Many cyber insurance policies for MSPs, a group that’s considered a higher risk to insure than almost any other class of business, now run to very lengthy documents. In the wake of incidents that impacted MSPs such as the Kaseya ransomware attack in 2021, many insurers continue to “look at MSPs like they have a big target on their back,” insurance counselor Brian Mahon said Wednesday.
On the other hand, the revenue opportunities associated with cyber insurance are massive and growing, according to Mahon, an adviser at independent insurance agency EHD Insurance.
“If you look at cyber insurance applications and the [required] IT controls, it mimics an MSP’s services-offered website almost to a tee,” Mahon said during a session at XChange Security 2023, which was hosted this week in Dallas by CRN parent The Channel Company.
In addition to actually helping provide many of the security controls required to comply with and obtain cyber insurance, MSPs can assist businesses as advisers since many customers “don’t know the IT terminology,” Mahon told an audience of MSP executives. “They need interpreters. They need us.”
To help customers with interpreting cyber insurance policies, however, MSPs must obviously first familiarize themselves with the policies and the process of getting one. And that can be a tall order, according to Bill Suarez, CISO at Southwick, Mass.-based Whalley Computer Associates.
“I think so many people today are just happy to be able to get coverage—and not have had their rates quadruple—but have they really paid attention to what’s in that new policy?” Suarez said.
Suarez acknowledged that he was unfamiliar with some of the issues Mahon raised during the session about cyber insurance policies and technology E&O (errors and omissions) coverage. MSPs are generally advised to obtain a tech E&O policy to cover their professional liability, in addition to a standard cyber insurance policy.
For instance, a measure now baked into many cyber insurance policies concerns cases of a “neglected” software vulnerability, Mahon said.
“Essentially they’re referencing this Common Vulnerabilities and Exploits list, and saying, ‘If you don’t address these in [a certain] time frame that your coverage will slowly decrease,’” he said. “That’s something to be wary of.”
Costs Have Fallen
On the brighter side, the cost of obtaining cyber insurance is “softening,” Mahon said.
The shift could be due to improved risk control and better underwriting—and perhaps even the possibility that threat actors in Russia and Ukraine have been “preoccupied with more traditional kinetic warfare than cyber,” he said.
Regardless, the cost of cyber insurance is now “back to pre-pandemic levels,” Mahon said.
Suarez said he’s looking forward to putting a greater focus on advising customers about cyber insurance in the future. And crucially, doing so is “not just about checking the box—you’ve got to be able to substantiate it,” he said. “Because if push comes to shove, and you can’t substantiate it, [the insurers] are not going to pay.”