Cyber insurance requirements are quietly reshaping MSP security packages

Cyber insurance companies are quietly making their requirements more stringent.

“We’ve seen [cyber insurance] become more complex,” says Mike Semel, compliance expert and President of Semel Consulting. “There was a time where if you could fog a mirror, you qualified for cyber insurance. We’re seeing more [requirements] included in the policies now.”

The changes are driven, in part, by the fact that “insurance companies have figured out how much sprawl there is with technology,” Semel says.

To keep up, MSPs are making their security stacks more robust. Here’s how it’s affecting the current face of compliance and cybersecurity.

Rigid requirements and “gotcha” questions

The questions the insurance company asks to determine whether or not your MSP or your client qualifies for a policy are becoming more detailed, comprehensive and often include trick questions. For example, if an application asks whether or not the client uses MFA, their MSP would likely advise them to answer yes—but the insurance company doesn’t want to know if the client uses MFA in some places, they want to know if they use it everywhere. This discrepancy, which the insurance company will discover during their audit in the event of a breach, can be enough to deny the client’s claim, leaving them out millions of dollars. Their next most likely move? Suing the MSP who “gave them bad advice.”

Some of the “gotcha” questions that appear on insurance applications are even more rigid than that. On a client’s application, Semel recently saw the question: “‘Do you use EDR software that monitors and logs all endpoint activity?’… I don’t think I know anybody that could answer yes to that question.”

Wayne Hunter, Founder and CEO of AvTek Solutions, says, “Their questionnaires are getting deeper into asking specifically not only do you have it, but are you maintaining it? And that’s not going to stop, I don’t believe.”

What MSPs need to be aware of

To keep up with the changing cyber insurance requirements, MSPs “need to really be documenting and practicing what they preach,” says Hunter. “A lot of times MSPs will be so focused on doing something from a client, but they’re not doing the same thing for themselves. Does their stack protect them? Because they’ve got to be protected at a different level of what they’re doing to their end clients because they have information from a lot of different people.”

Hunter also emphasizes that if an MSP has even one client under compliance requirements like HIPAA, they need to be following those same standards themselves. “We’re part of that vendor supply chain, which is one of the biggest attack vectors right now. We’re targets. So MSPs really need to make sure they’re practicing that, above and beyond what they’re doing for the customer.”

To keep up with the changing requirements, more robust security packages are becoming mandatory. “First and foremost, MSPs need an EDR or SOC solution—something to protect the endpoints and protect the environment,” says Jorge Alonso, Associate Manager of Solution Specialists at Kaseya. “From there, it’s more consistent analysis of the environment, making sure that there’s no outstanding vulnerabilities with consistent pen testing. Then ultimately, making sure those security requirements are up to date with the compliance requirements they need to follow.”

Stacks—and client conversations—are evolving

These changes are shifting tech stacks—though changes in the industry should result in changes in your stack, no matter where the change originates from, says Hunter.

“If you’re not paying attention to the changes in the business environment, not only cybersecurity insurance, but industry, state, local and federal government, and understanding those security changes, then you’re not updating your stack to stay up with those things,” he explains. “Stack evaluations should be going on all the time, regardless of insurance. Because it’s not just the insurance, it’s whatever you’re doing in the industry—legal, CPAs, banking, etc.—those things get updated and you have to be evolving your stack to make sure it stays up to date.”

“You’ve got to work with your clients and look at them as the whole patient,” says Semel. “If you’re the MSP, you might be the right-arm specialist. People need their right arms; they’re critical. Their email, their network, etc. But if somebody says, is the patient healthy? You can’t just look at the right arm. These are the things that MSPs don’t really see because they’re so focused on the right arm, on what they do. You have got to broaden your scope.”

Protect yourself, not just your clients

Beyond following the compliance requirements of any regulatory bodies their clients are under, MSP need to protect themselves legally in the face of these more stringent insurance requirements.

“MSPs need to have good errors and omissions (E&O) insurance themselves,” Semel says. This will help keep them protected in the event of a client’s cyber insurance application getting denied.

“What it really gets down to is, on any given day, an MSP can screw up,” Semel says. “But the reason you have E&O insurance is the same reason you have car insurance. Even if it wasn’t mandatory, you’d probably still buy it because of the catastrophic costs that can come from a car accident. MSPs should look at errors and omissions insurance as accident insurance.”

“You better have good insurance—and a lot of it. I’ve got a client who has 10 million in cyber insurance. I don’t have 10 million in E&O, because I’m not touching their cyber insurance. I’m not telling them what to answer on the questions. But I will tell you that if I was, I would have $10 million in insurance—because I don’t want to lose everything I own because I gave the wrong answer,” Semel says.

Advice for MSPs struggling to keep up

For any MSPs having difficulty keeping up with the changing requirements, Hunter advises leaning on your peers. “Get in a peer group to understand what’s going on, because there’s a lot of information and it’s hard to stay up on it all. For typical MSPs, it’s hard enough for us to get our techs to put their time in on the ticket, much less write policies, do analytics, do data governance… all of which you have to do for compliance.”

Leveraging vendor services like Kaseya’s can help as well. “We have services in place to help our partners understand what the requirements are and how to implement them,” says Alonso. “We have team members that are experts in those areas and can sit down with partners for a couple hours a month,” to help them keep up with the changes.

Specifically, Kaseya’s Compliance Manager GRC can be a great help. “Anytime a new standard comes out, we update it automatically. We do that on a monthly basis. For example, HIPAA is coming out with a new security rule update. Once that’s done, our team will review the information, update it and push it through. All those [requirements] are going to be included for you automatically through the solution itself. You don’t have to worry about building anything on your own.”

Challenge… and opportunity

Of course, anywhere there is challenge, there is opportunity. Hunter says the change here is to “become a bigger part of a client’s business. If you’re focused just on the traditional old helpdesk and you’re not focused on cybersecurity, compliance and how compliance is driving cybersecurity change, then you’re going to get left behind.”

Related: Cybersecurity and compliance risks are hiding in plain sight