7 Things You Should Know About Cyber Liability Insurance

Author: Craig Pollack Date: Sep 23, 2021 Topics: IT Services, Best Practices, Cybersecurity

If there’s one thing that the recent ransomware attack on Kaseya has pointed out, it's that MSPs - and for that matter every organization - need to take cybersecurity seriously, protecting themselves with the appropriate tools, processes, and policies. But that’s just technology protection. As hackers increasingly demand cash or cybercurrency and businesses file lawsuits against their providers, everyone needs to be protected financially to ensure their long-term sustainability.

Cyber insurance policies are becoming an important component of any technology solution or relationship between MSPs and their clients. And for good reason. The average cost of a ransomware payment jumped from $4,000 to $178,000 in just a few years - amounts that few small businesses can afford to pay.

Increasingly, companies are adding cyber insurance policies as protection, but like any insurance policy, your coverage is only as strong as your specific policy. There’s a lot to know when considering cyber insurance, so here are 7 things we've put together to keep in mind when you're reviewing your cyber liability insurance:

1. ALL BUSINESSES SHOULD HAVE IT

At this point, having cyber liability insurance should be a no-brainer. The difficult part is understanding what it covers and what you should have coverage for. Organizations need to protect themselves in the increasingly likely event that a hack or breach occurs. The reality is, you have a higher chance of getting hit with a cyber incident than of having a fire. You're already paying for things less likely to happen, so why not address cyber liability insurance?

And while we always help our clients complete their insurance application forms, we really shouldn’t be doing this as it leads to a false sense of security for the client. You need to complete these forms and truly understand exactly what your technology environment looks like and what it is you're looking to protect.

2. ALL MSPS (OR IT SERVICE PROVIDERS) SHOULD CARRY IT

Recently, MSPs have become a more frequent target for cyber criminals. This is because they manage the networks and IT infrastructure for dozens if not hundreds of small businesses, opening the door to much more damage than targeting just one business at a time. A recent survey by NinjaRMM and Coveware revealed that 35% of MSPs did not have cyber insurance when they experienced a cyber incident. Thus, the MSP is the perfect target for a supply chain attack. If I want a high ROI on my hacking dollars, an MSP is a far better target.

If you're working with an MSP who doesn't have a cyber liability insurance policy in place - run, don't walk, away. This is a clear indication as to how seriously they take the threat - let alone how seriously they value their own business. If they're not looking to protect themselves, how could they possibly be looking out for your best interest adequately?

3. RISKS ARE INCREASING, SO WILL PREMIUMS/RIDERS

The cost of a cyber insurance policy is based on an analysis of today’s cyber threats and what’s expected tomorrow, as well as what you're doing to protect your organization from these threats. The reality is that these threats change over time, so expect that your coverage will as well - and with it, the related cost to insure against a cyber incident.

Many insurance companies don't know exactly what they’re going to do, but most likely they're going to have to do something to address increasing risks - which means either reducing the risk or increasing the cost. The bottom line is - make sure you have controls in place to minimize the risks, which will ultimately help control the cost.

4. DON'T BE THE PATIENT AND THE DOCTOR

As your trusted technology advisor, it’s important that we help you make the right choices and follow all the rules when it comes to cybersecurity. Depending on the approach to the relationship, this can be difficult, especially in the heat of the moment during an incident that's quickly evolving, when damage is being inflicted and business is being lost.

When it comes to the preventative medicine that is cybersecurity protection, too often, rather than following our recommendations and guidelines, clients end up being their own doctor as well as the patient. And this doesn't do anyone any good.

5. READ THE FINE PRINT

As with any insurance policy, the devil is in the details. Ensure everything that you need to have covered is actually covered.

Also, be aware that if your cyber insurance provider has a very specific procedure for mitigating damage, you need to follow that. Otherwise, you could risk a claim not being covered. If, after an incident, you try to remediate on your own and you’re not properly logging, or you cause information to get deleted that could have helped determine where the threat vector came from or whether it’s still ongoing, the insurance company may void the claim because you didn't follow their guidance. If you follow their plan, they can’t come back and say you didn’t do "X, Y, or Z" and you caused the damage to be worse.

Work with your insurance provider to ensure that your incident response plan syncs with theirs. Their main goal is to minimize damages. It’s hard to tell a client that you can’t immediately start remediation, but if the insurance company says to wait, you need to wait.

6. WORK WITH THE CYBER INSURANCE PROVIDER

In the event of a cyber incident, contact your insurance company immediately and follow their protocol for mitigating damage. If you try to remediate things yourself, you may inadvertently destroy or alter evidence that the insurance company needs to investigate/process a claim. Make sure your incident response plan is developed in concert with your cyber insurance company.

In other words, treat it like a crime scene. That’s why you have an insurance carrier. They have forensics and breach consultation people, PR people, a whole bunch of folks who specialize in responding to and remediating cyber incidents. You shouldn't do anything without the insurance carrier approving it. While your instinct is to go in and solve the problem, you may not be able to do that right away, and that’s a hard mindset to have. So be prepared to have this going in.

7. CYBER INSURANCE IS NOT A SILVER BULLET

Just because you have cyber liability insurance doesn’t mean you shouldn’t take cybersecurity seriously. It’s worse to buy insurance and not address the underlying shortcomings. Even if you're covered financially, your business and reputation could still suffer a significant blow should you get hit.

Cyber insurance is a great way to mitigate risk, but be careful that you’re not incentivizing the wrong behavior. Having insurance doesn't fix the problem. Cyber insurance should be used as an added level of business protection, not a technical solution. It certainly doesn't reduce any risk technically.

SUMMARY

Each of these items is meant to help you be that much more prepared when it comes to the added layer of protection a cyber liability policy can bring to your organization. Remember though, it's not the be-all and end-all. It's merely another arrow in your business protection quiver.

Does your organization have a cyber liability insurance policy currently in place? Or are you looking to get one? What have you done to ensure you've limited your exposure to help keep the costs of a policy down? Share your thoughts with us about this topic in the Comments section below or send me an email to discuss things more in-depth.

Author

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.