Ep 252 | Don’t Rely (too much) on Cyber Insurance; MSP Economics Update for Q2; Should MSPs Represent Themselves During M&A Deals?
Weaver Outrage Meter: Low
Don’t Rely (too much) on Cyber Insurance
Barracuda surveyed 400 enterprise IT and security professionals globally, ranging from IT managers to CISOs, to discover the biggest cybersecurity challenges businesses face in 2023.
- Are organizations placing too much emphasis on cyber insurance?
- What should MSPs do about this?
- Are cyber insurance policies being used to target ransomware victims?
MSP Economics Update for Q2
We just had the latest MSPAlliance Inspire meeting last week in Boston and it was a blast. It was a little chilly, but the group went to a Red Sox game, had a fun time, and got a lot accomplished. One of the outcomes was an update of unanimous agreement regarding the economy and its impact on managed services operations.
- Is the Q1 slowdown still in effect?
- What does Q2 have in store for MSPs?
- What are MSPs doing to plan for the future?
Should MSPs Represent Themselves During M&A Deals?
We are in the middle of a curious period of MSP M&A. M&A deals seem to have slowed, and yet MSPs still report pestering from brokers and buyers trying to sign them up as clients. What can we make of this?
- M&A demand is still strong amongst the MSP profession
- Every MSP (buyer or seller) should have representation
- Don’t fall for traps that entice you to represent yourself
You’re entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.
All right, time for another episode of managed services. Opinion, fact, best practices, all of that wrapped up into one, and not the least of which is news, and we’ve got a fair amount of that. The information on this episode is really important because not only do we have some interesting data on the economy and what MSPs are facing in the second quarter of 2023, calendar year that is, but we’ve got some other important input from the MSP market on things such as cyber insurance and its impact on potentially preparing for and getting through a cyber attack. What that means, what you would do, what you don’t want to do, and then some really interesting – I don’t know, this is out of left field type of stuff, but the most bizarre email and guidance that I’ve ever witnessed from a firm about mergers and acquisitions in the MSP space. And I’ll save that one for last, because that one’s a doozy.
So jumping right in – this first segment comes from our friends over at KnowBe4, and it was a blog post they did covering a Barracuda ransomware study that they conducted. I think it was this year. I’m not sure. I have to check on that. But yeah, it was a 2023 Ransomware Insights report commissioned by Barracuda and everybody does some sort of ransomware cyber study these days. In fact, it’s so common that they almost get lost. I hate to say it because it’s such an important topic, but everybody does one. I kind of take them all with a little bit of a grain of salt, but I try to pick out little bits of wisdom and little gems of knowledge, if available, in each of these reports because they generally all focus on one thing, one unique takeaway. And I suppose that that’s valuable. But just because of the prevalence and the amount of cyber-related research, some of these are not really research. I’m not talking about the Barracuda one. I haven’t studied it, but there’s a lot of stuff out there that’s a lot more propaganda than they are research. Again, I’m not claiming that that’s what Barracuda is doing, but I always just kind of look at it with a bit of a tempered view. But I thought that this was an interesting study for a few reasons.
Number one, and it fits into previous analysis and intel that we’ve been receiving about how bad actors operate within their community.
And the Barracuda Ransomware Insights report for 2023 focuses on one area in particular that I am very interested in and many of you are interested in as well, and that is cyber insurance policies.
And I’ll just start reading from the report because there’s a couple of bullet point takeaways that they listed here.
73% of organizations reported at least one successful attack in the twelve months. Okay. Fairly high. Consistent with many, many other reports of this type over the last several years that have been tracking, again, a very, very high percentage of successful attacks. Not that unusual. I hate to say it, but consistent with what we’ve seen.
Second bullet point, 77% of organizations with cyber insurance were hit by at least one successful ransomware attack.
Third bullet point, 65% of organizations without cyber insurance were hit by at least one successful ransomware attack.
The second and the third bullet points are interesting. And here’s why I think they’re interesting.
