Written by: Charles Weaver, CEO of MSPAlliance
Insurance companies are in the business of understanding risk, so the title of this article may seem contradictory. Still, I believe there is a discussion to be had on insurance, cybersecurity, and managed service providers.
Early Years of MSP Insurance
MSPs went through a long period of having primarily errors & omissions insurance products. E&O policies mostly cover the MSP when it comes to mistakes (i.e., the negligence of the MSP) when delivering their services. During the value-added reseller conversion to MSPs of the early to mid-2000s, insurance companies mostly viewed tech companies as providing consulting and project work related to computers and infrastructure equipment. The insurance profession considered this work to be primarily performed onsite. While this assumption was, for the most part, correct, it did not allow the insurance companies to see the massive and global transition from onsite “computer work” to remote managed services taking place during this period.
Liability arising from such “onsite” work was limited (for the most part) to physical injury or damage to hardware, software, or data. The E&O policies of that era generally went out of their way to exclude incidents which today we classify as “cyber” events, usually involving hackers from far outside the liability zone of the policy. Enter cyber liability insurance.
MSP Cyber Insurance
In late 2007, MSPAlliance began working with the insurance profession to create a purpose-built MSP cyber product designed to cover the typical events MSPs were subjected to as a result of their normal operations. By this time, most of the work in the IT channel involved remote managed services and had little to do with a physical storefront or with damage that would happen in a physical location. Cyber events were on the rise, but nowhere near reaching the levels we see today.
Insurance Companies Do Not Understand MSPs
In the wake of significant global increases in cyber attacks, including specific attacks targeting MSPs, several prominent insurance companies have publicly stated they will be writing less MSP business or leaving the profession entirely. I think this is a mistake. MSPs need insurance as a crucial risk-mitigation tool. Cyber insurance allows MSPs to spread risk in such a way as to encourage end-user organizations to embrace IT outsourcing and gain the cybersecurity protections they so dearly need.
Insurance companies have one of the most significant opportunities over the next several decades to underwrite and protect against risk, particularly cyber risk. Given the rapid rise in cyber attacks, insurance companies can play a role in mitigating risk for organizations by providing cyber products.
The exposure to risk as a result of being in the cyber business is much higher without MSPs than with them. Let me explain. If insurance companies want to lower their cyber risk, then working with MSPs is a necessity. MSPs are often the front line of defense against cybercriminals, especially when dealing with small and medium-sized businesses with minimal or no internal IT departments.
The fact that cybercriminals have targeted MSPs in the last few years was inevitable. Given the prominent role MSPs have achieved in our communities, any cybercriminal must deal with the MSP to achieve their nefarious ends. Put differently, the criminal must break down the front door to rob the house. In this analogy, the MSP is the front door.
Understanding MSP Risk
For insurance companies to effectively and profitably conduct business in the cyber world, they must understand the role MSPs have in protecting business. Beyond understanding the role MSPs play in protecting organizations, insurance companies need to understand the fundamentals of how MSPs operate so they can appropriately and accurately determine MSP risk.
There is little understanding on the part of insurance companies regarding how MSPs operate as a business, what their best practices are, and how they differ from other entities, namely their clients. The insurance profession must come to a rapid understanding of the managed service provider market if it is to make advancements in cybersecurity.