The Four Pillars of Risk Management for MSPs - Tech E&O Insurance
In part three of our series on risk management for MSPs, we'll take a look at the role of insurance. Several months back we posted a blog on the importance of having a comprehensive cyber insurance policy to protect against potential claims of negligence or malpractice from your clients.
Most likely, from the early days of our practice, we have carried Errors and Omissions (E&O) insurance to protect against potential claims for negligence in the course of our work. Should one of our engineers accidentally lose significant data belonging to one of our clients, resulting in a claim, we wanted to make sure we were covered. However, most older traditional E&O policies do not cover cybercrime events.
It is now important for MSPs to carry insurance that covers any type of cybercrime that takes place inside their organization as well as any cybercrime that takes place within one of their clients' environments. For instance, if a client were to experience a ransomware attack and claim that somehow it was the result of negligence on your part (whether true or not), you need to have insurance to cover the cost of remediation should it go that far.
So does the MSP simply shop around for a cyber insurance policy to complement their existing E&O insurance? No, according to Justin Reinmuth of TechRug, an insurance broker specializing in MSPs. "You should really have two policies in one. Your E&O should also be your cyber liability, they should be together." If the policies are separate, there may be gaps. Traditional E&O policies cover errors, omissions, staff mistakes, etc. A proper E&O policy contains third-party liability that covers unauthorized access to your client's network. As an example, if an engineer on your team were to disable MFA on a client's system while troubleshooting an issue and then forget to re-enable it, your traditional E&O likely would not cover it. Even though the issue was caused by an error on your part, the damage was caused by unauthorized access to the network, which is typically not covered under traditional E&O.
As with all insurance policies, the devil is in the details. In his "Tech E&O Insurance Run Through for MSPs" YouTube video, Joe Brunsman of Chesapeake Professional Liability Brokers takes a detailed look at a sample Tech E&O policy with cyber provisions. Brunsman walks us through the definitions of the various aspects of the policy and how they relate to the coverage in common scenarios in the MSP industry.
Another reason to have a single E&O policy with comprehensive cyber coverage is the existence of "other insurance" clauses. Most cyber insurance policies have some overlap with traditional E&O policies. It is common for these policies to include an "other insurance" clause stating that, if another insurance policy in effect has coverage for the particular type of claim, that other insurance policy is primary. Therefore, the coverage under that other policy must be exhausted before the coverage under this policy kicks in. Assuming both policies have that same clause, the two insurance companies will each be claiming the other is primary. Of course, there may be special cases where an MSP has needs that cannot be addressed with a single policy. In such cases they would need to ensure the policies are written in such a way as to eliminate overlap, or have the second underwriter commit to being primary for the special case.
Underlying all of this, the cyber insurance industry is in a major state of flux. According to Justin Reinmuth, "carriers that were in this business two years ago…90% of them are gone." Unlike auto insurance, which has a long-established track record and years of actuarial data to accurately assess the risk, the cyber world is a relatively young and ever-changing landscape. Both the MSP and the cyber insurance industries are unregulated at this time. This makes it a risky business for any underwriter.
The bottom line for MSPs is to work with an insurer that is familiar with the MSP business. Have them craft a full Tech E&O policy with comprehensive cyber liability coverage. At the same time, make sure your legal counsel is familiar with the MSP industry. The combination of the two will ensure that you are adequately protected should the inevitable occur.