It’s every MSP’s worst-case scenario: a client calls in a panic because they’ve been hit with ransomware, suffered a data breach, or discovered suspicious activity on their network. If they have cyber insurance, the first question is: What happens next?
Unfortunately, many SMBs assume that having a cyber insurance policy means they’ll simply file a claim and their cyber insurance claims will get reimbursed. But the truth is more complicated, and that’s where your role as their MSP becomes critical.
The First 24 Hours: Time Is Everything
When a breach is discovered, the insurance carrier needs to be notified immediately. Most policies require prompt notification, sometimes within 24 hours or less, or the claim could be denied. This is not the time to try to clean things up quietly before calling it in.
As the MSP, you should:
- Urge the client to notify their insurer or broker immediately
- Help the client gather basic incident information (time, impact, symptoms)
- Be prepared to speak with the insurer’s forensic or incident response team
- Avoid taking major remediation steps before the insurer authorizes them
Why the caution? Doing too much too soon can interfere with the investigation, make evidence inadmissible, or lead the insurer to reject the claim.
Insurance Companies Bring in Their Own Experts
In most cases, cyber insurance policies include access to incident response teams, breach coaches, and digital forensics firms approved by the carrier. These experts take the lead in managing the response and gathering evidence.
What you can expect:
- An intake interview or call with the insurer’s team
- Requests for logs, system details, and network diagrams
- Guidance on what not to touch until forensics are complete
- A timeline for investigation, containment, and remediation
As the client’s MSP, you become a critical technical liaison. Your knowledge of the environment, access to systems, and historical context are invaluable. But you’re no longer driving the recovery effort alone.
Who’s Responsible for What? Spell It Out Before the Breach
When a client experiences a cyberattack, their first call is almost always to their MSP, and understandably so. But what happens next can quickly become chaotic if roles, responsibilities, and expectations haven’t been clearly defined in advance. This is where the fine print of your MSA (Master Services Agreement), or lack of one, becomes a critical issue.
If your contract doesn’t spell out what you’re obligated to do during a cybersecurity incident, you risk being blamed for delays, costs, or failures in areas that were never truly your responsibility. Worse, if the client assumed you were handling protections they declined or downgraded, you may still end up in the crossfire.
That’s why it’s essential to:
- Clearly outline what happens in the event of a breach. Including your incident response scope, timelines, and any additional fees for remediation or forensics work.
- Document which security tools and policies you’ve recommended (like MFA, endpoint protection, and backup), and whether the client has opted in or declined them.
- Establish, in writing, whether breach response services are included in the client’s service package or billed separately under an hourly or emergency rate.
- Include language that limits liability when clients deviate from your recommendations, especially when they decline coverage or choose cheaper alternatives.
- Ensure your plan aligns with the client’s cyber insurance policy, including any obligations you may have to support claims documentation or forensic evidence gathering.
Don’t wait until you’re in crisis mode to sort this out. A breach is stressful enough without having to negotiate what you’re owed or what you’re expected to deliver after the fact. A clear, written agreement protects both parties and ensures faster, more professional responses when every minute counts.
Documentation Is Key. Before, During, and After.
One of the biggest factors in a successful claim is whether the client can prove they had appropriate controls in place before the breach occurred. This is where your documentation, or lack of it, will be scrutinized.
You should have:
- A list of security tools deployed (EDR, MFA, backups, etc.)
- Records of patching and updates
- Proof of user training or phishing simulations
- Backup logs and testing history
- A written incident response plan (even a basic one helps)
If a claim is denied due to “failure to maintain required security controls,” it may come back on your MSP, whether legally or in terms of client trust.
What’s Covered, And What Isn’t
Cyber insurance is not a blank check. Many clients are shocked to learn that certain costs are excluded, or that coverage depends on specific conditions being met.
Covered items may include:
- Costs to investigate and contain the breach
- Ransomware payments (in some cases)
- Legal fees, regulatory fines, and compliance support
- Notification costs to affected individuals
- Business interruption and recovery expenses
But excluded items often include:
- Costs incurred before notifying the insurer
- Breaches caused by unpatched vulnerabilities
- Incidents tied to non-compliance with policy conditions
- Lost reputation or lost future revenue
Make sure your clients understand these nuances ahead of time, not after a denial letter arrives.
Your Role After the Breach
As the situation stabilizes, you’ll likely resume a more active role in rebuilding and restoring. But you should still defer to the insurer’s process until you’re explicitly cleared to proceed.
Post-breach, your responsibilities might include:
- Coordinating with the insurance-assigned incident team
- Rebuilding or restoring systems once evidence is gathered
- Supporting root cause analysis
- Updating security controls to prevent future issues
- Helping the client respond to regulatory inquiries, if needed
This is also a smart time to update your service agreement language around breach response support, recovery limits, and insurance cooperation — so you’re protected too.
Clients Remember Who Showed Up When It Mattered
In the aftermath of a breach, your client won’t just remember the technical fix. They’ll remember who guided them through the chaos, helped them understand the insurance maze, and stayed calm when things got scary.
By understanding how cyber insurance claims work and your role in supporting them, you position your MSP as an indispensable partner, not just a vendor.
And if the client didn’t have coverage? That’s a conversation worth having during the next QBR.
ChannelPro has created this resource to help busy MSPs streamline their decision-making process. This resource offers a starting point for evaluating key business choices, saving time and providing clarity. While this resource is designed to guide you through important considerations, we encourage you to seek more references and professional advice to ensure fully informed decisions.
Featured image: iStock
