’t do ‘XYZ’ and you caused the damage to be worse.”

Work with your insurance provider to ensure that your incident response plan syncs with theirs, added Weiss. “They’re amenable to working together. Their main goal is to minimize damages. It’s hard to tell a client that you can’t immediately start remediation, but if the insurance company says to wait, you need to wait.”

8. Review Your Service Agreements

MSPs may have cyber insurance, customers may have cyber insurance, but their service agreement is the link between them and where liability issues may arise. Service agreements should be updated regularly to reflect changes in the market, threat landscape and businesses.

It’s critical to have cybersecurity conversations all the time with clients and prospects. Explain to them the risks, show them the latest threats—and the damage being done. If they haven’t had an incident themselves, too often a cyber-attack is viewed as something that just happens to “other people,” said Weiss.

“Many have the attitude ‘We’ve done it this way for 10 years, why not continue the same?’” he said. “The problem is it’s not a matter of if but when and they have no idea what the damages might be.”

Reviewing a cyber insurance policy is another way to review current solutions and help the customer understand where gaps may lie and how they should be addressed, Weiss said.

9. Work with Your Cyber Insurance Provider

In the event of a cyber incident, contact your insurance company immediately and follow their protocol for mitigating damage. If you try to remediate yourself immediately, you may inadvertently destroy or alter evidence that the insurance company needs to investigate/process a claim or determine general liability. Have an incident response plan in concert with your insurance company.

In other words, treat it like a crime scene, according to Reinmuth.

“That’s why you have an insurance carrier. They have forensics, breach consultation people. PR people, a whole bunch of folks that specialize in responding to and remediating cyber incidents,” he said. “I wouldn’t do anything without the insurance carrier to approve it.”

“If your guy starts doing something, it could void coverage completely. The MSP has a problem. Tell your insurance company. I’m coming in, is that OK? We do business with eyes wide open. Your instinct is to go in and solve the problem, but you may not be able to do that right away, and that’s a hard thing to tell the customer.”

10. Work for Your Cyber Insurance Provider

Insurance companies don’t always have cyber-skilled professionals on staff. Some rely on third-party companies to mitigate/investigate/remediate. It’s a long shot, but if you have a lot of cyber experience, there’s potential opportunity to become a trusted partner with an insurance company and get called in when one of its customers has a cyber incident.

The Hartford employs dozens of cyber experts in house but occasionally might look for help to complement its internal staff, according to Matt Moossa, regional director of small commercial underwriting, at The Hartford.

“[Our own staff] is how we understand what risks to insure and at what terms. We do tap some third-party vendors for value added services like remediation or public relations assistance, but we are fully capable of reviewing complex cyber risks and measuring their total exposure,” he said.

Some solution providers may find lower margins than their normal business, but it’s additional revenue if it can be secured.

Added Reinmuth, “It’s hard to get on the carriers’ lists. They usually look for folks that have a strong regional or national presence and a specific niche but if the opportunity presents itself, it is a great way to build your business with new opportunities.”

 

CompTIA has partnered with GCG Financial and The Hartford to create a cyber insurance program exclusively as a CompTIA member benefit.