‘Cyber-Liabilty’ Insurance Covers New Risks to MSPs

Not long ago, managed service providers (MSPs) mostly just needed to protect themselves against lawsuits for common mistakes or physical accidents, like a monitor falling onto a customer’s foot.

Fast forward to the present and those same MSPs face a host of new and complex sources of liability, many stemming from the growing volume of sensitive customer data they’re charged with managing.

As a result, the general liability, and errors and omissions (E&O) policies that once offered MSPs all the protection they needed, are increasingly inadequate for today’s IT landscape.

“If I had to guess, I would honestly say that greater than 50 percent of MSPs are in the underinsured position,” said Charles Weaver, CEO of MSPAlliance, a coalition of technology service providers. “They either have the wrong type of insurance or they are underinsured for the types of risk they incur.”

More and more, channel firms recognize the need to evolve their offerings and revenue models to meet the changing demands of customers.

But too few are adapting their insurance policies to keep pace, Weaver said.

“The major challenge in the mid 2000s was there were a lot of risks that MSPs were assuming that they didn’t have to worry about as VARs,” he said. “Specifically, there were a lot of risks that they were taking on that were not covered by their E&O policies.”

‘Cyber-Liability’ Coverage

Weaver recounted a recent example that illustrates the evolving financial threats to tech service providers.

When all of the independent, redundant computer memories of a raid drive failed, entire data sets of multiple customers were rendered inaccessible.

The unavailable data triggered a ripple of costly repercussions totaling hundreds of thousands of dollars.

“The client is in a regulated industry and the MSP and customers argue over who should pay,” Weaver said.

“It happens with stuff that has nothing to do with the MSPs fault,” he said. “A raid drive failing is in no way the fault of the MSP.”

Traditional general liability and E&O policies don’t cover such events.
“If you don’t have insurance, you better have enough cash reserves to pay that fine and those legal costs,” Weaver said.

Another common risk comes from the growing number of cyber-attacks.

For instance, an MSP could fail to lock down a firewall port, resulting in a lawsuit for costs associated with a subsequent data breach.

In verticals like healthcare or financial services, the MSP might be deemed liable for the cost of the response, including public notifications, fines and lawyers to help contain the crisis and ensure compliance with state and federal remediation requirements.

Cyber-liability policies are designed for precisely those situations.

“The entire cost of that breach is covered,” Weaver said.

Shopping for MSP/Cloud Insurance

MSPAlliance, also known as the International Association of Cloud and Managed Service Providers, offers an insurance plan underwritten by Lloyds of London that is designed specifically for MSPs and cloud service providers.

Similar coverage can be obtained from many well-known sellers of business insurance, though most have little or no experience dealing with the specific and evolving needs of tech services providers.

“We had a huge outcry from MSPs that couldn’t find agents that understand what we do,” Weaver said.

Launched in 2008, the MSPAlliance Insurance Program offers coverage that picks up where general liability and E&O policies end.

Premiums are based on a firm’s managed services revenue, and Weaver estimates the added protection makes policies about 1.5 times more expensive than those without.

But more education is needed to overcome many service providers’ continuing resistance to buying cyber-liability protection, Weaver said.

“I wouldn’t even say it’s a cost issue,” he said. “They say, ‘I don’t have anything that’s important. Why would I be hacked?’”

He recounted a particular discussion with one MSP during a March 2008 conference in Atlanta, where the first-of-its-kind coverage was rolled out.

“The guy said ‘why do I need this? I’ve never been sued,’” Weaver recalled. “That’s like saying I’ve never been in a car accident so I’m not going to buy auto insurance.

“We just don’t live in that world.”

Send tips and news to [email protected].