
Cyber Insurance Providers Offer Their Own MDR


Beazley Security, the cybersecurity services business unit of the insurance giant Beazley, is getting into the managed XDR business in competition with incumbent players including technology vendors and MSSPs.

Beazley recently announced the merger of its in-house cyber services team with its wholly owned cybersecurity company Lodestone, creating Beazley Security, an integrated cybersecurity risk management company. The new company sells cybersecurity services in addition to bundling in a cybersecurity insurance policy.

Should MSSPs and MSPs brace for market disruption as a new class of competitors potentially undercuts them on price?

That depends on who you ask. But this most recent move isn’t the first time cybersecurity insurance companies like Beazley have offered cybersecurity services. It’s just the newest one. Companies such as Beazley have established a beachhead of security offerings.

As part of its announcement, Beazley Security said it will deliver integrated cyber preparedness and response capabilities while investing in new services, such as a managed eXtended detection and response (mXDR) solution.

Insurance, Cybersecurity Converge

Chris Clymer, chief information security officer of MSSP Inversion6, said that the insurance industry’s move into the cybersecurity space “has been one of the most interesting stories in security of the last decade.”

He sees a growing group of carriers who are hands on with tech, offering to discount your insurance if you allow them to perform their own vulnerability scans, add security agents to your endpoints, and/or have their employees perform your forensics. 

“There has been a growing group of carriers who are hands on with tech,” Clymer said. “I think this is a very interesting approach to the market, and having these services all bundled is going to be very attractive for certain companies, especially those struggling to afford all of these controls on their own.”

Jen Greulich, co-founder and chief operating officer of MSSP Legato Security, welcomes the initiative taken by cyber insurance agencies to offer security services to customers.

“It is encouraging to see the industry evolve towards a more comprehensive approach to cyber risk management,” Greulich said. “While these agencies are making strides to enhance their business strategies, this move validates the model that MSSPs like Legato Security are taking to help organizations develop a holistic approach to improving their security posture.”

Accordingly, Legato Security believes that MSSPs will continue to see success in a market with a growing demand for managed, strategic and professional services.

“We see a great market opportunity for MSSPs to partner with insurance agencies to provide these types of services,” he said.

Paul Levasseur, vice president of Enablement at Stellar Cyber, emphasizes freedom of choice as the cybersecurity landscape evolves and MSSPs continually adjust to safeguard their clients from security risks.

“Utilizing advanced analytics from open systems that present security coverage data across all security tools within an organization, clients of MSSPs have the flexibility to choose their preferred MSSP and cyber insurance provider,” Levasseur explained. “This empowers clients to construct a customized defense strategy aligned with their specific requirements and preferences for security and cyber insurance, avoiding dependency on a single solution.”

A “Nothing Burger”?

While a cyber insurance carrier offering MDR services may be something new, they have been offering vulnerability scans, security awareness training and other types of cybersecurity services for years, according to Joe Brunsman, a cyber insurance broker, a cybersecurity law expert and best-selling author.

Speaking to MSSP Alert about the potential disruptive market forces at play, Brunsman was explicit in his belief that the cyber insurance carriers getting into the cyber services game would not amount to much.

As he explained, “Pragmatically, I think it's a big ‘nothing burger.’ And the reason I say that is from the boots on the ground perspective. I don't think it's going to impact the industry whatsoever materially, because the end user just doesn't know what this stuff is. I don't think it's really going to in any material way displace MSPs or MSSPs. Realistically, it's just one slice of the pie as far as cybersecurity goes.”

Brunsman went as far as to say that a cyber insurance salesperson is not going to fully understand what something like MDR is or be able to fully articulate it to a customer. That said, the customer should already have retained an MSP or MSSP and be relying on them for the appropriate services and advice.

He cautioned that cyber insurance companies offering, say, MDR will assume more risk if something goes wrong.

“As an insurance company, you may have a ton of risk and money on the line now because instead of this guy getting popped and this guy getting popped, it's now you have like hundreds of policyholders all getting hit at the same time, all with the same thing,” Brunsman explained.

Clymer cautions that cyber insurance carriers offering security services can also be a potential conflict of interest. As such, your MSSP partner is now concerned both with protecting your environment and limiting their own costs from insurance payouts.

“This will lead to many positive outcomes for security but it also puts your carrier in a position of actively being involved in and driving your security program,” he said. “Your own ability to choose how to prioritize security efforts, vulnerability remediation, etc. could become secondary to the desires of the partner you’ve brought in that wields significant financial leverage. I want the carrier to be a key, trusted partner in my security program, but ultimately, I don’t want them in the driver’s seat dictating how we run the day-to-day.”

Jake Milstein, chief marketing and revenue officer for MDR provider Critical Insight, said he has heard from end customers that they are leery of their insurance carrier having that much access to their network if it were in fact also providing security services.

“They’re wary of the actual insurance carrier having that much data about their network because they could find something that would allow them to deny a claim,” he said. “They’re more comfortable with the relationship between an external MDR provider and the insurance company so that the end customer continues to own the data and the data is not owned by the insurance company.”

Milstein said that while a few cyber insurance companies are trying to get into the security business, he believes that companies will ultimately reject it. However, MDR companies are offering cyber insurance, and he believes that “some of them have an actual relationship with a carrier that in some ways has gotten a little too cozy.”

There are also MDRs that instead offer a warranty for their service, and that’s where the details truly matter.

“A warranty is where you know if something happens there's, say, a $250,000 warranty,” he said. “But if you ever see somebody offering something like a $1 million warranty, read the contract because it may not really be $1 million. It could be $200,000 for this and $200,000 for that. Yes, it adds up to $1 million, but it's not what you think it is.”

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.