03/22/2021
In this video, Andrew and experts like Justin Rymuth, Gary Pica, and Wes Spencer discuss the pressing issues surrounding cyber insurance and the evolving responsibilities of MSPs in the face of increasing cyber threats. They delve into the importance of MSPs ensuring their clients carry cyber liability insurance and adhere to industry standards, emphasizing the need for clear documentation and due diligence in vendor management. The conversation highlights the crucial role of proactive risk management and the challenges posed by new legislation and evolving insurance requirements.
- The webinar highlights the shift in accountability from MSP clients to the MSPs themselves due to negligence in implementing security measures like 2FA and EDR.
- There is emerging legislation, such as in Connecticut, proposing incentives for businesses to follow cybersecurity frameworks, which indicates a broader trend toward regulatory involvement in cybersecurity.
- Cyber insurance companies are becoming more stringent with policy requirements, demanding MSPs and their clients adhere to security standards and carry cyber liability insurance to mitigate risks.
Video Transcript
All right. Welcome, welcome. Week 42. Welcome all, and, uh, my guest, Justin Rymuth. Justin, welcome as always to us. Great to have you back. I appreciate it. Thanks, Andrew. Yeah, and co-host Gary Pica. Wes Spencer. And hello. We didn't hear that, Gary. What was that, Gary? Hey, sometimes less is more. Less is more. Okay. Fair enough. You're looking very, very clear there. Did you change cameras, Gary? Yeah, I'm trying to keep up with Wes. I'm not quite done. You got a long way to go, my friend.
Yeah. Wow, man. It's getting highly, But the glasses are helping. Thanks for, yeah, the glass. That's where you start. Thanks for the support, Wes. You're welcome. Justin. It's becoming highly competitive on the CY call. Like who can, who can get the best arms, race, audio, and visual equipment, you know? So I'm in last place, so I can create the suspense on that one. It's an arms race, but you gotta start with these, baby. Fair enough.
Okay, so before we jump into Justin, um, who I'm really excited to have back here is really timely. Um, I was on the phone with Justin and, you know, maybe Justin, you do a better job, but I'm gonna paraphrase and then ask Ryan a question on this new legislation that's being proposed in the state of Connecticut. But I, you know, you know, Justin, you kind of talk about, you know, every industry has some kind of consequence, right? You know, following standards. MSPs don't yet.
Can you kind of just give us that narrative and then I'll pitch it over to Ryan here on this latest thing? Yeah, sure. And, and like I said, I, I'll, I'll, it'll kind of probably lead up to what we're gonna talk about in the call, but, you know, we, we're in a situation right now where, you know, over the last year, you know, because of, you know, circumstances, some out of our control, um, you know, we're, we're finding that MSP's clients aren't wanting to do certain things.
Uh, and those certain things could be basic things like 2FA on email. It could be EDR and active threat hunting. It could be a SOC/SIEM solution, you name it.
But what's going on now is that, you know, we are starting to see a turn of an MSP's client's negligence becoming the MSP's negligent, or I'm sorry, becoming the MSP's negligence because, you know, they don't either A, maybe have a cyber insurance policy in place, or B, you know, we're finding a shift of attorneys getting into this space that are going back to the MSPs and saying, Hey, you know, there are standards out there for you to follow. I have to follow the bar.
Justin has to follow the department of insurance. Uh, you know, and a, a doctor has to follow the AMA guidelines, an accountant has to follow the AICPA, uh, guidelines. So whether it's N-C-M-M-C, ISO, coate, why are you not presenting standards to my clients to follow? I'm a little lost here. Yeah, a great segue.
And So, and in my, I'm just saying in my, in my line of business, if I don't comply with the Department of Insurance, for example, in your home state of Florida, I just lose my license and I can't practice anymore. So they, there's no if, ands, or buts, I just don't, you know, and same thing, if I'm in Ohio, if a lawyer doesn't follow the bar and he gets disbarred, he loses his license and he just can't practice anymore.
And I think that's what I was trying to say on the call was that, you know, the MSP might get sued, but there's no license to lose. So they don't have to worry about that. So they then will just turn around and, you know, it, it's obviously stressful. It's, uh, an anxious time if you get sued, anyone that you know, might be on this call that's had it, it's not a fun time, but you don't lose your license or your livelihood if the insurance compensates you or helps compensate the client, right?
Yeah, yeah. Unless you do, Yeah, yeah, yeah. Right. They're not pulling a license unless you can't survive an event, uh, or a lawsuit, which I, I see happen every month. Yeah. So I put a poll up because these polls we did last time, and I want to get your guys' perspective. Has anything changed? So, Ryan, your great state of Connecticut, um, I wanted to ask you, I saw this this morning, put it up in LinkedIn, but really interesting.
And, and Wes, I wanna ask you too, 'cause you know, people are like, well, there's no teeth to this, there's no this, I, I think it's more so interesting that the state of Connecticut is proposing, you know, incentives to follow cyber framework, you know, frameworks ci. In fact, CIS are good friends at CIS who have been on here actually, um, uh, what's the right word? When they, when you, um, they put a press release. Um, yeah, Wes, but they, um, actually, uh, attended the, uh, legislation.
