Confusion reigns supreme in the cyber liability field. If you were to ask ten different insurance agents about the right coverage to protect your MSP business from breaches, ransomware, and other cybersecurity attacks, you might receive ten very different options. That’s not a knock on the profession or the people, but an acknowledgment that with so many diverse risk factors, you need someone who understands the IT services business model to guide you through the process.
Cyber insurance is not your garden variety policy. The insurance agents who handle your house and car may be at the top of their game, but what do they know about phishing attacks, ransomware, and MSPs’ risk profiles? Cybercrimes are a much different animal. Glass coverage and tort liability discussions require knowledge and expertise in those specific areas and, while those professionals may be awesome at what they do and be well respected in your community, protecting your business against advanced security threats requires a much different skill set.
That’s why MSPs have to ask potential insurers all the right questions. While a good first step towards finding a suitable cyber liability partner may involve getting recommendations from peers, you still need to ensure those firms can understand and address the specific needs of your business.
Experience is the connector. MSPs need to rely on the insight of skilled cyber liability experts, and that process begins with asking the types of questions you might ask any prospective supplier, such as:
- What types of organizations does your firm currently support with cyber liability insurance?
Ask prospective agents and brokers about their roles in the application, assessment, and claims processes. Don’t settle for simple answers. Be sure to discuss how actively their employees get involved in each of those steps and get introductions to your company’s “go-to person” should you sign a contract. The key is to know which people to contact, and all the responsible parties to engage, should your MSP get hit by a cyberattack.
- What does the proposed policy cover?
Partners need to ensure the insurance applies to their specific business situations and relationships. The unregulated nature of cyber liability insurance tends to confuse MSPs and their SMB clients, so it’s imperative that providers understand the various coverage levels and, more importantly, the exclusions. For example, some policies may not cover specific actions you may need to take on behalf of your firm or your clients.
Those exclusions can break an MSP. Should cybercriminals get your firm in their crosshairs, you’ll want a policy in place that covers all the likely and some of the less common scenarios. You’ll need to ask many other questions to clarify the coverage and any exclusions, including:
- Does the policy cover ransomware payments?
- Will your company reimburse us for regulatory fines or penalties?
- What types of business losses and expenses are covered (such as lost revenue and other costs associated with an attack and any subsequent downtime)?
- Does the policy pay out on employee-aided attacks, whether their actions are sabotage, negligence, or accidental?
If your clients get hit by an attack distributed through your network connections, whether from a direct hit on your business or through a vendor partner’s toolset, your company’s exposure can grow exponentially in a short amount of time. Your cyber insurance coverage must correlate with the size and scope of those potential liabilities. From the cost of restoring operations of every client and incurred regulatory fees or penalties to the damages and legal expenses from resulting lawsuits, the price tag for a single incident could blow your mind.
Review and Periodically Update Coverage
Like your home or business, cyber liability insurance needs will likely change over time. If your MSP is growing its clientele by 10%-20% each year, your financial exposure could rise at a similar rate, if not more, depending on the size and type of businesses you support. The total damages from a ransomware attack originating from your systems could easily eclipse your coverage if you’re not paying close attention.
Brokers and agents need a general idea of your firm’s total dollar exposure. Insurers experienced in IT services understand the industry risks, and you should prepare to answer their questions relating to potential liabilities. That process may take some time and could force your team to do extra homework ‒ this isn’t a place to take shortcuts or fudge the numbers ‒ but providing the right information helps ensure you’ll receive policy options to cover your damages if one of those worst-case scenarios were to occur.
Do you have the right coverage for your MSP business? The best way to understand the type of policy and limits you need and avoid the exclusions that can cost you substantially if hit with an attack is to find a broker or agent with considerable experience supporting the IT services community. Ask as many questions as it takes to feel comfortable signing that check for the initial premium.
Don’t limit your queries to those few included in this post. Information and best practices for acquiring cyber liability insurance are a top focus for MSPs according to feedback from IoTSSA members, and we’re planning to offer a host of new podcasts, articles, and other resources related to that topic in 2020. Stay tuned for more details…
If you are looking for more insights on cyber liability, check out our Podcast with Brad Gross, a lawyer experienced in the IT Channel.
Brian Sherman, Content Director