OTX Partners

Cyber Insurance for MSPs

In last week's article we brought to light the need for MSPs to shore up their own security. As part of that strategy we discussed the need for a Cyber Insurance Policy to protect against any lawsuits that may arise due to perceived negligence on the part of the MSP.

So let's delve into the cyber insurance industry in general for a minute.

The cyber insurance industry is still very much in its infancy. Although it has been around for a decade or more, that pales in comparison to other forms of insurance such as casualty and property. With more mature forms of insurance, companies have decades' worth of data and actuarial tables to accurately assess risk and assign value to premiums. With less history and a rapidly changing threat landscape, the cyber insurance industry lacks any real method of assessing risk accurately. Thus, there is no standardization across the industry.

At the same time, the cyber insurance industry seems to be experiencing a bit of a plateau in demand, according to a January article in the Harvard Business Review. Of course, that article predated the recent high-profile ransomware attacks against a major gas pipeline and the meat packing industry. The demand for cyber insurance will most likely be on the rise again as corporate balance sheets return to normal post-COVID.

Meanwhile, back in the MSP world, recent incidents such as the SolarWinds attack and the Kaseya infiltration should come as a wake-up call to all MSPs. We can do everything we can to bolster our own security, but most of us are vulnerable to weaknesses within our business partners' security. There is little that we can do to prevent their tools from becoming weapons that we inadvertently help distribute. Had the Kaseya breach affected their SaaS customers, the effects would have been catastrophic. Literally thousands of SMBs would have been shut down, and they would be looking to their MSPs for restitution. The rash of cascading lawsuits would have been tremendous: SMBs suing MSPs, MSPs suing Kaseya, etc. Even if Kaseya were able to pay a single ransom payment to get an unlock code to be distributed to all affected systems, it would take a while, and all of those SMBs would incur significant downtime and losses. Even though the MSP is simply the middleman in this attack, customers would perceive them as being responsible.

This just demonstrates the need for cyber insurance for MSPs. However, due to the immature nature of the industry, it is important that MSPs shop carefully. Work with a firm that specializes in the MSP business. MSP Alliance offers Cloud and MSP Insurance policies to its members. Some MSSP services offer cyber insurance along with their security services for added protection. Regardless, read the fine print. Make sure there are no glaring exclusions or very low caps on payouts.

Finally, don't bear the entire burden of insuring against cyber-crime. Make sure you are encouraging (or even requiring) your customers to purchase their own cyber-insurance policy. Make sure they fully understand what their own responsibility is in protecting themselves. A user clicking on the wrong link or wiring a gajillion dollars to Nigeria is not the MSP's fault. They will need their own policy to recover losses in those scenarios.

Going back to last week's article, you'll have to get your internal ducks in a row to get the right coverage, so start there. The insurance company is going to want to see the protections, countermeasures, and policies you have in place before it offers you coverage.

The time to get started is now.