They, uh, testified. Sorry. Yeah, they testified in front of the Senate. And, you know, I know from the background of talking to Phyllis, this is going on in a lot of states. This is not just something that I think we're all, you know, the, a lot of the comments in LinkedIn were like, oh, this is no big deal, this and that. So, but Ryan, 'cause since it's in your hometown, there, any, any thoughts on, on the, uh, legislation being proposed?
Yeah, I mean, I, I think it's, you know, we've, we've been calling, we've been saying this is coming. We didn't know. And to some extent, we still don't know what form it is. Right? Um, you know, and I, I specifically read through the proposed bill's, very short's, like five pages, right? Um, They don't actually mention a framework. The only, the only framework they mention in any sort of kind of direct reference way is PCI, which I think ultimately they're gonna wind up modifying.
But I think really what this is, is it's, I mean, frankly, it's a, it's an issue we're, we're grappling with on the ransomware task force as well, which is how do you incentivize businesses to do the right things from a cybersecurity perspective without putting money in their pocket, right?
And so one incentive is, well, hey, if you have an adverse outcome, but you've done reasonable things to protect your business, we'll give you an affirmative defense, um, you know, and, and potentially limit your damages and further liability from, you know, legal or regulatory, um, fines and actions. Mm-Hmm. So I think like that's a, it's an important thing to acknowledge. I think ultimately the form this takes is gonna be interesting.
Um, the other thing that I found super interesting is they're actually proposing, uh, which this will likely change, um, change an effective date of October 1st. So what I think MSP should really understand here is legislators are trying to target some minimum standard of due care within the year. And that's really your signal that like, if you haven't started to get your house in order Yeah, it's, it's coming. So let me ask you a question.
Like, if, um, we let, we talked about the, uh, Exchange exploit the last couple weeks, and we said, what about when it's Office 365? So what if it was, now it's something massive impacted businesses all over the world and all over our country. How fast do you think tech leaders would've been in the Senate? And how much do you think that would fast track all this stuff? Right?
It's slowly, you know, escalating and escalating, and now you see it almost every state, you're seeing it at a federal level. And that is without one massive event, you know, other than SolarWinds, pretty big event, but I'm saying it affected every single, you know, small business. Yeah, I mean, I, it's, it's an interesting question. I think, I think this is gonna ultimately wind up taking the federal stage.
I think states are driving the conversation as early adopters, but everything I've heard from my, from my colleagues and, you know, government and, um, policy is that like these conversations are being had and being driven at the White House. Yeah. And so I think, again, you know, you're prob MSPs will probably get caught up in some like broad sweeping thing about like, you know, due care and adoption of a framework.
I don't, I, I know there's separate conversations about regulating the MSP industry as a whole, um, that's definitely happening in Europe. And I think the conversations recently started in the US. So, um, again, don't know exactly what form this is gonna take, but yeah, you can, you can believe that pretty soon a lot of people are gonna be starting to be called in front of, in front of the Senate to, to testify and to help shape future regulation and legislation on this. Yeah.
So this, uh, this is the mechanics of our country at work here, right? Like typically you will see regulators at the state level kind of dip their toe in the, the water and say, Hmm, how did everyone react to that? And I think this is a great example of this, of Connecticut kind of being one of the leaders to say, we're gonna get something out there. And a lot of this does come down to iteration, right? Like, um, just like we build software, right?
We don't build software anymore in like version one, version two, version three, we iterate across the way, right? This is the agile method. And I think we're seeing very similar motions at the government level of like some states that are throwing something out there, kind of seeing how it works, getting feedback.
And you're gonna see this circle in, if you want, like examples of this even recently, look at like some of the privacy regulations that have come in for like New York Shield and CCPA and some of the others that like sort of say this is a pathway of how it could be done. Um, especially like in the financial sector with New York obviously leading so much of this, look at what SHIELD has done and look at what we're seeing, the motions come across federally.
And so I agree, I think that's the way you're gonna typically see this happen. The question is, if I were ever called in to testify in front of Congress, my big question would simply be this: physician, heal thyself, right?
Like, at what point does the federal government finally start doing something on their own to protect small and mid-size and even large government when we're traditionally, when you look at like the major news events like the SolarWinds breach and others that are, you know, we're, we're facing nation states. Why is it that cyber is still the only domain of warfare in which we as civilians are caught being the primary targets and the primary protectors of that?
Um, at what point does that change? Yeah. How does that change Yeah. Why we have, have force and not cyberforce. Yeah. Right. And so you see those extensions of cyber inside of Air Force and others. Um, but yeah, that would be my number one question to Congress is what are you doing to affect change? And what are you doing to protect the populace? If someone rolls in with a Russian Army tank in my front yard, we know it's about to happen.
If someone rolls in front with, you know, the latest zero day that nobody knew about because it's Russian state actors going after intellectual property, nothing happens. Uh, that's a problem. Well, listen, Andrew, we can go on this. I wanna, we have, we have Justin here, and I want everybody to, to get that. I'll leave it with this. The bigger the issue, the fast, faster it escalates. Did you ever think government acts so quickly as to get rid of Juul?
Yeah, I mean, literally they were gone in six months, right? It became an issue. It affected kids, it was outrage, it became political, done, gone off the shelf. Well, good, good. Thanks for, thanks for riffing on that, guys. It's really interesting. And you know, as, as someone once I, I heard say change happens slow and then it happens really fast. And, uh, you know, I, I could see that definitely being the case here. So Justin, awesome to have you back.