Let me preface everything by saying cyber insurance has been an element in the MSP Verify framework for over ten years. A very, very long time. Okay? So we have been proponents of, and we are, we continue to be proponents and advocates of having adequate insurance for your MSP practice. Adequate across the board, not just, but also including cyber coverage.
But what’s happening here, 77% of the organizations, according to this study, say that they were hit by a successful ransomware attack and they had cyber insurance. 65%, so a lower amount said they were also hit by ransomware, but they didn’t have cyber insurance.
Can we draw any conclusions from this? Maybe. Maybe it’s speculation, but I think it’s useful to go down these paths every once in a while.
We have long known that the bad actors have modified their methods of attack and surveillance to include more surveillance. To say not just gain access to a network and then immediately trigger a payload or deliver a payload or inject the malware into the system. They do a lot of surveillance. They look around, they observe. If they can exfiltrate data, they do it. But if they can’t, they don’t want to without raising suspicion.
They look around, they look into files, they see financial reports, bank account numbers. Why wouldn’t you, right? Ultimately, they want to get paid. So that’s one of the first areas they go to. But what are some of the other areas inside the network that they like to go, that we know of? They like to go and see what type of insurance the organization has. Could this be relevant? Could this be in some way part of the profiling techniques of the bad actors before they actually go ahead and deliver the malware payload? It seems pretty logical, folks.
Wouldn’t you agree that if you were a bad person and you were looking to pull off a ransomware heist, that you want to get the most money possible, so you’re going to look for the entity that has the best capability of paying. And if you know that ransomware policies are going to be more likely to pay out because that’s their whole purpose, is to pay out, why wouldn’t you maybe ask for a little bit more? Or you might even, and this is the reach here, but I actually didn’t bring this up. I raised this same point last week at the MSP Alliance Inspire meeting, and someone else, I won’t say their name, and as soon as they said it, everybody else started nodding and saying, yeah, that seems highly likely. Maybe some of the cyber insurance carriers were compromised to obtain a list of providers, organizations, any entity who has cyber insurance, to get that list in the hands of a bad actor, you could understand why they would be looking at that with some amount of pleasure, because now they know who is covered, who isn’t covered.
And it doesn’t mean – because it wasn’t a huge distinction. 77% to 65% is the distinction between successful targeted ransomware attacks on those with versus those without cyber policies, but it’s noticeable, it’s a lower amount. And maybe it means simply that once they were inside the network and they gained access and they’re looking around, they see, oh, they got some good-sized bank account, but they don’t have cyber insurance. Maybe they don’t ask for as much because they know that the company is going to have to pay it out of pocket. Maybe they think that if they do have cyber, they’re going to ask for a little bit more because, again, that’s what the policy is there to do. It’s not that difficult to see why that might be a logical conclusion and why that might actually be the mindset of some of these bad actors.
And I don’t know if anyone’s actually ever – I don’t think anyone’s ever studied the bad actors. I’m sure that there have been interrogations. I’m not aware of any type of report or research that has been done on interrogations of ransomware gangs or individuals who have been arrested or just interviewed and asked about their trade, their tradecraft. Someone probably knows that out there, but I haven’t seen anything like that. Maybe law enforcement knows, but I think that that is a very interesting takeaway from this study and I especially like the fact that once I was presenting these statistics to the MSPs, they immediately were on the same wavelength and said, yeah, well, that makes sense. They would want to know if there’s an insurance policy and they might ask for more money. They might prefer to find an organization that does have cyber.
