Do IT service providers need MSP cybersecurity insurance?
Today's fraught threat landscape puts MSPs and customers at risk. Purchasing liability insurance reassures subscribers while protecting providers in case of a malware incident.
Industry experts say, unequivocally, now is the time for IT service providers to invest in MSP cybersecurity insurance if they haven't already.
2019 was a banner year for cyberattacks, with cybercriminals increasingly targeting MSPs as launching pads for ransomware campaigns. Industry experts predicted 2020 to be just as bad, if not worse -- even before attackers started scheming to exploit the COVID-19 pandemic.
For an MSP, "it starts with the basic premise that a customer thinks they're hiring you to make sure nothing bad happens," said Robert Scott, managing partner at technology law firm Scott & Scott LLP. Regardless of what an MSP's contract says about specific IT services that it will provide, the customer is always thinking about risk transfer, he stressed.
"The threat landscape has evolved … so much that, for many businesses, it's not a question of if they'll be compromised, but when, and who's responsible," Scott added.
Obtaining professional cybersecurity liability insurance is the most pragmatic way to assure customers they are protected against incidents that may cause them financial harm. When a managed service contract is structured properly, it allows an MSP to provide services to a customer that address the risk and threat landscape without the MSP taking on any more risk than what has been transferred to the insurance company. Insurance can enable an MSP to transfer the liability risk associated with data loss, data compromise and breaches.
Purchasing cybersecurity insurance
As of today, MSP cybersecurity insurance policies are unregulated and not standardized, so it is critical an MSP uses a firm that specializes in cybersecurity liability errors and omissions insurance, said Justin Reinmuth, founder and CEO at technology risk underwriter Techrug.
But some MSPs balk at the cost of cybersecurity insurance. Because it can cost upward of several thousand dollars a year, they don't purchase it, which is "stupidity" and "ignorance," Scott said. Some MSPs likely feel their business is so small they have nothing to lose, but that is a poor assumption.
"I look at this as a doctor practicing medicine without malpractice insurance or a lawyer practicing without legal liability insurance or driving without insurance," Scott said. "It's so risky for your business, and it puts you at a competitive disadvantage in the marketplace."
However, if purchasing MSP cybersecurity insurance comes down to a choice between making payroll and feeding your family, that's a good reason not to purchase it, Scott noted. But beyond that, he said he couldn't think of any reason an MSP offering cybersecurity services would have to go to market without cybersecurity insurance.
Reinmuth agreed, saying the insurance cost might be high for some MSPs, but if you're going to perform cybersecurity services, "you've got the potential for things to go sideways." Like Scott, he cited the analogy of a doctor not having malpractice insurance. It doesn't matter if you provide network security to a single client or to 100; cybersecurity insurance is a must-have.
Scott said he recommends that his MSP clients that offer cybersecurity services include a provision in their contract requiring the customer to also obtain first-party cyber liability coverage.
"It allows the MSP to explain to the customer, 'My insurance covers you in the event there's something that goes wrong that is my fault -- but there's a lot of things that can go wrong in IT that aren't my fault,'" Scott explained. For example, if a customer's employee clicks on a phishing email and exposes the organization to malware, the infection is not the MSP's fault.
How to lower cybersecurity insurance rates
MSPs can make internal changes to reduce how much they pay in cyberinsurance premiums. Insurers want to see tools like firewalls, antivirus protection and secure backup installed, said Eran Farajun, executive vice president at cloud backup software provider Asigra Inc.
"If a company doesn't prove it's shoring up its security practices, [an insurance agency] won't renew a policy," Farajun said. MSPs need to ensure they are doing their due diligence to be more secure.
He recommended MSPs "shy away from using all-in-one MSP solutions like remote monitoring and management software." Even airtight ones have been hacked, he said, and that has allowed attackers to gain access to an MSP's network. "If one component gets compromised, they all get compromised. And that has happened."
Scott said insurance companies will ask if an MSP has a comprehensive security policy, such as an internal breach incident response plan. "This will make your managed services practice a lower risk than others," he said.
Another step is to have an auditable framework in place so third parties can verify and certify you've implemented best practices, Scott said. "From a liability perspective, someone being audited for how their controls have been implemented, and is continually performing risk assessments and reviews, will be at a much lower risk for claims."
Liability is based on an MSP's business revenue. If managed services are part of another business you offer, and you get a high quote, consider creating a separate entity for those services, Scott suggested. Another option, of course, is to shop around among insurance carriers and brokers. You can also adjust your aggregate limit, i.e., the total dollars the policy would pay, as well as the deductible.
Tips for filing claims
If an MSP must file a claim, Scott said to keep in mind that, in most instances, it will be because a customer had an incident that the MSP discloses. The customer might believe the MSP is at fault, however, and will either write a letter claiming damages or file a lawsuit. In that case, the MSP has to contact an attorney, who will notify the insurance carrier.
This triggers a claims process, which starts with an acknowledgment of the notice and a preliminary position with regard to coverage. "You might have a situation where the carrier says, 'We're reserving our rights because we don't know what this claim will be about and there are certain exclusions, but in the meantime we'll provide you with defense,'" Scott explained.
The carrier might even engage forensics experts to recover data or investigate malware to determine who is at fault, he said. MSPs should consider what the cost would be if they have to hire their own lawyers and do the forensic investigation themselves.
Once a claim has been filed, the carrier's interest is to mitigate exposure for the MSP, its client. "They're on the hook contractually to defend and pay a claim."
Having the right coverage at the outset will help ensure claims are accepted. Scott said he likes the cybersecurity liability insurance offered by MSPAlliance, a managed services industry association based in Chapel Hill, N.C., because the insurance is "extremely broad" and essentially covers any services an MSP performs for customers.
Keep in mind, however, that every policy has exclusions. "In a lot of cyber[security] cases, it's not entirely clear what happened. Merely saying, 'My customer had a loss and I'm an MSP' isn't going to cut it," Scott said.
The MSP needs to share the results of a thorough investigation with the carrier. In the absence of that, if the cause of the damages is not conclusively demonstrated, coverage becomes questionable.
How can MSPs ensure claims are accepted?
The key to assuring a claim will be covered is to let the insurance carrier know you're doing everything you should be doing from a technology perspective, Reinmuth said.
"Don't misrepresent what you're doing," he emphasized.
Also, find an agent who will make sure there aren't any unnecessary exclusions in your MSP cybersecurity insurance policy. For example, in a policy Reinmuth recently reviewed for an IT provider that wanted to switch to Techrug, he learned the MSP's current carrier "went above and beyond to add in an inclusion about backups not being covered."
Reinmuth also found a number of basic items not included -- "things like cyberextortion, business interruptions, forensics, regulatory fines and penalties." This is why it's important to find someone who specializes in cyberinsurance.
"The MSP's job is not to become insurance experts," he said.