15 August 2024  —  Jeff Hardy

The critical role of cyber insurance in safeguarding MSPs and their clients


Managed service providers (MSPs) play a crucial role in ensuring that businesses of all sizes operate smoothly and securely. As trusted technology partners, MSPs handle a variety of IT-related tasks, including help desk support, system updates, hardware refresh cycles and, importantly, cybersecurity. Each of these services carries an element of risk because each carries the potential for cyberattacks and data loss.

Given the rapid increase of cyberthreats, it’s imperative for MSPs to understand the significance of cyber insurance coverage, both for themselves and their clients, and the role that cyber insurance plays in the market.

Understanding the different kinds of business insurance policies

It may seem obvious, but it is worth stating that MSPs are businesses themselves. And just like all businesses, they need to protect themselves with various kinds of insurance. There are many kinds of insurance policies, from company health care and employee disability plans to property and vehicle insurance and more. But there are specific insurance policies directly related to the work MSPs do every day for their clients.

·      General liability.

·      Errors and omissions (E&O).

·      Cyber insurance.

·      Liability “umbrella.”

Understanding these policies can be helpful to MSPs in protecting their businesses and also in understanding the needs of their clients. Let’s start by briefly reviewing each one.

What is general liability insurance?

Sometimes called “commercial general liability,” this kind of policy generally protects a business against property damage or loss and personal injury that occurs as a result of business operations or on the business’s premises, among other things. General liability policies always have specific exclusions — too many to list here. But importantly for MSPs, general liability policies almost always exclude professional and cyber liability.

What is errors and omissions (E&O) insurance?

Errors and omissions policies are designed to do exactly what the name implies — to protect the company and its managers from mistakes made in good faith. For example, a manager might accidentally delete an important part of a contract, a client might claim that they received bad advice, or an administrator might make an honest mistake while configuring an endpoint device. E&O policies do not protect businesses from intentional acts. Because of the potential blurred line between E&O coverage and cyber insurance coverage, many insurance carriers strongly recommend or insist that a supplemental cyber policy document — often referred to as a “rider” — be purchased with E&O insurance.

What is cyber insurance?

Cyber insurance is designed to protect businesses from most cyber events. This can include data loss, ransomware, data corruption or exfiltration, the consequences of social engineering and phishing, and more. Importantly, an MSP’s cyber insurance coverage does not extend to client data or systems — it protects the business, data and systems of the MSP. It is also important to note that cyber insurance does not cover physical devices. Just like any other business, an MSP will need a property insurance policy to cover any damage or loss to a physical device.

What is liability umbrella insurance?

A liability umbrella policy is designed to pick up where all of a business’ other insurance policies leave off. For example, if a business vehicle is involved in an accident and the damages exceed the face value of the vehicle insurance policy, then the umbrella policy would likely cover the difference to the limits of the umbrella policy. Likewise, if a cyber event creates internal data loss for the MSP or impacts a client — and thus creates liability — then an umbrella policy would support the E&O and cyber insurance policies to fill any gaps.

Now that we have defined the major kinds of business insurance, we will focus on cyber insurance for the remainder of this article.

How to qualify for cyber insurance policies

Any business seeking to qualify for a cyber insurance policy — including MSPs — will be required to follow cybersecurity best practices, document all related policies and procedures, and deploy a defined set of professional cybersecurity solutions that support those best practices and policies. In short, you will be required to understand what you are required to do, document how you are going to do it, and then ensure that the plan is implemented.

During the cyber insurance application process, you will be required to complete a detailed questionnaire that covers many aspects of cybersecurity and the cybersecurity measures that the business deploys, along with things like the value of the data covered and the revenue of the business. All answers need to be truthful and transparent. Generally speaking, the more cyber protection measures properly deployed and documented, the lower the cyber insurance premium (cost) that will be charged by the insurance company.

What is covered by cyber insurance policies?

The specific kinds of liability and loss covered by a cyber insurance policy vary greatly depending on the insurance company’s templates and their assessment of the risks of each policy. But in the case of a covered cyber incident, most cyber insurance policies cover:

·      Lost revenue due to business interruption.

·      Helping clients or employees recover from identity theft.

·      Recovering compromised or encrypted data.

·      Restoring compromised computer systems.

·      Costs associated with notifying regulatory and / or law enforcement agencies.

·      Notifying impacted individuals about possible data breaches.

·      Recovering and restoring identities and personal information.

·      Incident-related legal fees.

It is important to remember that an MSP’s cyber insurance policy covers the MSP’s business. The client’s cyber insurance policy covers their business in the same way. If a cyber incident occurs and an MSP is found liable in any way, the MSP’s E&O, general liability and liability umbrella policies would come into effect to defend and support the MSP.

How much do cyber insurance policies cost?

It’s not possible to estimate the cost of a cyber insurance policy for any business here. The cost of a cyber insurance policy is a function of the business’s level of cyber sophistication — how many cyber security and data protections are deployed — and the amount of potential loss to the insurance company. Since cyber insurance policies cover things like downtime, data recovery measures and lost business, the amount of data involved and average daily lost revenue are all factors in the cyber insurance premium cost. Incident deductibles — the amount that a business must pay out of pocket before insurance coverage kicks in — are also a factor. The higher the incident deductibles, the less risk is carried by the insurer and thus the lower the potential premium amount.

That said, as of this writing and by way of example, we have seen annual premium quotations on E&O policies with cyber insurance riders of between $2,000 and $4,000 for businesses with the following basic attributes:

·      Eight or fewer employees.

·      Less than $1 million in annual revenue.

·      Minimum security measures deployed.

    o   Active protection with antivirus.

    o   Endpoint detection and response (EDR).

    o   Email security.

    o   Comprehensive backup for company data and systems.

·      Annual security awareness training for all employees.

·      Documented security and recovery policies.

·      Annual security audit and risk assessment.

·      $2,000 deductible.

Obviously, this is just an example. There are many variables that affect the premium a business will pay for cyber insurance. That’s why insurance companies have sophisticated risk management systems to estimate premium costs.

What happens when an MSP helps a business qualify for cyber insurance?

It is fairly common for a client to ask an MSP to help them complete the insurance questionnaires so that a client can qualify for cyber insurance. This is understandable. When an MSP has a good relationship with their clients, it is only natural that they would ask their trusted advisors for some help filling out the forms.

If an MSP chooses to help a client complete their insurance qualifying forms, there are some important things for the MSP to consider.

Clearly define and document MSP services

The MSP should not only clearly define the cyber products and services that they provide to the client, but also the ones that they do not provide. If an MSP answers an insurance form on behalf of their client and affirms that a cybersecurity measure is deployed, then the client may confuse that with the services provided. This could also raise liability and coverage issues in the event that a cyber incident occurs.

Clearly document who is making the insurance declaration

Stipulate in writing, as a part of your MSP service agreement, that even though the MSP is helping to complete the insurance paperwork at the request of the client, the information contained in the insurance forms is not a declaration by the MSP. When the forms are submitted to the insurance company for consideration and underwriting, the information on those forms is a declaration of the client business.

Conclusion

All businesses should be fully insured — including MSPs and the clients they serve. Cyber insurance is an important part of every insurance and risk management strategy. Having a clear understanding of insurance types and the coverage included can help MSPs avoid confusion, protect their businesses and serve their clients better.

This article is for general education purposes only and reflects the research, experience and opinion of the authors. Acronis and the authors of this article do not give financial, legal or insurance advice, nor is this article an offer or solicitation for the purchase of any financial product or service. Readers should consult their legal and financial professionals before purchasing any financial product or service.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.