10 Cybersecurity Insurance Tips for the MSP
It's more than just the fine print.
December 14, 2021
The chances of a cyberattack increase daily and having insurance should be a given. Customers need to protect themselves and take some initiative. Not everything should be left up to the MSP, says CompTIA.
Brian Weiss is CEO of ITECH Solutions, a California-based IT services firm.
“You have a higher chance of getting hit with a cyber incident than of having a fire. Your clients already are paying for things less likely to happen, so why not consider cyber insurance?” Weiss said. “But one thing I recommend: I’ve seen customers hand insurance policy forms for MSPs to fill out. We shouldn’t be doing that. The client needs to fill it out. The MSP should not take on liability for filling out the form.”
MSPs are more likely to be the target of bad actors. This is because MSPs manage the IT infrastructure and networks for hundreds of SMBs. Cyber criminals see this as an opportunity to inflict the most damage, targeting multiple businesses at a time.
That said, 35% of MSPs did not have cyber insurance when they experienced cybercrimes.
As an MSP, you are the valued adviser to your customer. Sometimes the relationship between you and your customer can be challenged when the customer decides to take the reins in decision making. Hold firm to your role as trusted technology adviser. This is especially the case when damage from a cyberattack is in progress and business is being lost.
Jacob Ingerslev is head of global cyber risk at The Hartford, an insurance carrier that offers cyber insurance to MSPs.
“The customer relationship creates a large incentive for the MSPs to quickly resolve the issue in an effort to salvage customer goodwill,” Ingerslev said. “While it is important to restore quickly, it is equally if not more important to remain focused on safety and security.”
Your insurance coverage changes when cyber threats change. Moreover, the cost of a cyber insurance policy is based on analysis of current and future cyber threats.
Matthew Lang is CISO at IND, a New Jersey-based solution provider.
“I don’t know that insurance companies know what they’re going to do, but they will most likely have to do something to address increasing risks,” Lang said. “Not everyone is going to be able to afford 10x rates, but MSPs are also not going to absorb those risks. The bottom line is this — make sure you have controls in place to minimize the risks.”
Some insurance carriers specify that MSPs and their customers meet technical requirements for a cyber insurance policy. One example is multifactor authentication (MFA). By having a conversation with your customers about MFA, MSPs secure their customer base.
Benjamin Dynkin is co-founder and CEO of New York-based Atlas Cybersecurity.
“Think of it this way. If you’re not offering MFA, you open the door to a competitor,” Dynkin said. “A customer’s desire to mitigate their business risk and put in a cyber insurance policy may be higher than staying with you as an MSP. They could potentially face millions in liability versus whatever their monthly bill for you is.”
Having cyber insurance doesn’t mean you should let your guard down. Continue to take cybersecurity seriously. Just because your business is covered financially doesn’t mean MSPs shouldn’t be concerned. Cyber insurance is a great tool for risk mitigation, but it’s no magic bullet. It’s not adequate when it comes to protecting business and reputation. MSPs shouldn’t think it’s better to buy insurance than fix whatever cybersecurity issue is at play.
It goes without saying that it’s important to read the insurance policy from front to back. This is so you can tell your customers that what you say is covered is, in fact, covered. For instance, your insurance provider may have a particular way for mitigating damage. You will need to adhere to those procedures.
“If you try to remediate on your own and you’re not properly logging or you cause information to get deleted that could have helped determine where the threat vector came from, or if it’s still ongoing, the insurance company may void the claim because you did not follow their guidance,” Weiss said. “If you stick to their plan, they can’t come back and say you didn’t do ‘XYZ’ and you caused the damage to be worse.”
MSPs and customers may both have cyber insurance. However, the liability arises with the service agreement. This should be updated periodically to reflect changes in business and the threat landscape. To update adequately means having regular conversations with clients about the latest threats. By reviewing a cyber insurance policy, the customer can understand where gaps exist and how they should be resolved.
If a cyber incident occurs, make sure to contact your insurance company immediately. They will have protocols for mitigating damage that you should follow. Don’t try to resolve the issue by yourself because you may unintentionally destroy evidence for the insurance investigation. Instead, have an incident response plan already lined up with your insurance company. Treat an attack like it’s a crime scene.
Justin Reinmuth is founder and CEO of the Ohio-based Technology Risk Underwriting Group.
“That’s why you have an insurance carrier. They have forensics, breach consultation people. PR people. A whole bunch of folks that specialize in responding to and remediating cyber incidents,” Reinmuth said. “I wouldn’t do anything without the insurance carrier to approve it.”
Not all insurance companies are staffed with employees skilled in cyber areas. Providers often rely on third-party companies to investigate and remediate cyberattacks. That said, there may be an opportunity for MSPs to serve as cyber experts for insurance companies, complementing the provider’s internal staff.
Cybersecurity insurance is increasingly necessary when malicious hackers do more than just disrupt software and hardware.
Bad actors in ransomware attacks demand more and more money that providers can’t afford to pay; and in most cases, they shouldn’t. Moreover, customers continue to file lawsuits against their providers when these and other attacks occur. As a result, MSPs need to protect themselves financially and legally.
So how do MSPs know what kind of cybersecurity insurance procedures to put in place? Experts have outlined 10 things, compiled by the members of the CompTIA Information Sharing and Analysis Organization (ISAO), that MSPs should consider when adopting a policy (see slide show above).
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Claudia Adrien or connect with her on LinkedIn.