Could you maybe just tell everybody a little bit about yourself, what Tech Rug does, and um, I highly encourage, you know, we don't sell anything on cyber call here, but I, me tell you, and, and you can't get referrals for telling somebody to go get cyber through you, but get it through Justin, he's awesome. Justin, tell a little about yourself. Well, maybe whoa, whoa, whoa. Justin will decide whether he's willing to do business with you. Alright. Yeah, that's true. Yeah.
Uh, no, I appreciate it. Like thanks for the kind words. It's great to see everyone again. Um, you know, uh, Tech Rug, we are our supply, uh, cyber liability errors and omissions insurance to just over 1700 MSPs across the United States. Um, you know, any more, like I said over the last couple years, I would say we're more in the risk management, risk transfer business, and oh yes, we offer insurance, by the way, as opposed to just leading with insurance.
Um, because, you know, just with everything going on over the last couple years, you know, I, I feel like, you know, if, if that's your lead, right? I mean, at the end of the day, the insurance policy is like calling, you know, the fire department at that point, your house is on fire.
So if we're not gonna be proactive about it, then, you know, again, thank God we've never had to live through this, but I've had calls from other MSPs where, you know, they've picked up business because an MSP didn't make it. Now, I don't know if they didn't make it because they didn't have insurance, they didn't have the right insurance, they didn't have enough insurance. Um, but you know, it, to me it has to be a holistic approach, right?
So, you know, the insurance is one piece of the pie, but you know, as you guys always talk about, and you guys hit on and, and, and various subjects is, you know, there also has to be kind of that risk management or risk transfer component, um, because if not, you know, with everything going on, I mean, Bitcoin a year ago was what, 10,000 ish? Now it's 50,000 ish or 60. I could be off a little there, but boy Russ. So it's going up and, you know, just go to the moon is all, yeah.
So I mean, you know, like for example, if we pay a year ago for, you know, to decrypt 10 servers, it was a hundred thousand, you know, now it's $600,000. So my point being is if you're just gonna look at insurance and you go through your, your client profile and how many hundreds of millions of dollars you support, you know, you better be willing to take out 10, 20, or $30 million worth of insurance. And most people just don't wanna do that. So we gotta focus on other things. Yeah.
And, and you know, you were with us six months ago, Justin, and you brought something up. Um, and, and even in the last six months, um, one of my clients in the vulnerability management space, cyber CNS, we're talking to a lot of companies about their cyber insurance renewals. Man, it's gone from a few pages to five six, I mean, and provide proof, documentation, et cetera.
So you said last time, four, there was kind of four options that the carriers were kind of going through these days because of the amount of the claims and the risk growing and especially when it comes, uh, to the MSPs. Can you just kind of, for those of those haven't been here to hear you or didn't remember that part from last time, can you kind of just refresh everybody what's happening in the carriers space? Yeah, absolutely. So, you know, um, you know, just in 2020, cyber crime was up 600%.
Um, and it's not going to stop in 2021. So I think a great revenue gener, I mean, it's a, it's a good CYA exercise, but also it's a good revenue generating activity for the MSP is, you know, demanding. I would say, you know, maybe put it in your MSA that the client carries cyber liability insurance, I would say as the CIO of the organization, you wouldn't find the CIO of Verizon not telling the CEO of Verizon.
Hey, with everything going on, if they get through, we need really good cyber liability insurance. So I would say all the MSPs on this call as the CIO of Verizon, you need to tell the CEO of Verizon, i.e. your clients, that with everything going on, you need cyber liability insurance, right? The revenue generating activity part is, you know, the carriers are starting to ask more and more detailed questions as you were alluding to.
And if the client isn't willing, so the MSP's end client, if they aren't willing to do certain things, option A is you don't get the policy, you get non-renewed. Option B is okay, you don't wanna have 2FA on your Office 365, we'll sublimit your cyber crime. Everyone else gets 250,000, you get 25. So they're sublimiting and saying, Hey, we'll only offer you certain, you know, limits on those type of insuring agreements.
Then the carriers are also getting into and saying, you know, hey, we'll, we'll there's subjectivities. We'll give you 30 or 60 days to comply, work with your MSP to get this in place. If you do, we'll grant you the coverage that we quoted. If they don't, and you don't, you know, the carriers, a lot of 'em won't, you know, unfortunately, they're not gonna come back to check on it.
But if you don't do it in 60 days and 90 or a hundred days down the road, a claim happens, they'll just deny the claim because it was a subjectivity and a condition of moving forward with that policy. You know, so we're starting to see the carriers, um, and listen, I've been on these calls is, you know, they're a little irritated that clients aren't doing certain things, especially in the SMB space.
So they're saying, Hey, if the IT service providers aren't gonna do it, then we'll make the, you know, we will make their clients do it and we're gonna hold insurance kind of as the ransom. You don't get the policy if you don't do A, B, C, and D and, Hey Justin, can I tell you what happens in the real world? Because I get ds, you know, I, I talk to a lot of MSPs, our peer group through our community, we have as true methods, and here's in the real world, right?
Uh, the insurance company has that conversation with a customer, and if the MSP hasn't been talking to them about all the things we talk about here, they come back and say, Hey, we thought you were taking care of stuff. Why don't we have these things that we need for our insurance? You need to do them, and I don't want you to bill me for it. That's the conversation that they're having because the MSPs aren't educating them before they get to that.