Now, some of you are already thinking, “Charles, are you saying that we should advocate to our customers that they ditch their cyber insurance?” No, I’m not saying that. But think back last year, I think it was last year, where we had a conversation with a state CIO who first raised the issue of ditching their cyber insurance policy and going the self-insured route, the captive route. And you can’t ignore that. You can’t ignore the incredible pressures and the – I’ll just say it, the unsuccessful attempts at the cyber insurance industry to understand and come to grips with the organizations they’re attempting to serve and it doesn’t mean that they’re not smart, but they have been unsuccessful. That is a patently true statement. You look at many of the major platforms out there who offer cyber insurance, who have retreated from the cyber insurance market, not necessarily exclusive just to MSPs, but they just don’t like it because they don’t understand their risk exposure. Again, not new themes. We’ve talked about this so much, but this is just one more layer, one more facet or angle to think about as you are guiding your MSP customers along the path of good cybersecurity hygiene. And if they start to ask you, “Hey, MSP Trusted Advisor, do you have any advice for me on should I, should I not get cyber insurance? If I should, where do I go?” These are all important things to think about and I’ll leave you with this. If you have cyber insurance, what I absolutely wouldn’t encourage is you to think that that cyber insurance policy means that you can do whatever you want because someone else is going to cover you and write that check. That is the worst possible way that you could view not only your own cybersecurity posture, but also that cyber insurance policy, should you be fortunate enough to get one at a price that you can afford. We’ll keep covering this, but I just wanted to present that to you. 
We’ll include a link to the KnowBe4 blog post and also to the underlying Barracuda Ransomware Insights report. Take a look at it yourself. Tell me what you think.
On to the next bit of news. We just had our second of the year MSP Alliance Inspire meeting in what I’ll say was very fun, but somewhat cold, Boston. We were there late last week and we got to see a Red Sox game, which was really epic. Great ballpark at Fenway. Everyone had a blast and we had a fantastic discussion. And part of our research in the managed services market, the ongoing research that we do, is – most of it’s informed by discussions with MSPs. The MSP Alliance Inspire group happens to be a cross section of the larger MSP community globally that we like to call on because we have access to them, number one. And number two, we can ingest a lot of data from them and draw conclusions rather quickly based off of the type of cross section group that we have.
What does that mean? Some vendors out there and some research analysts, they’ll say, well, our sample size has to be 100, 200, 2,000, 5000, depending on how big their overall group is that they’re wanting to statistically sample. And that’s appropriate for doing a research study of any type. But we also have other means of talking to and ingesting data. And I’ll call that maybe more anecdotal. Except this is more than anecdotal. These are MSPs, whose really only commonality between all of them, other than the fact that they’re all MSPs, is they all have the MSP Verify certification, which means that they’ve all passed a threshold level of certification review by a third party. Beyond that, they come from different geographic areas across the world, mostly right now, North America. They are different sized companies. They have different types of customers, they have different types of service offerings, they use different platform tools, different RMM, different ticketing, different backup, different security, et cetera, et cetera. So they all have – And not saying that there are not some commonalities between them, right? Some of them may use the same RMM, but it’s not across the board. It’s not like if you go to a peer group for a particular vendor, you’re going to see predominance of that peer group using that tool. Stands to reason. Not so with Inspire. There is a lack of homogenization across this group, which is – that’s less important to me than the different types of customers, the different size organizations, right?
So this isn’t a size issue. And one of the indictments that I have of the peer group model is that when you try to look at a financial comparison and I get why they’re doing it that way, and I acknowledge that there’s some merit to doing that, beyond that obvious financial examination of a group of $5 million MSP organizations, that’s really all you’re getting. When I have in front of me a group of MSPs, some who are at 150 employees, some are at 15, some are at 50, some are at 75, some are at 30. There’s a huge mixture. They’re all over North America and they have different customers, they have different tools, they have different service offerings, they have different levels of maturity to an extent. And then when they start to have commonalities of the things that they’re seeing, that’s when I say, that is an interesting data point. Because now I can rely on that data a bit more than I could if I just talked to ten MSPs of they’re all one size. They’re all $5 million companies or they’re all ten or $15 million companies. Right? And if they’re all using one RMM vendor, or if they’re all using one ticketing, or if they’re all selling the same type of service, you could see why you’re going to start to get a diminishing level of quality of the data.
So one thing that came out of the Inspire meeting in Boston last week was the question was asked, “Hey, look, in Q1 of this year, there was still optimism, but there was a fair amount of – everybody acknowledged that there was a kind of a wait and see or a postponement of discretionary projects. Managed services was still strong. They were still getting new customers, they were still keeping their existing customers. But the spending kind of had been put on pause, at least in terms of, as I mentioned, discretionary project spending.”
