Share This:

cyber insuranceQ: My MSP business is growing, and I’m concerned about staying properly insured. I carry the required insurance on our service vans, and I have a general liability policy that a long-time family friend who is also an insurance salesman sold me. Is that good enough, or do I need something more specific for my MSP?

That would be an emphatic “Yes,” says Justin Reinmuth, CEO and founder of Columbus, Ohio-based techrug.

Cyber insurance is very specialized. Chances are the insurance agent on the town square who was on the same bowling team as your father and has sold policies to your family for years isn’t well versed in the relatively new arena of cybersecurity insurance. Cybersecurity insurance is vital in protecting MSPs and other tech-centered businesses from losses related to data breaches, malware, rogue employees, and staff mistakes, among other areas.

Reinmuth says data breaches are the headline-grabbers, but only 43 percent of cyber insurance claims are related to hacks, malware, and viruses. That means 57 percent of claims are filed for other reasons, such as a staff mistake, rogue employee, or stolen device.

Managed service providers are increasingly finding themselves handling huge volumes of sensitive data, whether it’s HIPAA-protected medical information or credit card information.  Throw into the mix the increasingly sophisticated army of hackers out there and the “human threat” (i.e. careless or malicious staff), and MSPs need to be protected.

“If I had to guess, I would honestly say that greater than 50 percent of MSPs are in the underinsured position. They either have the wrong type of insurance, or they are underinsured for the types of risk they incur,” Charles Weaver, CEO of  MSPAlliance, a coalition of technology service providers, told Channel Futures.

Boredom leads to a breakthrough

Reinmuth’s own journey into cybersecurity was a circuitous one. He was part of a technology company in Dallas in the late 1990s early 2000s, where he received a solid grounding in IT. But, Reinmuth gravitated back to his family roots in Columbus, Ohio, and began immersing himself in a different field: insurance. Reinmuth started out a as a generalist, offering the same usual potpourri of policies that many insurance agencies offer.

“But I was bored,” Reinmuth said. Until one day he was sitting down with an IT client to go over some policies, and the client was impressed enough with Reinmuth’s tech knowledge that he asked if he specialized in IT clients. The “lightbulb” went on, and the rest is history.

Reinmuth began focusing on Columbus’s emerging IT scene and grew from there to offering policies to cover managed service providers and other businesses that needed tech policies. In 2015, techrug began writing their own errors and omissions policies (E&O). And Reinmuth is no longer bored.

“Writing this kind of insurance requires getting to know your audience and writing it for your audience,” Reinmuth says.

The Wild West of cyber insurance

Unlike a Workers Comp or Auto policy where the coverages are pretty much the same, cybersecurity insurance is like the Wild West, unregulated and freewheeling. This means the buyer needs to be vigilant in parsing their policy. For instance, Reinmuth says some policies will have coverage for a rogue employee and some won’t. Or, a claim won’t be paid if your backup isn’t working. But some will. And on and on through the fine print.

“The biggest takeaway dealing with Cyber Liability E&O is that you need someone who specializes and they need to understand that this isn’t a ‘regulated’ product,” Reinmuth says. A typical cyber insurance policy contains a laundry list of adds-ons and exclusions that need to be closely scrutinized and gone through line by line.

Reinmuth’s client base is made up largely of MSPs, the ideal being ones that have partnered with strong security vendors and adhere to stringent IT best practices.

Five things you should consider when shopping for a Cyber Liability Errors & Omissions Insurance policy

1. Coverage for a rogue employee: “Employees can get you in trouble. You think you know people, but when their backs are against the wall, people do weird things,” Reinmuth says.

2. Client data loss: Be careful of exclusions arising out of the alteration, corruption, destruction, loss, deletion or damage to, or inability to access, data resulting from a network security breach or from a negligent act, error, or omission in rendering or failing to render Professional Services or Technology Services.

3. Full first- and third-party coverage:An MSP’s policy should run the full gamut of coverage as it relates to media liability, network security liability, privacy liability, privacy notification costs, public relations & crisis management expense, legal and forensic expense, network security and privacy liability (regulatory), costs for damage to data or programs, network failure income loss and extra expenses, cyber extortion.

4. Know the exclusions: Are you covered if you don’t install available software product updates and releases right away? What happens if you don’t perform due diligence on third-party vendors (audits, etc.) to ensure safeguards of protecting data? Let’s say you fail to ensure the backup of content for your clients?

5. Third-party vendors: We all use them. As a result of a security breach of client data given to a vendor, will you be covered? More and more MSPs and their vendors are becoming targets of hacks due to the amount of sensitive data being held.

Too risky to insure

Like many insurance policies, though, you aren’t guaranteed a techrug policy (or a policy from any cyber insurance company). Reinmuth and his staff have a vetting process to ensure a client is following best practices and not a walking risk magnet.

So, your network security in-house practices need to be sound and your backup systems solid. There are some businesses that can be doing everything right but techrug and others still might not write them a policy if their business is deemed too high risk.

Reinmuth sees the cyber insurance market evolving as the years pass and policies, in his view, may become harder to qualify for.

“This is a classic case where the bad guys are a couple steps ahead of the good guys. It is a cat-and-mouse game,” Reinmuth says.


Photo: Photon photo/Shutterstock.com


Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

3 Comments

  1. There are a number of options for encryption software. In fact, many computer systems on your network might already have built-in encryption. But a disjointed approach to system and network security will be more problematic. By opting for a proper and complete network security system, the administration can be de-cluttered and all devices on the network such as computers, servers, laptops, mobiles, and network storage devices will be encrypted. Depending upon the type of network security system that you opt for, you can even shut down USB ports individually to avoid losing data on a portable flash drive.

    Reply

  2. One question, does cyber insurance for MSPs typically include coverage for damages to customers? For example, the threat of ransomware through an MSP may impact business continuity for hundreds of customers. Do policies cover that damage?

    Reply

    1. Hi Mike, a Technology Errors or Omissions (Tech E&O) policy designed for MSPs (providers of technology services) (It’s kind of like Cyber Liability mixed with professional liability) Would cover Financial Loss impacts to your business from being sued from these customers.

      Ransomware hits you, the MSP, you can’t access your systems, dead in the water – First Party Cyber Liability

      Ransomware hits you, customers can’t access their systems, they are dead in the water – third party cyber liability (included in your Tech E&O)

      Physical damage is often excluded, but not always.

      Reply

Leave a reply

Your email address will not be published. Required fields are marked *