'cause it shouldn't, it should be something that's, that's billable and you, and there's ongoing with it. You have to change your pricing relationship. And so it's just, again, when you translate it to the real world, Yeah, no, I mean, yeah, you're a hundred percent right. I mean, you know, so we've had that where, you know, again, some of our client or the MSP's clients will reach out and say, Hey, can you help out my client?
And then the client will say to me, well, we can't check these three boxes. Why isn't my MSP taking care of this? And it kind of puts us in a little bit of a, a tough situation. But yeah, I mean, I think, you know, again, it's a great revenue generating activity, but even be above and beyond the insurance. You know, MSP's going back to Andrew's, you know, standard question at the beginning of the call, you, they have to ask the client to follow a standard and make that available to the client.
Whether or not the client wants to follow that standard. That's not up to you. When we go to court, I've been in these cases, the the, the lawyer will ask you again, true or false, is there a standard available that my client should be following? True. Why was my client not following? Well, they didn't want to pay for it. My client doesn't remember having that conversation. Can you please provide the documentation? You know, and that's the problem that they run into.
And you know, we just recently ran into a situation where, you know, even an MSP that, uh, was brought into something, uh, with this whole Exchange mess, is that the attorney now, the, the MSP's client didn't have a cyber policy. And so I think the claim between forensics and all that, it was, so it was in the a hundred thousand dollars range. And so the attorney for the other client came back to the MSP and said he pulled the vendor selection card. Why did you pick Microsoft over Google?
What was your due diligence in going through the vendor selection process, vendor A versus vendor B? Did you make my client aware that vendor A does these things and vendor B does these things and allow, and, and that's again, we're getting into that world now. Yeah. Humm, humm, humm. Yeah. Well, I'm glad you actually ended right there with that piece of the equation.
'cause as I hand it over to Ryan, you know, Gary man, we're being asked things that, again, I I would've never have thought, you know, going back a few years ago, right? I'm using Microsoft. What do you mean vendor due diligence? Are you kidding me? So, um, few takeaways that I really wanna make sure people focus in on today. Number one, vendor due diligence. Ryan's gonna get into that right now.
Number two, um, we're gonna have Gary, uh, involved in sales at the end, but really, uh, you're gonna hear Justin hammer this back and forth, and I, he just said it, you know how, you know, the defense attorneys are gonna say, is there a standard to follow? Right? And there is. And so you listen to the line of questioning as we go through this. 'cause man, this is what you wanna start to align your sales process up against.
And Gary, your what your, um, you call 'em network admins, but your alignment process has gotta be around. So really keep an eye on and, and ears open today into these key things. Ryan, why don't you take us away? Yeah, absolutely. I, you know, I'm gonna, I'm gonna call it early. 2021's gonna be the year of the supply chain breach.
Um, and you know, we, we talked about, um, in the MSP tech day last, last week, and I think even on our last cyber call, um, there's a crisis of confidence in vendors. People don't know which vendors are secure, which ones they can trust, which ones they can't, how they would even know, right? I have MSPs to talk to me and say, what chance do I actually have of determining how safe data is?
And I was like, well, as a vendor that actually cares about security, if you ask me a question, I'm gonna give you an honest answer. But like point taken, right? It can be pretty hard. So, uh, picking up on that theme of vendor diligence, you know, can you share anything around what or if the Exchange exploit has kind of brought to the forefront, um, and how that's playing out kind of in your world? So that, that had just come in last week?
So I, I don't have an answer 'cause we're still, you know, we have attorneys on it and defending, but I don't think the question is necessarily, why is Microsoft better than Google or vice versa. I think the question is how, what process did you go through to make sure I, did you ask for recommendations, right? What was your onboarding process of that specific vendor?
If you can't show it, and it was, Hey, I just met 'em at a trade show and we thought they sounded good, that might not be the best answer if we go to court. Whereas if you say, Hey, these are the recommendations I did, you know, this is the process we went through in onboarding the vendor, um, you know, that might be a defensible position in court.
You know, so I'm not here to say that, you know, some of these attorneys and what they allege or, or crazy, I mean, yes, some of the things that we see are kind of bizarre. And I look at it and I go, how would you expect them, you know, to possibly go through all this? They have to run a business as well. But you know, you've gotta be able to still show that I went through a process to determine why I picked vendor A over vendor B.
If you don't, uh, we see, I've seen it in like, uh, I've got our director of risk management came from the, from the pollution industry. I mean, that's a very common, uh, allegation in a lawsuit in that industry. So, you know, other industries, and I think you're starting to pick, you know, as we see a shift from these personal injury attorneys getting into the cyberspace, I think they're bringing in some of these tactics from the other industries into the MSP space. Yeah, certainly.
I think, you know, it's, it, I wanna hit on a nuanced point there, right? There's, there's kind of diligence from the technology and technology effectiveness perspective, like how well does this technology work relative to your needs? But really what you're saying is now there's also a questioning of why not only why did you choose that technology, why did you choose that vendor, right?
So for MSPs that maybe aren't really thinking about the, the vendor choice from a security risk reduction per, you know, protection perspective, what steps would you recommend that MSPs take in vetting those, those vendors and the steps that they should document, um, in case they do have to revisit this during litigation? Microsoft probably not, you know, Microsoft is Microsoft, but we have 10 other vendors that the insurance company never heard of. Datto could be one of them, right?
