With ransomware attacks, social engineering, and data breaches at an all-time high, terms like “cybersecurity” and “cyber insurance” are being thrown around in conversation more than ever before. But what, in practice, do they mean – and how are the two intertwined?
At the end of the day, cybersecurity and cyber insurance are two sides of the same coin, and working to achieve both can offer protection before and after a malicious attack. Insurance can provide an additional layer of security for your business, but it is important to remember that “additional” and “optional” are not synonyms. Cyber insurance is often not prioritized as much as cybersecurity despite being a saving grace for businesses that suffer from any kind of data breach.
Apptega’s recent conversation with Robert Merva, owner and CEO of the security-focused managed services provider Avrem Technologies, and Mercy Komar, an insurance advisor and risk manager at L. Calvin Jones Insurance, details the relationship between cybersecurity and cyber insurance and what you need to know about both. The following is a transcript of the conversation edited for clarity.
Robert Hilson – VP, Apptega: Robert, what role do you, the managed service provider, play in helping these organizations meet their regulatory requirements?
Robert Merva – CEO, Avrem Technologies: We provide the perspective and expertise to guide people in the right direction. We bring new ideas to the table, and we are familiar with more technologies, so our clients don't have to do it alone. They can rely on us.
Our primary role as a managed services provider is to balance a couple of things: the outlook for the goals of the business, the need for security, the best practices around security, and the convenience around that security.
It's our job to balance all those things, keep them all in the correct perspective, and work towards the best interest of the business in terms of their outlook, growth, and goals, as well as the security that they need and the best practices they need to implement.
Apptega: Well said; and to the point of best practices, tell us a little bit more about what that playbook looks like and how these businesses can ensure that they are staying up to date with these regulations and requirements that are changing constantly.
Merva: For us, it all comes down to the frameworks. We're not trying to reinvent the wheel. There are governing bodies now that have dedicated their entire outlook to publishing these frameworks, keeping up on best practices, and coming up with new versions of these frameworks and these documents, which takes the guesswork out of the equation, as far as I'm concerned.
You must keep up to date with the frameworks and constantly reevaluate them. As MSPs, we're constantly looking at the prescribed treatment, identifying the gaps in your current protection, and then trying to correct those gaps. It's an ongoing and continuous process that, I will admit, I personally struggle with a little bit. I got into this field because I like solving problems and I like to get from point A to point B. The idea that this is an ongoing process is a little bit difficult for me personally, but that's the way it needs to be. This is an evolving and ever-changing industry and landscape.
The need is there to constantly reevaluate your position and your alignment to these frameworks. It is very much an ongoing process – and it is a lot of work, frankly.
Apptega: Mercy, let's talk specifically about the insurance component of this. Would you tell us more about the relationship between an organization's cybersecurity posture and how that relates to actually applying for insurance coverage?
Mercy Komar – Cyber Risk Manager, L. Calvin Jones Insurance: Insurance companies now base their coverage on security. We've split things into small-to-medium-sized businesses, which the insurance industry considers $100 million of sales or less, and large businesses.
The insurance company is thinking: How much are we going to charge you? Are you really good and secure? If so, we have one set of charges. If you are not good and secure, (they ask) are we going to cover you at all? Or are we going to charge you more?
Security is really the standard now, which was not the case originally.
They want to see MFA (multi-factor authentication) now. I joke, “MFA, MFA, MFA, MFA. If you're not repeating it in your sleep, you're not paying attention.” It is the multi-factor authentication that they want to see – and encryption.
Insurance companies want to see employees being trained and, in the next year, they are going to press on that much more. They are looking to see whether there are off-site backups and if you have a breach plan. If something happens, do you know whom you are supposed to call? Do you know what you are doing? It's all security-focused now, rather than just generally based.
Apptega: And Robert, how much are you thinking about ensuring that your clients meet the requirements of a framework versus getting them to an insurer and getting them covered? How much of the insurance piece is the end goal in your mind?
Merva: That is one of the end goals. I would say the primary goal for me is their security. I do not want to be woken up in the middle of the night because of ransomware or an email breach. That's my nightmare. Security is priority number one.
If something like that happens, though, a business' only recourse is probably going to be insurance. The dollar amounts we are talking about here for the smallest businesses are a million dollars in ransomware ransom or a million dollars in lost productivity. That is going to hurt most of the businesses that we work with.
If I can't protect them, and there's no guarantee I can, their recourse in these situations is insurance. Securing that coverage is our second goal.
Apptega: And this may go without saying, but for smaller businesses, some of these events are potentially existential if you're not insured, right?
Merva: These are business-ending events most of the time.
Long gone are the days in which cybersecurity and cyber insurance were siloed and optional. Cyber insurance offers an extra, and necessary, layer of protection for your business and a safety net in case of emergency.