MSPs and Cyber Insurance: Opportunity or Risk?

MSPs adding cyber insurance management to their services must understand potential pitfalls and liability.

Brett Helm

December 18, 2023


As computing technology continues to evolve rapidly, small and medium-sized businesses (SMBs) frequently struggle to stay current. Increasingly, they're turning to managed service providers to manage their computing infrastructure. Outsourcing IT functions to MSPs with specialized knowledge allows companies to focus on their core business. As the complexity of IT needs grows, MSPs are being called on to perform an ever-growing list of tasks.

Cyber insurance is the latest item MSPs are being asked to manage, another revenue-producing service in a progression from managing security solutions for customer networks. First, they can charge for filling out the insurance application. In many cases, additional security capabilities must be implemented to qualify for cyber insurance. MSPs can then charge for implementing and managing these additional security services.

Completing cyber insurance applications and managing ongoing cyber operations may seem like a natural way for MSPs to increase revenue, but providing this service may expose them to unexpected risk.

Cyber Insurance Applications and Mandates

As with other insurance coverages, cyber insurance carriers must assess and manage the risk of insuring a company. Part of this process involves an old-school manual questionnaire. These questionnaires are designed to gather critical details on the company's computing infrastructure and security practices and can be as long as 50 pages. The questionnaires are tedious and difficult to fill out. Despite the effort, they often fail to capture the true state of cybersecurity for the organization.


Companies using an MSP to manage their IT infrastructure simply don't understand their networks well enough to complete these questionnaires. They will lean on the MSP for information, or simply hand the process over to their MSP.

Once the cyber insurance policy is in place, most policyholders will file the policy away, return to focusing on their core business, and assume that all is well. But getting a cyber insurance policy is just the first step. Companies must maintain compliance with cyber insurance mandates or risk a denied claim. Networks are dynamic. Even if companies comply when the policy is issued, that doesn't mean they will remain in compliance. MSPs play a critical role by managing ongoing compliance with cyber insurance mandates.

Cyber Insurance Challenges for SMBs

Many SMBs are finding it challenging to obtain cyber insurance, and those that have it are finding that it doesn't always provide the coverage they're expecting. According to the Delinea State of Cyber Insurance Report, it took more than 6 months to get cyber insurance for 7% of companies, while 28% of small companies were denied coverage. Among companies with cyber insurance, 67% reported increases in cyber insurance rates of 50% to 100%, and the number of exclusions continues to grow.


Due to high loss ratios, cyber insurance carriers are limiting payouts. One change is adding exclusions to policies to manage their exposure. Often, these exclusions concern gray areas where carriers cannot accurately predict risk. Unfortunately, what is excluded is often where policyholders most need protection.

According to the Delinea report, cyber insurance claims could be denied because of:

  • Omissions and errors

  • Lack of security protocols

  • Companies failing to follow compliance procedures

  • Human error, including misconfiguration or lost cell phone/laptop

  • Internal bad actors

  • Acts of war

  • Acts of terrorism

  • Not reporting incidents to insurance companies first

These exclusions would result in companies not receiving a payout, or only receiving a partial payout on a claim.

There also are exclusions on associated costs in the event of a cyberattack. For example, many policies won't pay for incident response, communication costs for public relations or crisis response.

The combination of nonpayment or partial payment on claims, and excluded costs, can be onerous. The impact of the cyberattack, coupled with partial coverage by cyber insurance, leaves many businesses struggling to survive.

According to IBM's Cost of a Data Breach Report, the average cost of a data breach reached $4.45M per incident in 2023. This growing cost is driving the adoption of cyber insurance.

However, the high rate of denied claims leaves a gap for many small businesses that are hit with a cyberattack. When this happens, companies are likely to point the blame at their MSP. Policyholders are likely to be caught off guard if cyber insurance claims are denied. Inevitably, MSPs will face liability lawsuits, regardless of contractual liability limits.

A Possible Solution

An automated cyber insurance compliance-monitoring platform can aid in cyber-insurance risk management. Unlike traditional insurance categories, corporate computing infrastructure is dynamic. New applications are installed and updated, devices are added or moved and new services are enabled on a regular basis. Any of these changes can dramatically impact the organization's risk profile.

Automated cyber-risk management provides significant benefits to cyber-insurance providers and policyholders, including:

  • Ensuring precise premiums based on actual cyber-risk data

  • Eliminating the need to fill out and process questionnaires

  • Ensuring accurate data is provided to insurance companies

  • Improving infrastructure security by providing actionable information on vulnerabilities discovered


An automated cyber-insurance compliance platform allows MSPs to fix any discovered issues and ensure customer networks are complying with cyber insurance mandates. Ongoing monitoring ensures they remain in compliance. These efforts reduce liability for MSPs and minimize the effort required to manage cyber insurance policies. Additionally, this is another solution MSPs can offer to increase revenue.

Achieving compliance alone isn't enough. To ensure cyber insurance claims aren't denied, MSPs can use the cyber insurance compliance platform reports to:

  • Maintain a history of compliance status to provide evidence in case of a disputed claim

  • Generate compliance reports that can be shared with insurance carriers

By measuring compliance with cyber insurance mandates and disclosing the results to the insurance carrier, MSPs reduce their risk of a lawsuit and protect their clients.

Services that Help Manage Cyber Insurance Risk

MSPs increasingly include applying for cyber insurance and managing compliance with cyber insurance mandates as one of the critical services they offer SMBs. With high rates of denied claims, MSPs will inevitably be liable for denied claims.

To manage this risk, MSPs can adopt an automated cyber insurance compliance platform to measure compliance with cyber insurance mandates and improve their service to limit liability for denied insurance claims.

Without automated monitoring to accurately assess compliance with cyber insurance requirements, organizations remain at risk. Compliance platforms can accurately assess compliance with those requirements, while automated tools can provide cyber insurance carriers with real data to monitor their exposure.



About the Author(s)

Brett Helm

DragonFly Cyber

Brett Helm is the co-founder and chairman of Dragonfly Cyber, provider of a cyber insurance compliance platform. He previously held CEO roles at DB Networks, Coradiant and IPivot, as well as senior management roles at Intel. You may follow him on LinkedIn or on X.