Yeah, yeah, Yeah. I mean, like, you know, there's every, every, every week in the IT channel there's 10 more startups with four people on staff, right?
So like, how do you know MSPs have traditionally been very open to to, to exploring and helping grow that, that company, which is why I think the innovation and, uh, is so alive and well still and, and the IT channel, but what do MSPs need to do in order to, to kind of avoid transfer some of that risk that's, that's coming their way because of these types of questions? Yeah, I I mean there there is, there is a formal vendor management program.
You know, that that, I mean, we ask it on our risk assessment as an MSP, do you go through that formal vendor management program? So there, there are templates out there, right, that you can follow. Uh, I'm not an attorney, right? So I don't have access to one. Um, but you know, just showing that you did your due diligence, you know, is a defendable position in court as opposed to, well, you know what, we, we just thought that they were the right person for our organization. Well, why?
You know? And you start getting into that game where you just have to provide some sort of paper trail, you know, if this particular, again, this is new, so I don't know what the outcome is yet, but if this particular MSP has paper trail of it, we're probably fine. You know, 'cause like you said, at the end of the day, you're not gonna be able to go in. I'm laughing at that.
Well, But you might, you can't go in and, you know, you're not, probably not, yeah, you're not gonna be able to audit Microsoft systems, you know what I mean? There's just certain things that you're not going to be able to do, you know. But again, you know, I would check with an attorney or check with someone that's earlier in the space and ask them, you know, about a, a formal vendor, uh, management program. 'cause they do exist. Yeah. Yeah.
I mean, you know, I'll share a couple of my experiences when I, you know, I came to Datto four years ago and built the security program. We had, you know, we were bringing in vendors left and right. And one of my questions was, well, what's the process of of vetting a vendor? There you go. Right? And, um, and, and they're like, oh, well, we make 'em fill out a packet and then we, you know, we put 'em in the system and then they're a vendor. And I'm like, cool.
So who talks to them about their technology, about their security? And they're like, well, you do. And so for a while it was just me. And so, you know, I, I didn't have time to send out a hundred question questionnaires. Every new vendor, I would just say, I need a half hour phone call with every vendor.
And I would just literally, I would learn what they were doing, how they were doing it course, and I would just pepper them with questions and take notes, and then the half hour is done, I'd move on to the next thing. At least had those notes from that phone call that showed, I did some diligence of that vendor. And, you know, luckily now we have a guy that all he does is do this and he's doing it way better than I did it to begin with. But like, you don't have to go super complex to start.
It can just be a documented half hour conversation that you can point to and say, I asked reasonable questions and tried to get reasonable answers. Um, and like that, that's at least that that sniffs, it smells like due care and due diligence, right? Um, which is really what they're after. So, um, I'm gonna, you know, no, I don't know if I wanna do that. Um, So yeah, talk to us about business interruption in a cyber policy.
So, you know, I think maybe these questions actually relate, so maybe I do wanna do this, right? Okay. One of the challenges cyber policies is rarely does the insured actually understand the situations under which the policy does and does not actually, uh, become effective or what it will and will not cover. Right? And so business interruption is different from the actual recovery of the event itself. And so there might be different policies or even different portions of a policy that kick in.
Talk to us a little bit about that and also what you recommend MSPs to do in order to understand the limits of, uh, of their policies in terms of what it will or will not actually cover. Yeah. Well, perfect timing. My light. I wasn't moving around enough so it's automated and it turned off, so I apologize about that. Give Us 10. Give us 10 burpees. Yeah, exactly. Well, if I could come back on right now. Um, so no, to answer your point, I mean that, that there, there's period of restoration.
So, you know, one policy might have a period of restoration of, you know, 30 days versus 180 days. And what that period of restoration is, is how long the insurance carrier will pay. Come on, Mike. Um, Wes, here we go. Nick, make a Note that we send him a ring light and then have him close his blinds.
Well, Luckily we're moving out May 1st, I can't get way 'cause this is, I'm the, I'm probably the only office building when it's hot outside, our heat kicks on and when it's cold outside, our air kicks on. So this is just par for the course. But, um, does that shut your lights off though? Because the electric bill, I don't, I don't know. I mean, we don't own the building, right? I mean 90,000 square feet. But, you know, this is one of the nine reasons why we're moving out May 1st.
But, uh, to get back to his question, um, you know, the, the, so the policies differ, right? I mean, you know, some carriers may take, you know, first of all, they're gonna have the period of restoration within so many days. You know, some carriers might offer coverage for things like service credits, other carriers might not. Um, you know, some carriers will pay for, hey, if a client leaves you as a result of the event, we'll cover up to so many days. It could be 30 days, it could be 60 days.
Um, you know, again, I'm not trying to dodge the question. There is coverage out there, but these are unregulated policies. They're not a standard cyber policy. You know, one of the big things that we point out to clients now is, you know, the definition of computer systems, okay? It used to be forever where, you know, a computer systems was, is defined as owned, operated, and controlled by the insured organization.
Well, what happens if I'm working from home on behalf of the organization and I'm using a personal device, does that trigger coverage? Depends how computer systems is defined. So you, you really gotta get into the intricacies of these policies and make sure that you're dealing with someone that truly understands what's in 'em. Because if not, obviously there's unintended consequences for, you know, not picking the right policy.
