What do seat belts and hockey helmets have in common? They used to be optional.
While cyber liability insurance doesn’t fall into this category yet, it’s becoming more and more of a must-have for managed service providers who want to protect themselves and their customers and stay in the game for the long term.
A recent MSP Success reader survey reveals this and other trends around cyber insurance.
It’s Becoming Table Stakes
IT managed service providers are increasingly in the crosshairs of cybercriminals who have learned that any vulnerability in an MSP’s security can serve as an attack vector to reach the hundreds or thousands of downstream clients it serves.
While MSPs are used to carrying insurance policies for errors and omissions and general liability, it’s only in the last three years or so that “they’re finally realizing they need” cyber insurance, says Rusty Goodwin, executive consultant with The Mid-State Group, an independent insurance agency. “I talk with MSPs every week right now who are asking me to help them get it, and it’s the first time they’ve ever had it.”
According to the MSP Success survey results, 73.9% of respondents currently have cyber insurance. That’s still not quite on par with tech errors and omissions/professional liability insurance, which 82.4% of respondents say they have, or general liability insurance, which 87.8% have. Only 6.9% of readers say they have no insurance of any type.
Tito Huynh, vice president of Business Data Services, an MSP based in Overland Park, Kansas, serving the Kansas City area, says his company has had all three types of insurance policies for the past two or three years. Regarding cyber insurance specifically, “I think personally that it’s important for MSPs to have it, because when you’re looking at it from the lens of a hacker … when you get an MSP, you get dozens of companies, if not hundreds of companies.”
“I think we would be doing a disservice to our clients if we didn’t have it,” says Matt Rose, co-founder and chief experience officer at Tech Rage IT, an MSP in Winter Springs, Florida. Rose says his firm has had cyber insurance since 2018.
It’s also another way to protect his business, Rose notes. “There are enough things that make it hard to sleep at night as an MSP owner, but at least I know that if we’re doing the right things, if something happens … I would at least be covered.”
Rose is not alone.
According to the survey, 51.9% of respondents say it’s critical to have the proper cyber insurance in place, while 30.8% consider it “very important.” Just 13% call it “somewhat important” and a mere 4.3% say it’s not important at all.
The Impact Of Market Volatility On Requirements And Prices
The cyber insurance industry has been volatile, with some carriers pulling out of the market, others raising premiums, and most setting a higher and higher bar to obtain a policy.
While just over half (56%) of MSP Success survey respondents say it wasn’t difficult to obtain cyber insurance, 40% say it was “relatively difficult” or “somewhat difficult,” and 5% say it was “extremely difficult.”
In terms of pricing, 59.2% of respondents say their cyber insurance premiums have increased 25-50% over the past year, and 5.6% say they’ve had an increase of 100% or more. Just about a third (35.2%) say they have not seen prices go up.
Lane Cooper calls the cyber liability insurance process a broken system.
“The trend on security spending has been on an upward trajectory, but we have not seen a demonstrable correlation with reduction of risk,” says Cooper, the CMO of Cysurance, a risk mitigation company that insures, warrants, and certifies security solutions. As a result, he says, “You have a situation where premiums are going up but then coverage is going down.”
In addition, early adopters of cyber insurance that experienced a breach and filed claims now “find it very difficult to find insurance after those occasions,” Cooper says, “and often if they do maintain it, they’ll get dropped at the renewal cycle.”
He continues, “What that tells us is that the market is not properly aligned.” One reason for the lack of alignment is that “people are using insurance in lieu of doing the hard work that it takes to reduce risk… Much of the industry is struggling to figure out how they can properly take risk reduction measures that can then be proven, so that insurance carriers can … properly underwrite those risks.”
Rose says Tech Rage IT changed cyber insurance providers in 2020 and saw costs go up “pretty significantly.” However, he adds, his coverage went up significantly as well compared to the first plan he had.
Raising prices was a short-term reaction to the increasing costs of breaches, Goodwin believes, but he expects pricing to level off now that carriers are getting more savvy about transferring risk. These carriers, he notes, are now saying, “We won’t let you transfer this risk to us unless you adopt certain best practices and behaviors. We want you to have multifactor authentication. We want you to do phishing training. We want you to do cybersecurity awareness training. We want you to do endpoint protection. We want you to have backups.”
MSPs are now seeing all these requirements listed in their cyber liability insurance applications, Goodwin says. “What the underwriters know is if we have a client who’s putting these in place, the chances they’re going to get a breach go way, way down.”
Rose says the application process now takes about three hours to fill out, but he says cyber insurance is “not hard to obtain if you’re already doing the things you should be doing as an MSP, not only for yourself, but for your customers.”
At the same time, Rose wants his customers to be doing the right things to protect themselves as well as to protect his own business. That’s why Tech Rage IT’s master service agreement now requires clients to have at least $1,000,000 of cyber insurance coverage; they won’t take on clients who refuse, he notes. The MSA also limits Tech Rage IT’s liability in the event of an incident, he says. For example, “Our MSA specifically says we do not cover any sort of incident response in our monthly fee.”
Huynh says cyber insurance is optional for his clients, “but I highly recommend it, and the reason why I recommend it is the same reason why we recommend our cybersecurity services”; that is, to reduce risk.
“I would do everything I could to ensure that every one of my customers has cyber liability insurance, or it might be enough of a red flag where I would not want to serve them because it’s a guarantee that I’m going to get sued,” says Goodwin. If the customer has a breach and they don’t have insurance, “Who do you think they’re going to come after? They’re going to come after the one with the insurance policy. So, if I’m an MSP, I’m doing everything I can to make sure my clients have cyber liability in place as well.”
