The critical role of cyber insurance in safeguarding MSPs and their clients

Managed service providers (MSPs) play a crucial role in ensuring that businesses of all sizes operate smoothly and securely. As trusted technology partners, MSPs handle a variety of IT-related tasks, including help desk support, system updates, hardware refresh cycles and, importantly, cybersecurity. Each of these services carries an element of risk because each carries the potential for cyberattacks and data loss.

Given the rapid increase of cyberthreats, it’s imperative for MSPs to understand the significance of cyber insurance coverage, both for themselves and their clients, and the role that cyber insurance plays in the market.

It may seem obvious, but it is worth stating that MSPs are businesses themselves. And just like all businesses, they need to protect themselves with various kinds of insurance. There are many kinds of insurance policies, from company health care and employee disability plans to property and vehicle insurance and more. But there are specific insurance policies directly related to the work MSPs do every day for their clients.

·      General liability.

·      Errors and omissions (E&O).

·      Cyber insurance.

·      Liability “umbrella.”

Understanding these policies can be helpful to MSPs in protecting their businesses and also in understanding the needs of their clients. Let’s start by briefly reviewing each one.

Sometimes called “commercial general liability,” this kind of policy generally protects a business against property damage or loss and personal injury that occurs as a result of business operations or on the business’s premises, among other things. General liability policies always have specific exclusions — too many to list here. But importantly for MSPs, general liability policies almost always exclude professional and cyber liability.

Errors and omissions policies are designed to do exactly what name implies — to protect the company and its managers from mistakes made in good faith. For example, if a manager accidently deletes an important part of a contract, if a client claims that they received bad advice, or if an administrator made an honest mistake while configuring an endpoint device. E&O policies do not protect businesses from intentional acts. Because of the potential blurred line between E&O coverage and cyber insurance coverage, many insurance carriers strongly recommend or insist that a supplemental cyber policy document — often referred to as a “rider” — be purchased with E&O insurance.

Cyber insurance is designed to protect business from most cyber events. This can include data loss, ransomware, data corruption or exfiltration, the consequences of social engineering and phishing, and more. Importantly, an MSPs cyber insurance coverage does not extend to client data or systems — it protects the business, data and systems of the MSP. It is also important to note that cyber insurance does not cover physical devices. Just like any other business, an MSP will need a property insurance policy to cover any damage or loss to a physical device.

A liability umbrella policy is designed to pick up where all of a business’ other insurance policies leave off. For example, if a business vehicle is involved in an accident and the damages exceed the face value of the vehicle insurance policy, then the umbrella policy would likely cover the difference to the limits of the umbrella policy. Likewise, if a cyber event creates internal data loss for the MSP or impacts a client — and thus creates liability — then an umbrella policy would support the E&O and cyber insurance policies to fill any gaps.

Now that we have defined the major kinds of business insurance, we will focus on cyber insurance for the remainder of this article.

Any business seeking to qualify for a cyber insurance policy — including MSPs — will be required to follow cybersecurity best practices, document all related policies and procedures, and deploy a defined set of professional cybersecurity solutions that support those best practices and policies. In short, you will be required to understand what you are required to do, document how you are going to do it, and then ensure that the plan is implemented.

During the cyber insurance application process, you will be required to complete a detailed questionnaire that covers many aspects of cybersecurity and the cybersecurity measures that business deploys, along with things like the value of the data covered and the revenue of the business. All answers need to be truthful and transparent. Generally speaking, the more cyber protection measures properly deployed and documented the lower the cyber insurance premium (cost) that will be charged by the insurance company.

The specific kinds of liability and loss covered by a cyber insurance police vary greatly depending on the insurance company’s templates and their assessment of the risks of each policy. But in the case of a covered cyber incident, most cyber insurance policies cover:

·      Lost revenue due to business interruption.

·      Helping clients or employees recover from identity theft.

·      Recovering compromised or encrypted data.

·      Restoring compromised computer systems.

·      Costs associated with notifying regulatory and / or law enforcement agencies.

·      Notifying impacted individuals about possible data breaches.

·      Recovering and restoring identities and personal information.

·      Incident-related legal fees.

It is important to remember that an MSP’s cyber insurance policy covers the MSP’s business. The client’s cyber insurance policy covers their business in the same way. If a cyber incident occurs and an MSP is found liable in any way, the MSP’s E&O, general liability and liability umbrella policies would come into effect to defend and support the MSP.

It’s not possible to estimate the cost of a cyber insurance policy for any business here. The cost of a cyber insurance policy is a function of their level of cyber sophistication — how many cyber security and data protections are deployed — and the amount of potential loss to the insurance company. Since cyber insurance policies cover things like downtime, data recovery measures and lost business, the amount of data involved and average daily lost revenue are all factors in the cyber insurance premium cost. Incident deductibles — the amount that a business must pay out of pocket before insurance coverage kicks in — are also a factor. The higher the incident deductibles, the less risk is carried by the insurer and thus the lower the potential premium amount.

That said, as of this writing and by way of example, we have seen annual premium quotations on E&O policies with cyber insurance riders of between $2,000 and $4,000 for businesses with the following basic attributes:

·      Eight or fewer employees.

·      Less than $1 million in annual revenue.

·      Minimum security measures deployed.

o   Active protection with antivirus.

o   Endpoint detection and response (EDR).

o   Email security.

o   Comprehensive backup for company data and systems.

·      Annual security awareness training for all employees.

·      Documented security and recovery policies.

·      Annual security audit and risk assessment.

·      $2,000 deductible.

Obviously, this is just an example. There are many variables that affect the premium a business will pay for cyber insurance. That’s why insurance companies have sophisticated risk management systems to estimate premium costs.

It is fairly common for a client to ask an MSP to help them complete the insurance questionnaires so that a client can qualify for cyber insurance. This is understandable. When an MSP has a good relationship with their clients, it is only natural that they would ask their trusted advisors for some help filling out the forms.

If an MSP chooses to help a client complete their insurance qualifying forms, there are some important things for the MSP to consider.

The MSP should not only clearly define the cyber products and services that they provide to the client, but also the ones that they do not provide. If an MSP answers an insurance form on behalf of their client and affirms that a cybersecurity measure is deployed, then the client may confuse that with the services provided. This could also raise liability and coverage issues in the event that a cyber incident occurs.

Stipulate in writing, as a part of your MSP service agreement, that even though the MSP is helping to complete the insurance paperwork at the request of the client, the information contained in insurance forms are not a declaration by the MSP. When the forms are submitted to the insurance company for consideration and underwriting, the information on those forms are a declaration of the client business.

All businesses should be fully insured — including MSPs and the clients they serve. Cyber insurance is an important part of every insurance and risk management strategy. Having a clear understanding of insurance types and the coverage included can help MSPs avoid confusion and protect their businesses and serve their clients better.

This article is for general education purposes only and reflects the research, experience and opinion of the authors. Acronis and the authors of this article do not give financial, legal or insurance advice, nor is this article an offer or solicitation for the purchase of any financial product or service. Readers should consult their legal and financial professionals before purchasing any financial product of service.