The insurance and compliance game: Why MSPs are getting sidelined

At the end of the fiscal year, the pressure is on to retain your most profitable clients. The most common reason clients decide to part ways is because of poor service quality. But another growing reason clients leave is because of compliance failure and cyber insurance denial.

Cyber insurance requirements are stricter, applications are longer and compliance audits are more nitpicky. If your protection is revealed to be inadequate in an audit, small and mid-sized businesses may cast you aside in favor of the competition.

Do a quick Google search for cyber insurance applications and you can expect to download a PDF of anywhere between four to 14 pages — riddled with checkboxes and fine print. Missing any of the criteria as an MSP can result in your client being denied a claim or policy.

According to the Delinea 2023 State of Cyber Insurance Report, small businesses with less than 250 employees are more likely to be denied coverage; in fact, 28% of small businesses were denied. The study revealed that 40% of small business respondents listed lack of security protocols as the top reason for denial. In comparison, larger organizations with greater than 250 employees noted a different reason. Forty-eight percent of large business respondents noted human error as the top reason for denial.

Helping your clients qualify for cyber insurance coverage is getting tougher, and the challenge goes hand in hand with compliance. The Delinea study also found that 33% of small business respondents noted “not following compliance” as the number three reason for insurance disqualification. The bottom line is that elevated cyber risk is not only a problem for insurance underwriters, but also compliance auditors.

Pick any cyber insurance application at random and antivirus will be one of the core requirements. However, any old antivirus will not suffice. Underwriters want to see tested and proven commercial-grade antivirus in play. Nowadays, signature-based antivirus will not cut it. The same applies to compliance requirements. Regulatory compliance including NIS 2 Directive in the EU and PCI DSS and HIPAA regulations in the U.S. require organizations to have up-to-date antivirus solutions. While the EU’s GDPR does not mandate that organizations have antivirus, auditors will expect businesses to take appropriate action to reduce risk and regularly update antivirus software.

Insurance companies seek specific indicators that show a business’s continuous readiness to mitigate cyber risks against sophisticated threats. At the top of this list is EDR. Particularly, EDR with behavioral-based and AI-enabled capabilities is favored by insurance and compliance auditors. Additionally, EDR with detailed reporting on incident timelines and response actions is helpful in getting valuable information to insurance agents and compliance regulators quickly.

Many leading insurance applications specify that all devices should have antivirus and EDR protection. You could find every one of your clients’ devices piecemeal, but that is time consuming and prone to error. Device discovery tools make identifying client workloads swift and easy. These solutions simplify discovering, identifying and protecting every device within your clients’ network using flexible scanning capabilities.

There is a mounting focus on curbing unauthorized access and privilege escalation techniques. Cyber insurers and compliance regulators want to ensure that businesses reduce their risk of illicit access and intrusion. Anti-intrusion, access control and multifactor authentication are becoming prominent requirements across insurance applications as well as HIPAA and PCI DSS regulations.

Backup technology dates to the 1950s if you count punch cards and tapes. Data protection has evolved, but the goal remains the same: protect against data loss, theft and compromise. The key is performing regular backups. Many businesses get dinged for not backing up critical data regularly. For instance, GDPR has many technical requirements regarding backups, including on data encryption, search, location and subject control, and recovery.

According to Upper Cumberland Business Journal, businesses lose over $250 million on average annually because of downtime. Recent studies also reveal the cost is nearly $9,000 per minute. Disaster recovery and business continuity plans are now required by a growing number of cyber insurers and compliance authorities.

Looking at your typical cyber insurance application, you will find questions such as “Do you use 3-2-1 backup procedures?” and “Do you have two different media storage types and one copy off-site for disaster recovery?” For insurers, it is not only a matter of implementing backup and disaster recovery, but also following current best practices to ensure cyber resilience. A robust business continuity plan signals that a company is proactive and well prepared, potentially leading to more favorable insurance terms.

The Acronis Threat Research Unit (TRU) Security reports that more than 15.3 million malicious URLs were blocked at the endpoint by Acronis Cyber Protect Cloud in August 2024. That is a 40% increase since July 2024. With email being the number one attack vector, the statistics are alarming. Cyber insurance underwriters and compliance requirements rightfully center on email security best practices. For example, HIPAA has its own policies focused on email protection.

Cyber insurance policies used to be easy to obtain and keep. Applying for a policy was almost a guarantee back in the early days. Fast forward 15 years and the cost to qualify for insurance is upwards of a few thousand dollars when you consider the additional expenses to manage and monitor must-have security tools. Nowadays, enterprises need to buy more solutions to meet policy requirements and spend more money to manage them.

In fact, premiums have decreased from 2023 to 2024, with experts hypothesizing that the price reduction is due to improved multilayered protection and greater investment in IT security, including training staff. As more enterprises prioritize protection, insurers increase their willingness to issue policies to those who are already well protected.

But what about resource-constrained businesses? All those enterprise-grade cybersecurity tools are typically too expensive and complex to manage for small businesses that struggle to keep pace with emerging threats. These organizations turn to MSP services and solutions to deliver adequate protection.

Most MSPs come to the realization that additional costs to implement and manage comprehensive protection services also hinder profitability. Profitability takes a hit because of expensive cybersecurity solutions like EDR and XDR that are notoriously complex, costly and inefficient to manage. Yet, cyber insurance and compliance is the golden opportunity for your MSP business.

In part two of this blog series, we will uncover the latest cybersecurity innovations and technologies designed to help you better protect your clients in alignment with their stringent cyber insurance and compliance requirements.