Clients who do want cyber insurance are increasingly turning to their MSPs to help them with the security questionnaires.
Rose looks to limit his risk here, too. “We will help them with the insurance applications, but we won’t sign them for them, so we’re not responsible.”
Goodwin agrees. “What you don’t want is the CFO just answering yes to everything, not telling the MSP about it. [MSPs] need to make sure they’re answering it honestly, but they don’t want to fill it out for them. It’s not their obligation.”
How The Vendor Community Is Working To Address The Problem
Still, filling out security questionnaires is time-consuming for the MSP. Mike Puglia, general manager of Kaseya’s security products, says one MSP partner recently told him, “If I added up all the time I spent filling out insurance questionnaires for my customers, it’s probably about three straight weeks of work.”
Kaseya is among a growing list of cybersecurity providers that are aiming to make the process of getting cyber insurance easier, more streamlined, and more affordable for both MSPs and their SMB clients. In March 2023, Kaseya announced a partnership with Cysurance for its Kaseya Cyber Insurance Fast Track Program, available to companies that adopt and implement Kaseya’s IT Complete Security Suite, which includes Kaseya’s Dark Web ID, BullPhish ID, Graphus or SaaS Defense, Datto EDR, and RocketCyber Managed Security Operations Center (SOC) modules.
“We are identifying solutions providers that meet the criteria that our insurance community would be willing to underwrite,” explains Cooper.
The idea, Puglia explains, is that if an MSP is using the suite internally, which has been vetted and certified by Cysurance, the application process is expedited and premiums are discounted. The same is true for customers of that MSP using the entire security suite.
“The more that [insurance providers] can understand and quantify the risk for each business, the more they’ll be willing to write policies,” Puglia says.
Puglia stresses that Kaseya is not selling insurance, but “it’s a benefit of using our technology that you may be able to take advantage of getting better insurance at a lower rate.” MSPs can also use the Fast Track program as a differentiator when talking with customers, he adds. “They’re not selling insurance, but they can say to a customer, ‘Because of the services I provide, I can connect you with an insurance provider that has a program that can help you get it easier and at a lower cost.’”
Other vendors have moved in this direction in 2023 as well. For example, Sophos announced a partnership with cyber insurance provider Cowbell that allows customers running Sophos Intercept X Endpoint Security to opt in to share endpoint health security data, streamlining the cyber insurance process. Barracuda Networks rolled out the Barracuda Cyber Warranty via a partnership with Cork, a startup cyber monitoring and warranty company. MSPs leveraging Barracuda’s full XDR stack will be able to offer the Barracuda Cyber Warranty to their SMB customers. Similarly, Liongard now offers Cork’s warranty to users of its Configuration Change Detection and Response (CCDR) solution.
How To Find The Right Coverage
To find the right cyber insurance coverage at the right price, both Rose and Huynh recommend that MSPs work with a licensed insurance professional, a broker or a wholesaler. And both advise looking for a policy that covers not only the cost of the breach itself, but the cost of business disruption and other ancillary expenses.
Goodwin says a policy should have the proper supplements for both ransomware and financial fraud, breach response, legal fees, damaged hardware, business disruption, third-party coverage, and more.
“And another thing you look for is, do you have insurance that will replace income that you lost because one of your vendors got hacked or breached?” he adds. “A lot of these MSPs have a lot of different software companies they use as vendors. Well, what do they do if their vendors get breached and they can’t operate because a vendor is down? So, there’s a lot of things that a good broker can help you walk through and make sure you have the right kind of coverage.”
Pricing will vary. “If an RMM attack happened and your clients are affected, the bigger you are, the bigger the dollar amount” for coverage, Rose says.
Goodwin stresses, “We want them spending as little on insurance policies as possible, but still making sure they have the right coverage. But don’t overspend. If you’re doing $100,000 a year [in revenue], you don’t need a $5 million policy.”
If you do have a customer that requires a certain amount of coverage, he adds, “make sure that that customer brings in enough money to make paying for that insurance policy worth it.”
Education Still Needed
Surprisingly, both Rose and Huynh say many of their customers neither ask if their MSP business has cyber insurance nor require it, which is in line with the survey findings. Indeed, just 11% of MSP Success respondents say their customers require them to have cyber insurance, and only 21% say they have been asked about it. Meanwhile, a whopping 54% say their clients don’t know enough to ask about it, and 14% say their clients don’t care.
That survey finding, Cooper says, “disappoints me, but it does not surprise me, because I think it requires a new level of digital literacy. When you are working in the midsegment of the market, they’re interested in doing their business and I think often they fail to see themselves as targets.”
“I think that there has to be an educational push from the whole industry” around the need for cyber insurance and the accompanying cyber controls to limit risk, Rose says.
MSPs “need to start walking through this whole area of compliance and security with their customers,” says Goodwin, “or those MSPs will be replaced by MSPs who are willing to do that. And then MSPs who don’t see the need for cyber liability insurance, the first time something bad happens, they’re going to be broke.”
Concludes Huynh, “While it is a cost for you, you can use that as a differentiating factor. If you are a security-focused MSP then you should be saying, ‘We take security seriously, and we take it so seriously that we follow the same practices and recommendations ourselves, and that includes cyber security insurance.’”