Yes, cyber insurance is a hassle, but in the right hands it’s a valuable tool for protecting customers and adding revenue too. Say the word “cyberinsurance” to many MSPs and they groan at the thought of 20-page questionnaires, claims disputes and price hikes.
But Corey Kirkendoll grins ear to ear.
“It’s a golden opportunity,” said Kirkendoll, CEO, 5K Technical Services, a Plano, Texas-based MSP. Revenue at his firm is up over 30% in the last nine months thanks mostly to security products and services that clients seeking coverage are finally buying after years of resistance.
“Everything we’ve been trying to sell is actually getting sold,” he said.
He’s not the only IT provider having that experience. When approached correctly, MSPs increasingly find cyber insurance is less a time-consuming hassle and more of a secret weapon for building long-term relationships, increasing revenue and gaining a leg up on the competition.
A Source of Validation
The key, Kirkendoll and others say, is laying the groundwork before the application process by doing a gap analysis of the security defenses clients have now and the additional ones they need to be adequately protected.
“Most MSPs aren’t having those conversations, because they believe that the customer isn’t willing to pay for it,” Kirkendoll said.
They’re often right too but making that excuse for avoiding the topic can put you in an awkward spot when a client is denied coverage because they’re missing important controls. “There’s an assumption that you’re already doing all that, which is not true in most cases,” said Kirkendoll. That can leave you vulnerable to competitors who are more diligent about security than you are.
“It opens this huge door for someone to walk in and take the customer away from you,” Kirkendoll said.
On the flip side, if you have been speaking frankly with customers about security, cyber insurance assessments will corroborate the recommendations you’ve been making all along.
“They’re going to validate the need for multi-factor authentication (MFA), two-factor authentication, single sign on (SSO) and whatever extended detection and response (XDR) or managed detection and response (MDR) you’re doing,” Kirkendoll said. “It’s like a marriage made in heaven.”
Maria Scarmado, CEO of Dallas-based consultancy Praxis Data Security, agreed. MSPs often find persuading business owners to implement additional security measures an exercise in frustration.
“Now they get to say this is a requirement,” Scarmado said. “If you want to lower your cyber insurance, you have to have these best practices.”
In fact, having good coverage is so important for businesses these days, that some MSPs highlight cyber insurance consulting among their security services. Just be careful not to imply you have the expertise a broker possesses, Scarmado said. Telling businesses that you can help them understand cyber insurance and navigate the application process is OK. Telling them you can meet all their cyber insurance needs isn’t.
Don’t fill out the questionnaire for a client either, added Dawn Sizer, CEO, 3rd Element Consulting, an MSP based in Mechanicsburg, Pennsylvania, unless you’re willing to accept liability for the accuracy of everything in it.
“Will we sit with them and talk them through the paperwork that’s sitting in front of them? Absolutely,” Sizer said. “We will not fill out the paperwork.” And it’s the customer’s signature on the bottom line every time as well.
Partnering for Success
You can leverage the power of cyber insurance assessments even more effectively by allying yourself with a strategic insurance provider. Sizer, in fact, has built her standard security stack around safeguards mandated by her underwriter of choice.
“We have a deep understanding of what the insurance company requires, and then we have an offering that meets all of those requirements,” she said.
Sizer forges collaborative go-to-market strategies with her insurance partner too, and even gets sales prospects from them. Same goes for Kirkendoll, who’s happy to receive those leads even though insurers are legally and ethically barred from paying him for the referrals he sends them in return.
“They’re giving you a smoking hot lead,” he said. “That’s bigger than any referral fee you can do.”
Choosing the right insurance partner is critical though. Sizer works only with brokers and underwriters who know cyber insurance thoroughly versus what she calls “I sell that too” firms.
“I don’t want my clients having the ‘I sell that too’ policy,” she said.
Scarmado suggests working with companies that employ the NIST Cybersecurity Framework or another standard you believe in and have experience with MSPs. CompTIA members can get discounted policies from The Hartford, for example.
Scarmado notes that cyber insurance can produce recurring revenue for MSPs as well as one-time product and project income. Insurers are constantly adjusting their requirements in response to changing threats and technology trends, so an annual or even quarterly coverage review can be a valuable part of a managed services package. “It helps an MSP stay in front of their clients,” Scarmado notes.
As for businesses that don’t want cyber insurance, or the security measures needed to qualify for it? Kirkendoll had a suggestion.
“You probably don’t want that customer as a customer anymore,” he said. “When (versus if) they get hit by ransomware, it’s a sure thing they’ll blame you.”