INCREASINGLY STRINGENT requirements for cyber liability insurance are our new reality. This is not necessarily a bad thing, as it can lead our clients to better security practices. We like to think that nobody runs a business without comprehensive insurance coverage, but many owners still consider cyber liability coverage optional, if they consider it at all.
As MSPs, we have a vested interest in getting our clients proper coverage, and we must face the fact that some clients believe our own cyber liability coverage protects their businesses and obviates their need for cyber insurance, which, of course, it does not. But how many of you have had that direct conversation with each of your clients?
Maybe you decided to place a statement requiring each client to carry adequate cyber liability coverage right in your Master Services Agreement (MSA) as we did until 2020. But the harsh reality is that we don’t get to tell our clients how to make their business decisions, and many will not cotton well to being told how to run their business.
Net Sciences switched to a paragraph in our MSA exhorting clients to carry their own cyber liability coverage and explicitly stating that our policy does not extend to them. Now you might tell me that your client would never sue you for such a loss. If so, I would ask that you now replace the phrase “your client” with “your client’s insurance company” and think about it.
Remember when a firewall, managed patching, and anti-virus constituted a solid security posture? Today, without at least multifactor authentication (MFA), privileged access management, and user training, we are showing up to a gunfight with a pocketknife. The challenge has shifted from getting clients to pay for security to getting them to brook the inconvenience of it, and that can be the real showdown.
A New Ally
We have an emerging ally in this struggle—the insurance industry and their rising efforts to enforce secure behavior on the part of their (and our) clients. These providers are doing their level best to verify that the companies they insure are taking reasonable precautions to secure themselves. Doesn’t that sound familiar?
I am asking you to do some creative thinking here, to leverage your clients’ desire to secure their businesses against loss to drive them to behave more securely. Imagine what it might be like if, instead of your trying to sell them on more secure operations, they were instead coming to you to buy peace of mind. That’s the good stuff.
As MSPs, we tend to get excited about features and technology. We forget that clients aren’t enthused about MFA, but they are excited about using their email on the road or working securely from anywhere. Again, while few folks want to buy a quarter-inch drill bit, lots of folks want to hang up their new flat panel safely on their articulating TV mounts.
You should look forward to filling out those cyber liability forms with glee. You will no longer be the bad guy selling security practices they may resent, but the good guy who provides those very same services your clients now want to buy. The very things you’ve been trying to get done for years will now become the very things your clients want you to do for them.
Incident Response Plans (IRPs)
It is easy to overlook how a client’s cyber liability insurance affects your response to an incident. Most of us have the mindset of first responders, expecting to rush in and perform immediate triage. This mindset must change once insurance (or compliance) is involved. You must not destroy evidence in your remediation efforts.
For the most part, the only safe move you can make prior to communication with your client’s insurance provider (and law enforcement) is to disconnect all machines from the internet and maybe isolate a computer or two. Having an existing relationship with a firm that specializes in this sort of response is also a good idea; seek one out before you need it and heed their counsel.
But all of this assumes you have an IRP in place. Do you have such a plan with all your clients? Are they static or periodically reviewed? Do they meet the requirements of their cyber liability policy? Finally, have you had at least one (and preferably several) frank discussions with each client about just what will happen in the event of an incident?
Sometimes we find ourselves in a “build or buy” situation where we must make a judgment as to whether to develop in-house expertise. But risk analysis and insurance sales are clearly not in our wheelhouse. Ready to do gap analysis and coverage comparisons? Do you have someone to hold your hand throughout incident response, helping you stay calm and collected?
For these reasons and more, it makes sense to partner with an expert. Find a partner who can provide the expertise to identify the security risks your clients face, guide them to address the requirements, and provide the safety net of the insurance they need should the worst happen. That might seem like a lot to ask but the right partner can do all this and more.
For Net Sciences, that’s DataStream Cyber Insurance. Their toolset helps us identify risk at client sites. They can shop a large market on our clients’ behalf to help them find the right coverage. Finally, their experience as an upstream “reinsurance” provider allows them to mine a very large dataset of loss experience. That loss experience enables us to proactively prevent (not just mitigate) loss for our clients. This sort of proactive service is just what we are supposed to be all about as MSPs, is it not?
Our world of IT and technology is awash in risk, and with the relentless increase of cybercrime, it has only gotten more profound. But in a sense, our job as MSPs has not changed. We still need to identify and mitigate risk, and provide the safety net our clients need if all else fails—truly effective insurance coverage.
The good news is that we can leverage insurance requirements to get our clients to do what we have been encouraging them to do all along. We can enlist insurance professionals to help guide them along this path, advocating on our behalf. That does not relieve us of our duty to plan, communicate, and prepare our clients for the worst, but it’s nice to have a safety net.
JOSHUA LIBERMAN is president of Net Sciences, MSP 501 member and the best little MSP in New Mexico. A former mountaineer, martial artist, and lifelong photographer, Liberman is widely traveled and speaks several languages. He is an ASCII Group board member, writes and speaks publicly, and raises Siberian Huskies. His wife, Heidi, calls him the Most Interesting Geek in the World.