As organizations around the globe grapple with the consequences of data breaches, MSSPs have a unique opportunity to help their clients build and manage mature security programs and employ other necessary protections to keep their businesses safe.
An important but unfortunately complicated part of that is cyber insurance.
Cyber insurance covers expenses related to cyber event response and recovery and often also associated soft costs.
The challenge, however, is that many organizations, especially small- and mid-sized businesses (SMBs), don’t understand the constantly changing cyber insurance market, nor do many have a good understanding of what their policies do and don’t cover.
Some coverage examples may include costs associated with:
- Ransomware attacks
- Social engineering
- Credit monitoring
- Fraud response
- Data restoration
- Legal fees
- Electronic theft
- Income loss
- Privacy regulations
- Public relations expenses
While cyber insurance may be seen by some as a safety net if a breach occurs, it’s not compliance-driven, and having a policy doesn’t mean your clients are fully protected from breach fallout.
As an MSSP you’re in a great position to help your clients understand what they need and support security practices that meet their cyber insurance requirements.
But, where do you begin?
Today’s Threat Landscape
First, it’s important to understand today’s threat landscape, not just for your organization but for your clients as well.
The ongoing challenge here is that cybersecurity attacks are on the rise and security is—and will always be—a moving target. So, it’s important to keep up with current best practices to help your clients build programs that proactively defend against potential attacks.
Often, especially for businesses and executives that aren’t IT-focused, that begins with encouraging a shift in mindset that no organization is immune and it’s no longer a matter of if an attack may happen, but when.
In fact, according to Check Point’s 2022 Security Report, in 2021 cyber-attacks on corporate networks increased by 50% compared to 2020. The top targeted industries were education, government/military, communications, ISPs/MSPs, and healthcare.
Why are these organizations targeted? Often, it’s because they have low levels of cybersecurity awareness, making them easy entry points for bad actors.
And unfortunately, a lot of these industries aren’t making necessary security program investments because they don’t understand actual risks, especially at the executive and board levels. Attackers know this and they’ll go after the easiest targets, not necessarily the most lucrative ones.
As a result, cyber insurance carriers see a lot of the aftermath of breaches in their claims. While some occur through a technical avenue, for example, a vulnerability or misconfiguration, human error often drives a majority of these attacks.
It’s worth noting that according to Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involve a human element. That’s why educating your clients, and guiding them in training their teams, is important.
Think of it like this… you can help your clients put locks on their doors and windows, but if one of their employees holds a door open for a cyber-attacker, it’s much easier for them to gain entry.
Common Attack Paths
Here are some of the many methods attackers may employ to target your clients:
Social engineering: Tricking employees into revealing privileged information (phishing). These types of attacks aren’t just increasing in frequency, they’re also getting much more sophisticated. Attackers are getting better at disguising these attempts to look more and more legitimate.
Ransomware and malware continue to be an issue, although nation-state ransomware attacks have begun to taper off, especially during the ongoing conflict in Ukraine.
Vulnerability exploits enable attackers to take advantage of weaknesses in your clients’ IT systems. These are generally simple fixes, but attackers know vulnerabilities leave a lot of open doors out there.
Credential theft is a growing problem. In some cases, this information has been stolen in an older breach, but because many people use the same passwords for multiple systems, threat actors can use that information many times later.
Tech Errors and Omissions Insurance
MSSPs have a lot of uncertainties around cyber liability insurance, not just for their clients, but for themselves. For example, some MSSPs don’t have a clear understanding of the differences between their cyber policies and their technical errors and omissions (E&O) coverage.
Think of your E&O coverage as professional liability coverage. For example, if your team does something wrong, say inadvertently takes down a network when they shouldn’t, your E&O policy may cover costs associated with that.
MSPs need—and should want—this coverage. It provides liability coverage for the services you provide to your clients.
For example, E&O coverage may also play an important role if you help clients complete cyber insurance applications, something MSSPs have been doing more frequently over the last several years.
Exactly what is and isn’t covered—and at what limits—varies greatly depending on a range of factors. As an MSSP, you should have this conversation directly with your broker. Ask, for example: “If, as part of our master service agreement (MSA), we help a client complete a cyber insurance application and something is incorrect, are we covered?” It’s critical to know exactly what your policy covers.
The Evolution of Cyber Insurance
So, how did we get to where we are today with cyber insurance? As an MSSP, you may remember a time when getting cyber insurance wasn’t so complicated.
That’s right. Years ago, quite simply, to get a cyber policy, all your company had to do was demonstrate you had revenue and a website. Back as early as 2015, the insurance industry was still trying to understand what cyber is. There weren’t a lot of cyber events occurring then, so companies wrote a lot of policies quickly with little information.
But it didn’t stay that way. By 2019, carriers saw a sharp rise in claims. Ransomware was on the rise and at most organizations, both awareness and defenses were still low. Carriers, insurers, and re-insurers weren’t prepared. Everyone lost money.
As incidents continue to increase, so does the demand for cyber insurance. As more breaches occur and more payouts are made, insurers continue to lose money. It’s driving the evolution of modern insurance underwriting. That’s why today it’s getting increasingly difficult to get cyber coverage.
Unfortunately, carriers aren’t operating on a consistent framework to evaluate risk. Different carriers have different risk appetites. Some will cover certain industries, while others won’t. And premiums and limits vary just as greatly.
Cyber insurers are all about understanding risk. And they’re not just looking at which risks exist today, but also who is managing them.
In the past, insurers and carriers relied heavily on their agents as boots-on-the-ground to get as close to client risk as possible to help with underwriting. However, today, as an MSSP, you’re likely the actual risk advisor for your clients. Why? Because not only do you know where your clients stand today in terms of their security programs, you should have a solid understanding of what’s being done to manage that risk.
