The increasing frequency and severity of ransomware attacks are driving significant changes in the cyber insurance market. The May 2021 attack on Colonial Pipeline Co. showed—or rather, confirmed—just how vicious and financially damaging these events can be. Unsurprisingly, cyber security insurers are taking steps to limit their exposure to losses from cyberattacks. While some of these changes are small and reasonable, like requiring broader use of MFA, insurers like Lloyd’s of London are also moving to place tighter exclusions around state-backed cyberattacks within their policies, which is causing a lot of frustration in the industry, especially among MSP businesses.
As an MSP’s role is to manage their clients’ IT assets, data, and business processes, they have become an attractive attack vector for cybercriminals. In fact, in a recent report N-able found that MSPs are fast becoming primary targets for cyberattacks, with 90% having seen an increase in attacks on their business since the pandemic started. This means that insurers now see MSP businesses as representing a greater risk, and as a result MSPs applying for cyber insurance cover are seeing tougher application criteria and increased rates.
In this blog, I’ll highlight some key things MSPs should keep in mind when applying for cyber insurance and some best practices to help them navigate the process of getting proper cyber insurance cover, as well as how having the right tools (from EDR to data protection) can help reduce perceived risk.
Let’s start from the top.
What is cybersecurity insurance?
Cybersecurity insurance, also referred to as cyber insurance or cyber liability insurance, is an insurance policy that provides coverage for business losses caused by cyberattacks, data breaches, or other technology-related risks.
It’s important to note that policy agreements vary from insurer to insurer. While some insurers may provide only a single cybersecurity insurance policy, others may offer multiple distinct policy agreements. Additionally, some insurers may also offer first-party and third-party cybersecurity liability insurance separately, and it’s important that MSPs understand the difference here:
- First-party cybersecurity liability insurance provides coverage for cyberattacks, data breaches, or other covered events involving the insured business and can help reduce the financial burden associated with responding to the event.
- Third-party insurance provides coverage for the insured business against claims made by a third-party that the actions of the insured business caused damages to the third-party. This provides protection for businesses like MSPs and other IT service providers that are responsible for maintaining a client’s IT infrastructure or defending a customer against cyberattacks, data breaches, or other security incidents.
Also, some insurers may offer data breach insurance separately. This type of insurance often has a narrower scope of what qualifies for coverage than cyber liability insurance, offering first-party coverage for costs associated with a breach where the covered sensitive information is stolen, lost, or otherwise improperly shared with an unauthorized third party.
Be Aware: Third-party cyber liability insurance does not cover the financial costs associated with an MSP responding to an incident at a customer. It would only protect the MSP in the event the third party (their customer) sought to recover damages incurred because of a cyber incident. This means that if a customer does not have their own first-party cyber liability coverage then the cost of responding to an incident would have to come out of their own pocket, or they could seek to recover their losses by suing.
How much does cybersecurity insurance cost?
As with the policy agreements, the cost of cyber insurance policies varies a lot too. Many factors influence cyber insurance premiums, from company size and annual revenue to coverage level and claims history, they can also vary between country or state. However, risk exposure and the level of coverage you choose are the most influential factors.
According to a recent industry study, in 2021 the average cost of cyber insurance for companies in the U.S. with moderate risk was around $1,500 per year. The rise in ransomware attacks and data breaches has subsequently increased companies’ risk exposure, leading to higher premiums. In fact, the same study reports an average increase of 25% in premiums for 2022, with some companies paying as much as 80% more. The Marsh Global Insurance Market Index shows significant cyber insurance price increases in all geographies, not just the U.S..
For 2023, the outlook for companies looking to access cyber insurance is quite gloomy. Experts are warning that many organizations may not be able to get cover due to the surge in cyber threats, economic struggles, and changing regulations.
However, you should not lose hope.
Be Aware: Dependent on the security controls you have in place and how many cyber insurance requirements they help you meet, you could still potentially obtain a lower cyber insurance premium.
What are the most common cybersecurity insurance requirements?
To assess the amount of coverage you need, your business will have to go through a risk assessment. Part of the risk assessment requires the business being insured to fill out a questionnaire outlining their cybersecurity insurance requirements. Again, these questionnaires can vary a lot between insurers, as there is no commonly accepted questionnaire template in the industry. But while the individual questions vary, they can still be grouped into a few broad categories:
- General Information—Company name, revenue, etc.
- People—Roles and responsibilities
- Technology—Information technology solutions in use, including single point solutions like EDR or AV
- Processes—How technology is used in the business, workflows, etc.
- Data and Data Collection—Type of data being held, who owns it, process it, etc.
- Security Controls—Secure IT configurations, physical security, best practices, NIST CSF, CIS Controls being followed
- Historical and Previous Claims—Previous events related to insurability
In terms of security controls, it’s increasingly apparent that some tools and services are becoming “must-haves” for cyber insurance coverage—these include, multi-factor authentication, vulnerability scanning, endpoint detection and response, backups, and business continuity planning. While additional ones, such as privileged access management, may also help lower the rates. However, again, because of the lack of any defined standards, “must-haves” and “good-to-haves” can also vary from insurer to insurer.
Be Aware: It’s important to provide factually correct information on these questionnaires as well as any other questions asked by the insurer. You must never get creative with your answers or take shortcuts to speed through the risk assessment process. Misrepresentation of any information provided to the insurer may provide grounds for the insurer to refuse to pay any future claims.
Key Takeaways for MSPs
Cybersecurity Insurance can be an intimidating project to tackle. However, familiarizing yourself with the types of policies on the market and the different requirements you’re likely to be faced with can help alleviate some of the anxiety that comes with it. Also, it’s crucial to have a clear understanding of the risk your business presents and the risk exposure you face from your clients before you start.
MSPs need to be mindful of the differences between first-party and third-party cybersecurity coverage. And more importantly, you need to remember that as an MSP or IT service provider, the first-party cybersecurity insurance cover you receive for your own business does not confer any benefits to a client if they suffer a cyber threat event.
Also keep in mind that the process of getting cyber insurance coverage is one thing; making a claim in the event of a successful cyberattack is another. Make sure you can demonstrate you have taken due care in implementing a solid security posture with documentation and auditability of security controls that are in place—you don’t want to find yourself in a situation where an insurer may have cause to deny a claim.
Ensure that you fully assess your security posture and that of your customers, and ensure you have a strong baseline for security. If you need ideas on where to start, put in place a solid security baseline such as the CIS Controls v8 for Implementation Group 1 and enforce it across all your customers. And then think about what additional security controls, such as those in IG2 and IG3, that you can add to strengthen your posture and possibly lower your cyber insurance premiums.
And last, but not least, remember that your business is on the line. If unsure, seek legal counsel familiar with the MSP space and cyber insurance.
If you are pressed for time and resources and need to get started with improving the security posture of your clients today, you’re not out of luck. There are some quick wins that anyone can implement in almost every environment. Making the move from legacy AV to an Endpoint Detection and Response solution and from on-site, image based backups to more modern off-site first data protection solutions can help you meet or even exceed the requirements asked for by many cyber liability insurance providers. Check out N-able EDR and Cove Data Protection to find out how we can help meet your business’ requirements.
For more security insights and best practices, be sure to check out the security events organized by N-able’s Head Nerds.
Lewis Pope is the head security nerd at N-able. You can follow him on Twitter (@cybersec_nerd), LinkedIn (thesecuritypope) and Twitch (cybersec_nerd).
