YOU CAN’T FINANCE a car or get a home mortgage without insurance. You can start a business without cyber insurance, but you probably shouldn’t. For SMBs evaluating the need for coverage, cyber insurance can seem complicated. That’s where MSPs come in. You can act as an adviser to help your customers find the right coverage, and qualify for it, while lessening your own business’s liability at the same time.
Unlike other business insurance policies with decades of claims to base premiums on, cyber insurance dates back only a few years. A common question is whether you can buy a “standard policy.”
“Absolutely not,” says Catherine Lyle, head of claims at Coalition Insurance, an “active insurance” company based in San Francisco. (Coalition describes “active insurance” as coverage designed to prevent digital risk before it strikes, combining technology and insurance.) “‘Cyber insurance’ is a broad term. It should cover an insured for cyber breaches, security failures, and the liabilities that arise from both.”
Charles Henson, CEO of Nashville Computer in Brentwood, Tenn., agrees. “Cyber insurance policies can vary widely in terms of what they cover, how much coverage they provide, and how much they cost. Some cyber insurance policies may cover things like data breaches, network outages, or cyber extortion, while others may not.”
The State of Rates
Although no two cyber insurance policies are the same, the consensus is that rates are stabilizing to some extent. Mat Kordell, COO of Cyberstreams, an MSP in Seattle, says the market is maturing. “Insurers have gained a better understanding of the risks involved and have been able to price policies more accurately.” As more companies purchase coverage, the insurers spread their risks across a larger pool of customers, which also helps stabilize rates.
“Cyber rate increases have definitely moderated for most of Coalition’s clients in recent quarters,” says Lyle. However, some carriers can price policies based on the security posture of a specific client, while others can’t. “Insurers will have notably different views of the appropriate price for the same risk,” continues Lyle.
Set the Example for Clients
MSPs, of course, will want to demonstrate to their customers the value of cyber insurance by being covered themselves. Shop around for your own policy, advises Kordell, who recommends “finding three brokers and having them all shop you with all their carriers.”
The proven way to negotiate the best rate for your MSP’s cyber insurance, says Lyle, is to demonstrate your network is well protected and can stop any malware from crossing over to your clients. She recommends regular attack surface monitoring, robust vulnerability patch management, and use of reputable EDR tools, preferably monitored continuously.
Mistakes to Avoid When Policy Shopping for Your MSP
“One of the biggest mistakes that businesses make when choosing a cyber insurance policy is failing to understand what’s covered,” says Kordell. “Take the time to understand the policy’s coverage limits, exclusions, deductibles, and other terms.” After the policy is in place, review the terms regularly since cyberthreats are constantly evolving. Update your policies as necessary.
“Choosing the wrong coverage amount would be one mistake MSPs may make when working alone,” says Henson. “Another would be not having the right type of coverage, including Errors and Omissions along with cyber liability coverage.”
Know the risk and cost of even a simple event, suggests Lyle. “Some entities will try to dip their toe into cyber insurance and get an endorsement or very low-limit coverage.”
There are also differences in how policies pay to make you whole once again. “Coalition’s are pay-on-behalf policies,” Lyle explains. “That means that when a loss occurs after the SIR [Self-Insured Retention] payment, Coalition pays all remaining bills directly. Other policies are reimbursement policies, meaning they require the insured to pay the vendors or the ransomware extortion, and then seek reimbursement from their carrier.”
Coalition’s 2023 Cyber Claims Report found that policyholders using end-of-life software were three times more likely to experience a claim than those that were not. Those with an unpatched critical vulnerability were 33% more likely to have a claim. Phishing accounted for 76% of reported incidents.
Speak to your broker about all concerns, advises Dawn Sizer, CEO of 3rd Element Consulting, an MSP in Mechanicsburg, Pa. “They may be able to help you determine anything else you didn’t consider.”
Guide Your Clients
When helping your customers choose the right coverage, be prepared. For starters, search for an insurance carrier that has experience in cyber insurance and has a good track record of paying claims.
In addition, “Find a broker that can match a client to the right coverage for the type of business and risk aversion they have,” Sizer recommends. “The broker should be able to explain the pros and cons of different policies and be able to discuss risk with the client.” She suggests every policy should at least include a breach coach to help maintain the company’s brand and reputation after an incident.
Kordell also suggests you help your clients answer the insurance questionnaires honestly. “Something like 50% of claims are being denied right now due to misrepresentation of the covered environment,” he warns.
When renewal time comes, help your clients shop around, suggests Sizer, but be responsible. “Pick the broker and company that offers the most coverage for the least risk at the best price.”
The question of how much you can push customers to do the right thing applies to cyber insurance. Should you refuse to onboard a new client with no coverage? “You should have the conversation with your client about their risk profile and where cyber insurance fits,” says Sizer, but she doesn’t mandate it for her clients. “The client will choose to fire themselves if they are a poor fit for your business and risk tolerance.”
Henson agrees: “It’s going to be hard on us to say no to a new client.” His lawyer adds language to his Master Client Agreement that recommends the customer get coverage, but it’s not mandatory.
Some regulated industries such as healthcare and finance may be required to have cyber insurance, adds Kordell. “Make sure your customer knows that your coverage does not inherently protect their business.” While your policy may provide some protection for clients affected by a breach of your network, they will likely have to sue to get any compensation.
Discussing cyber insurance with customers will not be a pleasant chat, because every type of insurance focuses attention on damage and loss. However, not discussing the value of cyber insurance will lead to a much more unpleasant meeting if a customer suffers a major breach and needs help but has no cyber insurance policy to help them recover.