In a world where there are increasing numbers of regulatory and legislative actions driving compliance, we should not forget the influential role of insurance as a force of change. This is especially true with the managed services profession.
While many MSPs today are focused on CMMC (in the United States) and ISO (in Europe) as upcoming standards of interest, we should pay close attention to what is happening within the insurance sector. Insurance companies, particularly those involved in cyber liability insurance, are undergoing a significant re-evaluation of how they approach MSPs, assess their risk, and underwrite them.
Insurance companies tired of claims made by “self-described” MSPs have realized that a better system is needed for underwriting cyber liability insurance products. Cyber policies are issued to MSPs and their customers, but the MSP is an indispensable element of the cybersecurity defense ecosystem, and the insurance industry knows this!
What makes the carriers' job difficult is determining who is an MSP and who isn't. More specifically, when an applicant wants cyber insurance, the insurance company needs to determine whether the applicant is actually an MSP and whether they follow the best practices designed to lower their overall risk profile.
Insurance is Forcing Compliance
It has been challenging to drive security (and other) best practices across some of the less mature sectors of the IT services industry (note that these are often not MSPs). A common theme amongst less mature break/fix providers is offering compelling IT services to customers while frequently falling short on their own internal IT security practices. This is somewhat understandable, since break/fix providers come from a place where they have not typically had persistent, ongoing access to customer systems. MSPs, by contrast, have been accustomed to persistent, ongoing remote access since the beginning and have taken that responsibility seriously.
The insurance sector has a unique ability to force positive change across the IT services and managed services professions. As cyber insurance policies are being sought after and renewed at increasing rates, the insurance providers realize that they must have more information about the MSP applicants than they have previously received. Part of this is because insurance carriers are gaining more experience in their dealings with MSPs. This experience is not just due to receiving cyber claims. I believe it is because these insurance companies are being exposed to more MSP relationships, and as such, they are becoming more comfortable with them as a profession. Anytime you have more dealings with a particular group, you will inevitably gain more experience, knowledge, and wisdom about that group.
Insurance carriers are now asking more probing questions of their MSP applicants. Questions such as "Do you use multi-factor authentication?", "Are you backing up your data?", "Do you use encryption?", and "Do you perform risk assessments?" are now commonly asked as part of the cyber liability underwriting process. Note that all of these questions are focused on the internal operations of the MSP, not on what it delivers to clients! Insurance providers are catching on that not all MSPs are the same, and not all cyber liability applicants are MSPs.
Just in the last six months, I have fielded countless inbound inquiries from insurance brokers and carriers, each looking for guidance on how to minimize their risk exposure from non-MSP cyber applicants (the break/fix providers) and how to ask the best questions of these applicants to assess risk quickly. As this activity increases, I believe you will see massive widespread change happening throughout the world as MSPs (and break/fix providers) race to shore up their internal security practices, perhaps mainly to just keep their cyber liability insurance.