So I asked, “Has anything changed in Q2?” Across the board, across the board, the phrase was the floodgates have been opened again. So whatever the pause in Q1 and there’s some reasons why. I think there’s a lot of uncertainty. There was a lot of inflation and economic and recession discussion and fear. Not saying that all of that has gone away, but I think in Q2 now, there is enough confidence that the floodgates have been opened, quote, unquote.
And I thought that was really interesting because MSP sentiment is often a really good indicator of not just how MSPs are doing, but how their customers are doing. And again, remember, these are customers across many, many different vertical markets. This is not just MSP customers in retail in Boston, or in finance in Chicago or New York, or in entertainment in California, or hospitality in Florida. They’re all over. They’re all over the map. The customers are global customers in this tight group. The customers are all over the world. They’re buying all types of services from these small group of MSPs.
And that’s what I found really interesting, is that they’re all reporting largely positive and open – I’m going to say open checkbook. But the floodgates are open, the deals are flowing. The work is being secured at a pace, I’m pretty sure they said this, at a pace that they’re having difficulty keeping up with. Very different than Q1. And I thought that was really important and enough to express it to you all here. It’s good to know.
Could it change? Absolutely. It could absolutely change. And we keep asking this question. So if it does change in Q3 in the San Diego meeting, we’ll let you know. Absolutely. We’ll let you know. But it’s a good enough indicator, along with other economic and data point indicators, that we have to say, “Which way is the wind blowing in the MSP sector? What is the pulse? Is it good? Is it healthy? Is it unhealthy? Is there something to be concerned about?”
I think that that was one really good takeaway from that Inspire meeting. And again, I hope that all of you can take that with some measure of confidence and hope and begin to adjust your Q2-and-beyond strategies.
Again, I think that as we go through these somewhat difficult economic times, I’ve said it before and I’ll just cap the segment off by saying it again, if you are in any way on the less mature side of the managed services evolutionary scale and you have any hope or sense of self-preservation and you want to be around tomorrow or next year, I can’t stress this enough. You need to get more and more involved in managed services. And you need to ditch as fast as possible any reactive work or customers that you have as quickly as possible.
I’m not saying fire your customers. If they can be salvaged, if they can be saved, if you can convert them to managed services customers, do it. Not only will they be safer, but you’ll be better off. But if they can’t, you need to get away from that type of business model and that type of customer profile as quickly as you can and get as quickly as you can towards more managed services customers. Because not only are they going to be safer, you’re going to deliver a better service to them and have a better relationship on the whole, but also your revenue and your MSP financial security will be far better. Especially during up and down economic times when you don’t have to rely on projects, when you don’t have to rely on reselling hardware or software, and you have a core-stable, sufficient managed services, recurring revenue base to keep you afloat. That’s a really good position to be in and it should give you a ton of peace of mind no matter what the future may bring. So, bit of advice there.
And then finally to the cherry on the top. This was as close to a crazy email that I got as I’ve ever gotten in the last couple of years. This is an email that – and I’m not going to mention who the company is because it would be unfair, but some of you may have received this email. This was an unsolicited email. I didn’t sign up for this. These guys just spammed me. And it was top five M&A best practices/tips for MSPs, something like that. It’s close to that, but it was M&A focused for MSPs, top five list. Okay, so I thought, I used to do M&A. Curious to see what the community is up to, so I clicked the link, I went in and put in my information and I got a small couple of page report, white paper. I started reading…
Number one, have good financials. Check. All right, I’m with you so far. Step number two, be able to show a good trajectory for your business. All right. Pretty common sense, nothing new. Check. Move on. Three, four. Both followed the first two and they’re very not wrong, but not revolutionary stuff by any means, but it was sound advice. Okay. And this is going from five down to number one. So the five through two were fairly normal. Nothing extravagant, nothing wild, nothing innovative, just good old fashioned advice for M&A MSP candidates.