So I know, again, and, and we tell clients all the time, you know, you're, they're, they're, they're trained to look at price, right? But I don't really care if the coverage costs three or 400 more dollars because typically if you get into a ransomware event or a client is shut down for a period of time, uh, because you accidentally left a port open or, you know, the, the backup wasn't configured correctly.
You know, usually when I'm getting these calls, these are hundreds of thousands and millions of dollars of calls for 300 bucks, you don't care. So, you know, make sure the coverage is right. Forget the $300, whether I'm on the winning side of the $300 or the losing $300 side of the $300. You know, I would tell MSPs to prepare yourself for two tornadoes. The ransomware attack internally that pivots and hits the client, right?
And the other one is, you know, if, if a client is not doing certain things right and a third party vendor is affected, will your policy pick up the acts of Amazon, Datto, Azure? You pick the vendor. Those are the two things I'd really pay attention to in this environment. Hey, uh, and, and Justin, you know, you said last time, and I loved how you said it, the devil is in the detail. And you know, Gary, I is gonna pick up a little bit on this.
'cause we did these two polls last time, and I'm really, um, would ask, if you haven't answered these two polls, could you just take a moment folks and answer 'em, because it's really important and it's gonna set the stage for some really interesting things to come. Um, Ryan, do you wanna go again or do you want us go over to West? No, I was gonna say, I'm gonna hand it over to Wes to keep, keep pulling the thread on this.
Yeah, yeah, we, So I, I do want to continue to pull this thread just a little bit. So devil is in the details, right? Justin? Uh, yeah. So talk to us about maybe even some things that may be new and emerging. Like what are some of the big things that need to be looking for inside of the policy? Like, uh, what are some, whether they're gotchas, whether they're minimum requirements. I mean, not all insurance policies are the same.
And usually, you know, most of us are slapped with, you know, 10 to 50 pages for the policy and we don't know what we're reading, right? So what are the big things we need to be looking out for, Right?
I mean, I, I know one thing that we just did on our recent policy form was, you know, we added, uh, uh, coverage for cyber squad, you know, um, so, you know, I, you know, without getting into the, the nitty gritty details and all that sort of stuff, I think, you know, from a high level, if you were to ask me where do we see 99% of our claims, you know, they still come from a, you know, the ransomware attack.
So within that ransomware attack, you know, and when I say the ransomware attack, I mean against the MSP, um, and then pivoting and maybe hitting a couple other clients is, you know, once one of those Dominoes falls and I, and when the, I mean, one of the dominoes in terms of the cyber extortion, you know, you're gonna have to make sure that you have insuring agreements to cover the forensics. 'cause you gotta make sure PHI and PII wasn't compromised.
We're finding that a lot of times they don't care about the PHI or PII if ever. I mean, you know, the, the end game is this turns into a kidnap and ransom policy real quick. Um, but you've gotta make sure you got forensics. You know, make sure that you've got things like PR. You're gonna have to hire a PR team to come in and work with you on a, a message because clients are gonna be calling every hour for a day, two days, three days. We've seen it up to a week.
You know, because the, the people on the other end are really good at en encrypt, or sorry encrypting, but they're horrible at decrypting, you know, and with all the data, it just takes time.
So, you know, making sure that you've got a budget for PR expenses, you know, making sure that, like you said, you've got coverage for business interruption, making sure that you've got coverage for the cost to reproduce or, you know, recollect that data that was hit, you know, making sure that you got coverage for the breach, uh, consultation service that you're gonna have to use. You know, IE like a solace.
I know Chris has been on these calls, you know, um, you there, there, there are probably six or seven dominoes that fall. Um, I think I, something I would point outside of the ransomware is making sure that your policy covers client data loss. We've seen it policies recently, and I don't know how the MSP answered the question was, it had a failure to backup exclusion.
What that failure to backup exclusion when you read it read was if you are in charge of backing up the client's data and the backup doesn't work and the client sues you for the cost to recreate that data, don't come knock on our door and try to turn in that claim. So, you know, I think coverage centered around the ransomware attacks against the MSPs and then, you know, the, the client data loss still are the two most common things we see.
What we've seen in 2020 has been the year of, oh, you didn't tell me I need 2FA on Office 365, you didn't tell me I needed that. You know, we just had one in, in, in Pennsylvania three weeks ago where MFA wasn't on OWA and the client said, why do your other clients have MFA on OWA and my client doesn't? Uh, yes. And that, so that gets me into an off script question that I have for you. I'm just looking up earlier.
So Kevin in the chat was talking about a Dutch, he, he just said there was a Dutch MSP, they got sued and they lost even with the signed waiver by the client. And I asked Kevin, I said, me being somebody not familiar with like Dutch law, what was the causation there? Was it just negligence? What was it? And, and Kevin said, I'm just curious your comments on this and I realize you're not a, an attorney, right? Yeah. But comments on this.
So, so Kevin said, according to the judge, any vendor has to protect their clients against themselves. Builders don't build stuff that's not up to code. Electricians don't do, you know, similar stuff. So MSP should not be allowing insecure solutions even with a written waiver that says, we understand.
Do you think, like, have you seen, um, and obviously you're not party because you're, you're you're just on the insurance side, but have you, do you see that coming here to the states where, you know, right now we still have this prevalence of allowing an end user client to dictate what kind of security they do and don't have in court saying that's not good enough. As you, as the practitioner of the MSP have to set that minimum standard regardless of a signed waiver.
Do you see those winds coming here in the States? Yeah, I mean we've seen lawsuits like that, right? Well, the other side would argue what we call that contract is contrary to public policy. So in other words, if you say, and not so much the waiver I haven't seen, but if, if you're not gonna recommend solutions to my clients based on industry standards and you wanna limit your liability to nothing, we're asking you judge to throw this out.
You know, and we've seen lawsuits where, you know, it, it has happened, right? Where they will say, Hey, you can't limit your liability to nothing and do nothing for my client. It doesn't work that way. Now if you're, you know, going through the normal processes of recommending solutions and you know, sticking to standards, um, me personally, of our 1700 clients that we've seen in lawsuits, I've never seen anything like a document like that not hold up in court.
But again, I'm 1700 people, I'm not, you know, I don't have access to 500,000, you know, policies and things that we reviewed. But I would tell you that, you know, in terms of, you know, just even documentation when we go to, you know, court or if it ever gets to that point, you know, documentation is absolutely vital. And that's where we go back to, you know, setting, you know, the standard for the client and asking them to follow.
I'm not saying your clients, I don't live in Utopia, they're not gonna pay endless amounts of money for security solutions. At some point they're gonna say, enough's enough, I'm only willing to spend X. But that still doesn't absolve you of the liability of not recommending that they put those things in place. You know?
'cause at the end of the day, big picture, you know, they are the CIOs of these large corporations, whether it's American Express, whether it's AT&T, you know, you've gotta make it so that the CEO and board of directors are allowed to make decisions based on the information presented. If you don't, then I think that's what gets our, our, our MSPs into trouble.
And a lot of times we have to bail out and settle because if we go to court, we feel like the damage could be worse than if we just get out and we settle. Yeah, I got it. That makes sense. And Kelvin, sorry, maybe one day I can read I was mistyping, um, uh, Phyllis's name as well from CIS I'm, I'm very guilty of that. So Justin, great points there. And I wanna follow up just a little bit more on this. So, um, insurance companies are in it for the money, right?
You are a, insurance companies are for-profit companies. And I, I think we have to come to this conclusion like, I love playing Monopoly cheaters edition with my kids. 'cause I always win 'cause I'm the best cheater of us all. Uh, but, um, that get outta jail free card's pretty nice and cyber insurance should not be seen as a get out of jail free card. Like, if you interpret it that way, then I think we're gonna, we're we're, we're almost going to have this, well, they should cover it.
I should be fine. No big deal, right? It's almost like, and, and maybe I'm crazy to say this, but like, if I'm an MSP, I almost want to view it as adversarial, right? Like, let me think through just, just how I treat a bad guy. How is a bad guy gonna try to get around these controls? How is cyber insurance gonna try to get around something here? Like That's Wes I think it's your point.
I don't know if it's get around, but the thing you gotta pay attention to is you're dealing with billions of dollars of companies. So if they feel like you contributed in the loss by not doing something, the carrier might pay the MSP's client, but they're gonna do what we call subrogation. They're gonna subrogate and come back at the MSP and say, Hey, listen, we feel like you contributed to the loss, so therefore we just paid out a $200,000 claim. We think you're on the hook for 125.
Here's your lawsuit. Right? And, and they will subrogate against the MSPs. We, we've seen It. Yes. Okay. And that's exactly what I'm getting at. These are some important maybe just frameworks to think about and to even get your clients to think about some of this as well is, you know, Gary, a quick question for you.
Does that work in a sales conversation to say, do you really think Mr client, that your, your cyber insurance is gonna buy that, you know, you don't want x, Y, Z, this is a minimum standard. We provide this for everybody. Um, cyber insurance is never going to cover you, um, in a situation like this with this kind of decision making. Does that, does that hold weight, Gary? A hundred percent. A hundred percent. It does. I mean, it has to because that's where it is.
We, we have an expert on here right now who does this all day long, who's telling us in reality what's happening. We need to take these stories and we need to share 'em the same way. We need to take the stories of, you know, uh, exchange and Azure and SolarWinds. These are all things we need to do to paint a picture to both customers and prospects right now. Um, and we better do it soon, Wes. Yeah, agreed.
So, uh, there's a fight in chat over Kelvin and Kevin here and who's who, but, um, I'm just gonna say I think the L is silent in Kelvin. So you're both Kevins from now on. Uh, just, just saying, you know, silent Ls is very common, uh, in, in English, I think, you know. All right. So Justin, uh, I'm gonna come back to due diligence. This is something that's kind of near and dear to my heart.
And by the way, Andrew, um, I have a really good friend who is the CEO at VIN Minder, um, that primarily focuses on vendor due diligence inside financial services. And I bet she'd be willing to come on as a guest at some point. Um, but let's talk about this for a minute, right?
So thinking about due diligence, like talk to us, Justin, about some of the expectations that should be involved from MSPs working with their vendors like Perch, or if they are party to a contract, um, and they are now fourth party because their client has to say, has questions back to you as the MSP of things that are in place. Like vendor due diligence is an important thing.
