As cyber insurance requirements become more stringent, managed service providers (MSPs) are finding a need to make sure clients that don’t implement appropriate levels of security, either sign a waiver or find another provider.
When the first wave of ransomware attacks started to hit many organizations, rather than improving their overall cybersecurity posture, found it easier to simply increase their cybersecurity insurance. The providers of that insurance, not surprisingly, racked up huge losses as payouts increased. Now, the providers of cybersecurity insurance have either exited the business or are requiring customers to substantially increase their investments in cybersecurity, in order to have an existing policy renewed.
The cost of protecting the business is going up
Naturally, MSPs have become a cyber insurance focal point because those carriers are requiring even more stringent enforcement of cybersecurity policies, simply because the stakes are so much higher. A breach involving an MSP can have a massive downstream impact involving potentially hundreds of clients. Cyber Insurance premiums for MSPs are rising sharply as a result.
The issue, of course, is as requirements become more stringent there is less chance of payout in the event of a breach. MSPs are also employing waivers to indemnify themselves from any claims customers that may not have made appropriate levels of investment in cybersecurity, might decide to make in the wake of a breach.
In general, there is something of a virtual cybersecurity cycle in all this. Many IT and cybersecurity professionals have been asking their organizations to make those investments for years. Cyber insurance carriers are now forcing the issue in a way that should ultimately benefit MSPs. After all, the fewer security incidents there are, the less overall stress there should be for IT and security professionals that work for the MSPs. Hopefully, that reduces the level of staff burnout and subsequent turnover MSPs currently experience. The cost of achieving that eventual outcome, however, is not insignificant. MSPs are being required to add the layers of defense that they then need to find more cybersecurity expertise to manage.
MSPs shouldn’t sell themselves (or their customers) short
Despite those costs, however, MSPs would do well to remember they are a primary target for cyber attackers. In fact, a new report from Barracuda Networks finds 14 percent of the ransomware attacks discovered in the last 12 months were aimed at IT service providers. Cybercriminal gangs well understand that any successful attack against an MSP could pay massive dividends. The challenge is that malware might linger in an IT environment for months before it’s activated.
Of course, the level of cybersecurity investment will vary by MSP. There will always be MSPs claiming to offer a level of cybersecurity at a cut-rate price that is impossible to achieve. MSPs should ignore those rivals because any customer that is buying cybersecurity services solely on price is probably going to be more trouble than they are worth. The chances that customer really appreciates cybersecurity enough to make any additional ongoing investments is slim to none, which means it will inevitably be left to the MSP to do the right thing regardless of the cost incurred.
Photo: VideoFlow / Shutterstock
Great article about the challenges of having clients improve their cybersecurity.
All MSP are a prime target, especially the any RMM tool, once they have access to that it’s a massive vector point for mass access
I agree with this 100%. The cyber liability carriers are finally coming up to the level of requirements that better MSPs have been requiring of clients for some time. And, all MSPs are not created equal – particularly with cybersecurity. There is a higher cost for better cyber talent.
We’ve had to fill out a lot of cyber security insurance forms this year. Nice to see clients listening to recommendations and understanding the risks.
Very insightful article!