The number one.
And at this point, I couldn’t believe what I was reading because it was so stupid. It was so dumb. And I caught myself looking at things. Is this a joke? No. Nobody puts a joke in a white paper. This is real. They’re serious and they don’t know how bad this makes their firm look.
What did number one say? The number one advice for MSPs looking at selling their company in an M&A deal in 2023… Don’t have anyone representing you. That was the advice. Don’t be signed on with another broker. In other words, just go to them. Don’t use anybody else. Go to that firm, have them represent you. And that is the number one advice that they could give you.
And actually, when I think about it now, it’s a bit tongue in cheek, but they weren’t meaning it to be tongue in cheek. They were really serious. They actually articulated in this best practice that when you are represented by someone else, it makes it really hard to negotiate a deal. So it’s better off to just use them. And that way you don’t have to worry about selling at optimum price. They’re going to represent their buyer and help you get there all by themselves.
So I thought about it and I thought about it and I said, should I really talk about this on the podcast? Is this worth? Yeah, I probably should because God forbid somebody reads this white paper and comes across this and they say, yeah, this is probably a good idea to do it. Let me tell you something right now, for the record, it’s not a good idea. It’s a stupid idea. You should always have someone representing you.
And I’m not just talking about legal representation. You should have someone who is helping you to negotiate throughout the entirety of the process, including the part involving the lawyers. Because I guarantee you, on the opposite side, there’s going to be someone representing the buyer. And this was a sell-side operation. I could tell. I’ve been doing this long enough. This is a sell side shop. They’re looking for MSPs who want to sell and they don’t want to deal with anybody else who’s out there representing you. Fine. I mean, if that’s really how they want to play their game, then so be it.
I just wouldn’t want any MSPs out there to be thinking, hey, this is a really good idea, that I just go at it by myself and hope that this firm is going to do well by me. I just think that that’s not right.
And so it got me thinking and I did talk to the Inspire Group in Boston about this and this is kind of what they had to say. They said M&A demand is still strong. The brokers, the intermediaries, the bankers are definitely finding it more difficult to find qualified MSP sellers. So they’re having to resort to these methods to recruit more sell-side opportunities.
Number one, that in and of itself is really interesting because it tells me that with inflation, with some of the recession discussion and fears that are out there, there could be a bit of a pullback on the stick, right? Those of you not in aviation, they’re easing back on the throttle, they’re slowing down or they’re hitting the pause button on the M&A a little bit. A little bit. Just to say let’s wait this period out before we start continuing at an aggressive path, which, if that’s true, it certainly explains these types of emails and aggressive recruitment strategies by consulting firms trying to get sell-side MSPs because there are not a lot out there. Deal flow might have slowed down a bit.
The MSPs there all said, “Yeah, you got to have representation. Whether you’re buying, whether you’re selling, have somebody in your corner who can be level headed, talk you off the ledge, applicable to both buyers and sellers, and really help you with a keen dispassionate mind through what will ultimately be a very passionate and emotional period.” I’ve never seen an M&A deal that didn’t have – even with the coolest minds in the business – passions can run high frequently and often.
And finally, don’t fall for traps that kind of entice you into dealing with a broker, where they’re telling you don’t represent yourself, where they’re saying don’t have someone representing you because obviously they want someone to represent you. They want them to represent you. They want to represent you going to market as a seller, fine. But make them argue for why they’re going to be good at that. Make them argue and show you why they understand your business model. Make them tell you why they have a good list of MSP buyers and what their level of knowledge is of the MSP profession to even make that type of list functional for you in getting a good price for your MSP practice.
It was just a crazy, crazy thing. I’ve not heard of this firm before, so again, my gut tells me that either they’re new or they haven’t been really successful. But if you ever run across them, just be careful, right? Do your due diligence, ask good questions, ask for references, and proceed at your own pace.
And I think that’s a good bit of advice, but definitely have representation.
Until next time, thanks for listening. If you enjoyed today’s episode, please give us a like, make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone.