Providers of managed security services may soon find themselves working more often for cyber insurance companies that are getting involved in cybersecurity both before and after a breach.
To begin with, the requirements for renewing cybersecurity policies are becoming more rigorous in terms of the platforms and processes required to qualify. Further, some cyber insurance companies are now requiring organizations to contact them before anyone else, including law enforcement agencies, in the event of a cybersecurity breach involving a ransomware attack. Finally, cyber insurance companies must then evaluate to what degree data can be recovered versus needing to pay a ransom to recover what has been encrypted.
A new route to market for MSSPs
In some cases, cyber insurance companies are contracting with managed security service providers (MSSPs) to help them make that evaluation. And in effect, they are creating a new channel through which providers of cybersecurity services are being engaged.
It’s not clear yet how prevalent this shift in the relationship between cyber insurance carriers and the organizations they protect has become, but what is apparent is that the dynamics of how cybersecurity services are being delivered is changing.
Many organizations, rather than investing in cybersecurity themselves, decided it was easier to take out a cyber security insurance policy. The challenge is now that many of those same organizations want to renew those policies, they are discovering that carriers that have already chalked up billions in losses have become a lot savvier about terms and conditions. In fact, many organizations may discover that cyber insurance policy claims are going to be at the very least initially denied.
Striking a balance as conflicting priorities arise
Managed security service providers (MSSPs) could easily find themselves caught up in a conflict between two proverbial masters. Should they decide to partner with cyber insurance providers, they might find themselves at odds with the interests of the end customer so MSSPs will need to tread carefully. There may even come a day when MSSPs will find themselves on opposite sides in court as they testify in support of one party versus another.
In general, the increased influence cyber insurance carriers are starting to have is a good thing in the sense that it will require organizations to invest beyond what might merely have been required once to meet a basic compliance mandate. However, there’s no doubt contracts will become even more complex than they already are. One of the most important assets any MSSP can have now is a law firm well-schooled in how the nuances of contract laws might be applied to cybersecurity services.
In the meantime, MSSPs will also need to up their game to also qualify for cyber insurance. The total cost of being an MSSP will rise as premiums increase. Cyber insurance carriers, meanwhile, will naturally look for any legitimate reason to deny a claim. The challenge for every MSSP is finding a way to strike a balance between meeting those requirements and the need to consistently turn a profit in a security services sector where competition remains cutthroat as always.
Photo: Jakub Krechowicz / Shutterstock
There are also new governmental and supply chain compliance issues driving the need for an enhanced Cyber Security posture for all U.S. businesses. It is time we as a country stepped up to meet the challenge of the new risk landscape.