The MSSP Role
Data and headlines show not only are breaches on the rise but there have consistently been rate increases from 2015 to today. So, as your clients’ risk advisor, what’s your role as an MSSP?
Earlier, we mentioned how important it is to work with your clients to shift their thinking to an assume-breach mindset. As such, it’s no longer about if your clients need cyber insurance; it’s about getting them to think about when they will need it.
That begins with helping your clients build a culture of cyber resilience, meaning they’re enabled with the plans, processes, people, and technology they need to continuously operate, even when faced with a range of disruptions such as a cyber breach.
Your MSSP can help your clients see the bigger picture of cybersecurity and its impact on operational resilience so they can have a better understanding of the need for and role of cyber insurance.
How can you help your clients better understand this?
Remind them that cyber breaches are no longer just things they hear about in the news. Breaches are negatively affecting organizations of all sizes across all industries—often to the tune of millions of dollars, reputational damage, and sometimes regulatory and legal settlements.
You may be surprised that some of your clients feel so confident in their cyber defenses, they’ve never actually considered what might happen if a breach were to occur. Many, especially at the executive level, have never done tabletop exercises, which leaves them wholly unprepared to respond and recover when one does.
First, it may be helpful to describe some real-life scenarios that have already affected other businesses. Here are some examples to draw upon:
- An employee inadvertently transmitted a virus to customers and suppliers. The company was sued for failing to contain the virus and losses totaled more than $3 million.
- An email that appeared to be from a long-standing vendor relationship directed a company to update banking information for their account. The company paid more than $200,000 to the fraudster. No funds were recovered.
- A hacker gained access to an employee email account at a small accounting firm. The hacker used the email address to compromise several of the firm’s client organizations. Their affected clients sued the firm to the point of bankruptcy.
With those real-life examples in play, consider conducting tabletop exercises that may reflect actual events that could happen to your clients. Here are some examples. Ask your client to think about what would happen if:
- A hacker gains access to a staff member’s email account and that employee has the authority to direct other staff members or communicate with clients or partners.
- Imagine your reputational damage if your connections to other partners or clients were then exploited and it led them to a breach.
- Imagine the disruption to your business if all of your files and records disappeared suddenly and the systems you use were inaccessible.
These tabletop exercises should put your clients’ response and recovery plans to the test, help identify any gaps or weaknesses, and trigger a review of critical components such as:
- Crisis management services
- Legal counsel
- Public relations
- Credit monitoring for potentially affected clients
- Fraud response
Why are these exercises important? Quite simply, if your client experiences a cyber event, they can easily refer back to the tabletops so they already know what they should do. But to get there, they have to practice.
Reducing Client Risk
There are some things your MSSP can also do to help reduce client risk. If you haven’t already, consider employing these five must-have security controls for your clients. Interestingly, across all insurance carriers, these are the top controls they have unified on.
When these controls are in place, it may increase a client’s chance of obtaining an adequate insurance policy with the best rates.
- Multi-Factor Authentication (MFA) — remote access
- Segregated backups
- Endpoint Detection and Response (EDR) and Next Gen Anti-Virus (NGAV)
- Patching and vulnerability management
- Cybersecurity employee training
More importantly, if your clients don’t have these controls, it’s unlikely they’ll be approved for insurance. And, even if they are approved, they’ll probably have limits and exclusions added to the policy. For example, instead of $1 million in ransomware coverage, it might be only $250,000.
Also, cyber insurance is a hard market right now. That means costs will keep going up. New controls will be required. Insurers are not making money on cyber insurance yet, so expect things to change quickly and often. You’ll need to stay on top of these changes to offer the best value to your clients.
Talking to Clients About Cyber Insurance
Cyber insurance is getting more complicated and a lot more changes will occur in the future. What we know now and can expect going forward:
Data is king.
- Expect everything to be measured. Your clients will have to constantly prove they’re doing what’s required to maintain that policy.
- Right now, what this looks like is messy and unaligned (for example, external vulnerability scans).
Many carriers will reduce their maximum limits.
- Think $3 million total.
- Syndication may be the only route.
Carve-outs for acts of war
- Act of war vs. terrorism
The good news is some cyber insurance policies are beginning to align with, and are driven by, common industry controls such as CISv8 and NIST CSF. Cyber requirements are also more closely aligned with the same types of security questions clients get from third parties and government and other compliance requirements.
How a GRC Platform Can Help
As an MSSP, the more clients you have, the more controls and frameworks you need, and the more difficult it becomes to manage. This is a place a SaaS-based GRC platform can help.
A GRC platform can help by managing all of your client controls and frameworks in one place. It can help prove that required controls are not only defined but actively managed, and increase efficiencies by 30-50%.
By mapping controls together within a single platform, your MSSP can prove for cyber insurance coverage that your clients are:
- Managing all compliance-related components in one place
- Leveraging guidance and policies to accelerate adoption and ongoing management
- Managing internal program goals, tasks, and risks, as well as third-party risk
As an MSSP, it’s important that you understand your company’s cyber insurance policies and coverage, and that your clients do too. Not all cyber policies are equal, so make sure you understand that coverage long before a cyber event occurs.
- When it’s time for renewals, get in front of client policies at least 60 days in advance.
- Understand sub-limits.
- Align with a breach coach now so you’re poised to work together when a breach occurs.
- Preemptively plan for a security event.
- Leverage a SaaS-based GRC platform to improve efficiencies and manage all client controls and frameworks in one place.
Remember, cyber insurance can play an important role in controlling recovery costs, but insurance carriers are likely to continue raising security expectations. As an MSSP, you must stay on top of these changes because ultimately, failure to meet core controls may lead to denied coverage or claims, for you and your clients.