The daily stories about breaches, hacks, and ransomware have continued unabated in 2024. But how much of the damage wrought by cybercriminals is protected by cybersecurity insurance?
Network Assured has compiled some startling statistics, including:
- The global cybersecurity market was USD 7.60 billion in 2021 but is expected to triple by 2027.
- Twenty-seven percent of data breaches involved a policy exclusion that prevented a partial or full payout.
And Warren Buffet recently declared cybersecurity insurance too risky for his company to invest in.
So, where do industry experts stand on cybersecurity insurance and its viability?
Shaun McAlmont, President and CEO of California-based NINJIO Cybersecurity Awareness Training, says that cybersecurity insurance provides great protection from the dangers lurking online because those dangers can be costly.
McAlmont cites a study by IBM showing that the average cost of a data breach in the US is $9.48 million. “The degree of risk today is such that cyber insurance is a business necessity and, as long as that risk continues, there will be a market for cyber insurance,” he says.
However, policies will be governed by more stringent rules in the years ahead. McAlmont adds, “We will certainly see more cyber insurance policies place even stricter requirements on policyholders to demonstrate due diligence and care on the part of every member of their organization. That will require more investments in both technical solutions and awareness training that meaningfully reduces risk.”
McAlmont believes that all of these factors, plus more stringent reporting requirements by the U.S. Securities and Exchange Commission (SEC), point to the need for cybersecurity insurance. “The SEC’s new rules for breach disclosure underline the importance of cybersecurity and risk mitigation for business continuity, shareholder value, and overall economic strength. That contributes to the ongoing need for cybersecurity insurance,” he says.
An MSP’s viewpoint
However, there is some confusion over which parties need to carry the insurance and how best to implement it. For a deeper dive, SmarterMSP.com caught up with Steve Griffin, co-founder of L3 Networks, a California-based managed service provider (MSP) that specializes in cybersecurity, to help answer some further questions.
Who should carry cybersecurity insurance: The MSP, their client, or both?
Griffin: Both, and it should be required in your master services agreement (MSA). The client is often at fault when a security incident happens, either by their direct action or policies. The MSA should specify that the client’s insurance is primary and noncontributory and both parties waive any rights of subrogation against each other.
How important is it, in your opinion, that an MSP carries a cybersecurity insurance policy?
Griffin: MSPs should carry insurance to protect themselves if they are directly hit by a cyber-attack or, more likely, one of their vendors is causing an issue for the MSP. Consider the Kaseya incident in July 2021 or any zero-day vulnerability exploited on one of your vendor’s products. This will be a straight line back to the MSP; the insurance will help with the legal issues and pay any claims to settle where warranted.
What are the most important factors to staying compliant with the terms of the cyber insurance policies?
Griffin: MSPs should work with their clients to review the insurance application together. Ask questions of the client’s broker and carrier; they are usually happy to help with clarification. Good written communication about areas that are not clear will help avoid misunderstandings that may lead to an undesirable outcome if a breach occurs. Go above and beyond where you can, especially in recovery. You may not be able to stop every breach, but you should always be able to recover.
How onerous are compliance requirements on a cyber insurance policy?
Griffin: Applications vary depending on the carrier. Some still have the 1- to 2-page basic questionnaire, which is less common now. Most carriers now require an incident response plan, documented testing of the plan, employee training, and more. These modern applications focus on the processes just as much as the deployment and management of the technology, which is the biggest shift. Depending on the business, this can mean significant changes in the qualifications for cyber insurance.
What should an MSP look for in a cybersecurity policy?
Griffin: We like carriers who are engaged, accessible, technical, and know the MSP business. Having a conversation with an insurance company with the right resources is a significant advantage. It cuts through the learning curve you may encounter with those carriers who are not properly outfitted to serve MSPs.
MSPs should be aware that cyber insurance protects against direct cyberattacks or incidents caused by their vendors. However, compliance does require proactive adherence and collaboration with clients. It is also important to understand that modern insurance applications demand comprehensive measures beyond basic questionnaires, including incident response plans and employee training, so MSPs must plan accordingly.