IT and Business Insights for SMB Solution Providers

Risk Management for MSPs

Tips for avoiding potentially costly business risk mistakes. By James E. Gaskin

IF THE CATCHPHRASE, “I’ll see you in court!” makes you nervous, there are steps you can take to reduce your risks of talking to a judge.

Risk management for MSPs starts with requiring clients to carry cyber insurance, according to Joseph Brunsman, founder of Brunsman Advisory Group in Annapolis, Md., insurance brokers specializing in errors and omissions (E&O) and other policies. If your client’s own cyber policy pays for data recovery, lost business, lawyer fees, forensic exams, and other costs, they have little basis to sue you.

A lawsuit, explains Brunsman, who is the author of several books and videos on this subject and is currently working on a new book about insurance and risk management for MSPs, will establish injury in fact (maybe files encrypted by ransomware), traceability (you promised to protect them), and redressability (money to make the victim whole again). “If they’ve been made whole, there’s no advantage in suing you.”

You don’t ever want to go to court, he adds. Can your lawyer make a random group of citizens understand firewall policy, anti-virus software, and subnet masks? If not, you’ll lose.

And while you can advise clients to get cyber insurance, don’t tread into a lawyer’s territory, Brunsman warns. “Be familiar with your client’s vertical needs, but don’t give them legal advice.”

MSPs should carry their own cyber insurance as well. Justin Reinmuth, CEO of Techrug (Technology Risk Underwriting Group), in Columbus, Ohio, believes MSPs are paying attention to this, and maybe 65% to 70% have cyber insurance of some kind. “Smaller MSPs tend not to because they think, like many clients, they’re too small to be hit.”

Just having insurance isn’t enough, though. You need the right coverage. “Maybe about half of existing policies aren’t complete enough,” notes Reinmuth.

One problem is many insurance carriers have stopped offering cyber policies. “Over the last 18 months, maybe 12 insurance companies dropped them,” says Brunsman. This at a time when claims against MSPs are becoming more common. “Five years ago, nobody got sued at [the MSP] level.”

Insurers that still do offer cyber insurance are imposing increasingly steep requirements for coverage. According to Reinmuth, carriers are saying, “enough is enough” about the lack of a governing body and standards for the IT industry. NIST and the other guidelines are being ignored. The bottom line: Improve or face lawsuits without insurance backing you.

Reinmuth suggests MSPs enlist a risk management specialist to look at all the moving parts. Even your website marketing can overpromise and get you sued. For instance, if a nonspecialist agent writes a $2 million policy with 20% coinsurance, a ransomware target might owe $400,000 out of pocket, compared to zero out of pocket with the proper cyber insurance. Plus, Reinmuth says policy costs will double or more in the next several years. That’s not a risk worth taking.


About the Author


JAMES E. GASKIN is a ChannelPro contributing editor and former reseller based in Dallas.
