10 Things MSPs Need to Know About Cybersecurity Insurance
MSPs are smart enough to consider cybersecurity insurance. However, coverage is only as strong and specific as the policy you have. According to the CompTIA Information Sharing and Analysis Organization (ISAO), there are 10 things MSPs need to know to protect themselves and customers. July’s ransomware attack against Kaseya highlighted one thing: MSPs, as well as all tech companies, need to take security seriously. They must use the right tools, processes, policies, and procedures. This is not just about technology protection. MSPs need to be financially protected to ensure their long-term success. Hackers are increasingly demanding cash and cybercurrency, and customers file lawsuits against providers.
Cyber insurance policies are an increasingly important part of any technology solution or relationship between MSPs and customers. It’s a good thing. In just a few short years, the average ransomware payment cost jumped from $4,000 up to $178,000, which is a price that very few small businesses, even MSPs, can afford.
Cyber insurance policies are becoming more popular among companies. However, as with any insurance policy, your coverage will only be as strong as the policy you have. Cyber insurance is a complex area that MSPs need to be aware of. Here are 10 things you should know, as compiled by the CompTIA Information Sharing and Analysis Organization and other cyber insurance experts.
1. All customers should have it
Cyber insurance should be an obvious choice. Customers must be prepared in case of a hack, breach or malware attack, or customer information being compromised. Brian Weiss is a CompTIA ISAO member and CEO of ITECH Solutions in San Luis Obispo, Calif.
“You are more likely to be hit by a cyber-incident than you are to be in a fire.” He said that cyber insurance is something that clients are already paying for, even though they are less likely to occur. “But I do recommend one thing: I have seen customers fill out insurance policy forms that they want MSPs to complete. This is wrong. It is the responsibility of the client to complete it. The MSP should not assume responsibility for the client filling out the form.”
2. All MSPs should have it
Cyber criminals are increasingly targeting MSPs as they manage the IT infrastructure and networks of small businesses. This makes them a more attractive target than just one business.
NinjaRMM and Coveware recently found that 35% of MSPs didn’t have cyber insurance when they were victims of a cybercrime or had to deal with a cyber incident. This increases business risks.
“The MSP is the perfect supply-chain attack. An MSP is a better target if I want a high return on my hacking dollars,” stated Benjamin Dynkin. Dynkin is cofounder and CEO at Great Neck, N.Y.-based Atlas Cybersecurity, and a member of the CompTIA ISAO SME Champions Council. MSPs can’t ignore cyber risk simply because they are MSPs. Everyone still has to do the exact same thing. MSPs must still carry cyber insurance if clients have it. It’s all about mitigating cyber risk. It’s not possible to pass the blame to clients. Otherwise, you could be facing a serious economic reality of six- and seven-figure damage.
3. As the risks increase, so will premiums/riders
Cyber insurance policies are priced based on the analysis of cyber threats today and tomorrow. These threats are constantly changing, which means that your coverage and the insurance cost to cover a cyber incident will change as well.
“I don’t know if insurance companies know what to do, but they will likely have to do something about increasing risks. Not everyone can afford 10x rates. However, MSPs will not be able to absorb those risks.” Matthew Lang, CISO of IND, a Parsippany, N.J., solution provider, and a CompTIA ISAO member, stated that the bottom line is to have controls in place to minimize risks.
Lang began conversations with customers about increasing their insurance several months ago during quarterly reviews. Those discussions will continue, Lang said.
“Insurance companies cover events in the policies they have, but these were rewritten at year’s end.” He said that things have changed so much since the beginning of the year.
4. Don’t let the customer be the doctor and the patient
Your customer trusts you to be their trusted technology advisor. It is important that they make the right decision and follow all rules. This can be difficult in rapidly changing circumstances where business is at risk and damage is being done. Justin Reinmuth, founder of the Technology Risk Underwriting Group in Lewis Center, Ohio, stated that too many MSPs allow the client to be the doctor and patient.