MSPs can help reduce their customers’ cyber insurance premiums by ensuring they have a strong security baseline. They should also accelerate projects to bring customers into compliance and meet requirements for tools like multi-factor authentication and secure backup. Many MSPs said that showing clients the value of cybersecurity is a big challenge. Others noted price, and clients agreeing to pay for services as other major challenges.
Ransomware Attacks
Cybercriminals are shifting away from their scattershot approach and targeting more and more businesses. Managed service providers, the vendor’s companies hire to manage their IT infrastructures, are increasingly prime targets as hackers hone their skills and look for ways to scale their attacks. MSPs need to not only focus on improving their cybersecurity posture but encourage and, in some cases, require their clients to do the same. Educating and training staff members on best security practices is critical, but even the most educated employees may need to be corrected. For instance, one errant click of an email attachment can upend the most sophisticated defenses. Companies like Fortinet strongly encourage regular cybersecurity training to help companies avoid paying ransomware settlements to hackers.
MSPs must also protect backup files and ensure those backups aren’t contaminated with malware. They need to scan their systems and isolate any infected machines immediately, ensure they’re not holding their client’s data hostage by taking it offline, and regularly run a proactive threat scan to prevent new threats from coming in through gaps in defenses. Then, they need to be prepared for a disaster recovery scenario. That includes thoroughly investigating the incident to determine its full impact and associated costs, including business interruption, IR vendors, any ransomware settlement, and customer attrition post-incident.
Data Breach Reports
MSPs are often viewed as the low-hanging fruit for cybercriminals due to their smaller resources and limited cybersecurity investments. Despite this, they must remain vigilant because of the increased threat landscape. As a result, MSPs are now reporting more breaches to their insurance providers than ever. While many of these breaches may not have a significant financial impact, they can still cause damage to the reputations and loyalty of customers. It can be especially difficult for MSPs with a high percentage of referral business. Insurance firms have also increased rates and demanded more thorough information on cyber risk in response to the rising incidence rate. It has led to some MSPs deciding against purchasing cyber insurance or creating retainer agreements with legal and forensic services companies to classify and resolve incidents independently. Despite these challenges, there is reason for MSPs to stay positive about the future of the cyber insurance market. The recent drop in attacks directly responds to improved cyber-policing activities motivated by global unrest and concern over attribution. As a result, many cybercriminals have started to feel less safe engaging in attacks, leading to a slower attack pace in 2023. It, combined with a more stable economy, has helped the insurance industry to recover.
Policy Repricing
With a rise in data breaches and attacks against critical infrastructure, policyholders are taking action by purchasing cyber insurance. With the COVID-19 pandemic and work-from-home (WFH) trends, more employees are working remotely and utilizing cloud-first solutions, so a cyber policy is needed to ensure business continuity. However, with the increase in attacks and subsequent insurance industry rate increases, insurers have become more cautious about the underwriting process — leading to higher premiums for many insureds. For instance, insurers now require that companies demonstrate security controls like multi-factor authentication, vulnerability scanning and endpoint detection and response. Additionally, some insurers require that insureds implement more stringent cyber risk management programs such as cybersecurity matrices and cyber threat modeling.
In addition, the growing number of state-sponsored attacks against companies in industries that provide vital services – such as utilities, financial institutions and transportation – is forcing insurers to tighten their definition of “covered perils” within a policy. For example, some insurers have added new exclusions, such as those related to ransomware-as-a-service, making it more difficult for insureds to obtain coverage for the losses caused by these attacks. As a result, some MSPs find that their clients have to pay higher premiums for the same coverage due to these new requirements and others.
Liability Concerns
Even if MSPs try to reduce their responsibility and provide customers with a secure working environment, it is still possible to completely safeguard some clients. Taking precautions, following cyber security best practices, and creating a disaster response plan will help. But in today’s high-threat environment, a single mistake could put a client at risk for financial loss. That’s why it’s important to understand the benefits of purchasing a cyber insurance policy for your clients. It’s a no-brainer for MSPs to offer their customers a cyber insurance policy because it helps mitigate business risks. A data breach, cyberattack, or customer business disruption can be very expensive. With cyber insurance, the cost can be much less. MSPs are also becoming a more frequent target for cybercriminals who know they manage many small businesses’ networks and IT infrastructure. It makes them easier to hit with large ransomware attacks and causes more damage than targeting one small business at a time. While some MSPs have reported fee resistance from their clients, they can overcome this by using a sales and marketing funnel geared towards cyber security. They can also help their clients by analyzing their tech environment to show them where to improve to qualify for a cyber insurance policy.