And I can't just take an Excel spreadsheet like, you know, the, you know, like the big long, um, uh, SIG Lite for example, or the full SIG and just answer. Yeah, I do, I do, I do, I do all this stuff, right? Because obviously the absence of documentation, um, and we get into some kind of deposition and I show, I said I'm doing that, but I'm not. Uh, and now I, there's gonna be problems there.
Like, let's just talk to us in a, in a more encompassing light, how is vendor due diligence starting to change, whether it's the MSP vetting, uh, their vendors or the MSP being subject as fourth party for their clients? Can you talk more about this? Yeah, so the, the vendor due diligence, right? I mean, like I said, that's new to us. You know, we hadn't seen it until recently. Um, but you know, I know on our risk assessment we do ask about a formal vendor management program.
So, you know, I think it's a great idea to have your buddy on there because he could probably go through, you know, there's templates out there that are available. Um, you know, I had somebody talk to me when I brought that up the other day. They said, you know, man, you know, it, it's really hard for an MSP to do business in this space.
But he said, the other side of me wants to say that I think we had it easy for so long, you know, so now it's requiring some work, you know, and like I said, I mean, you know, even us do I enjoy sending out e and o applications and my staff and we got 113 point risk assessments and we added a ransomware supplement and we gotta review the MSA and I mean, can't I just renew the policy? I I we, you can't, right?
We have to go through that process and once you get it in your head and it becomes just kind of the cost of doing business or this is what I gotta do, then it just becomes, you know, operate in your normal business. You know? So, you know, again, I think every industry, there are certain things that you just don't wanna do, but you just have to do. And this could be one of those things, again, to me it's too early to tell, but this could be one of those things.
The formal vendor management program, you just have to do it, you know, and you didn't have to do it a year ago. Well, I just went to the dentist the other day and I didn't have to get my temperature taken and go through this COVID checklist to get my, what I did today or you know, last week. So things just change, you know? And so I think that the MSPs, we have to be well used to able to just walk onto a plane.
Yeah, I mean, we have to be willing to adapt and change because, you know, as good as, you know, I always say this, as good as our attorneys are at defending you when you start shutting people down or there's business email compromises in the two, 300,000 million dollars, you know, we had a couple months ago where two $1 million wire transfers and they're coming back at the MSP, you know, their attorneys are pretty good too.
So they're gonna pull out every card in the deck that they can to win that lawsuit for their client. 'cause that's what they're paid to do, you know? Yeah. Yeah. And I'm sorry, your other question about the the fourth party, were you saying, yeah, I mean, just how MSPs are you seeing changes in how MSPs are now having to navigate being fourth party?
So when a client comes to them and says, well, hey, you do X, Y, Z for me, I need to know how you handle this and that, um, the, these are like things that are becoming more and more systemic as, as regulations continue to mature across all industry verticals, you're seeing more attention to the MSP and there more fourth party requirements and due diligence in checking and processes in place for them, right? Yeah.
Well I think, you know, and I don't know if this is gonna answer your question, but, uh, to me, you know, I think sometimes when we see on these nasty lawsuits is sometimes the MSPs get into one stop shop or creative marketing or putting things on Facebooks, you know, that make them maybe look, represent that they are, you know, essentially they're trying to make it so that they're white labeling a particular type of service.
So I would think, and tell me if this answered your question to get outta that, why don't you just tell the client, Hey, I actually don't do your backup. It's Datto, here's Datto's terms and conditions. Okay, here's Azure's terms and conditions. We actually don't do that if there's a breach on their end, if I gotta live with these terms and conditions.
So do you, and I don't think there's enough transparency, and it sounds cute, but once you get into a lawsuit, I can tell you they're gonna point, we see it all the time to your Facebook, to your website and say, no, no, no, you told us that you did that private cloud. You told us that you did that backup. You told us that you did those things. And I don't understand why you just don't say, I actually don't do it. It's a third party.
And since Ryan's on the call, I use Datto, it's Datto, here's Datto's terms and conditions. They're actually the ones that host your data. So if they have a breach and I have to live with these terms and conditions, so do you, does that answer it? No. Yes, it answers it. I'm gonna share a link here in chat for those of you guys that wanna see it, um, around Microsoft's, um, shared responsibility model. Like the answer to that question is, it's complex.
And, and, uh, Andrew, I'll let you take it, but, um, it's very, very complex because I have my responsibilities at Perch. My MSP clients have their responsibilities. The clients do. Shoot, AWS that we host with, has their responsibilities inside of it. So do even, even the, the vendor integrations that we have in place have their responsibilities. And so it becomes very, very, very complex. And take a look at that link.
If you guys have never seen Microsoft's shared responsibility model, because that's what they're addressing. They're trying to make sure it's clear what are your requirements and mine. There's no confusion when something like this happens.
Andrew, And, and Wes, one thing I know Andrew wants to chime in, but one other thing you gotta pay attention to is a lot of times in these vendor agreements MSPs, there are also end user agreements, which means the ultimate end user of this product is agreeing to the hold harmless indemnification language that's in the contract. If you aren't sharing that with your client, and again, we go to, you know, God forbid we get pulled into something, Microsoft's gonna say, Hey, I'm a little lost here.
When you sign the contract MSP, you told us that you would share the hold harmless indemnification language. Now they've got you in a breach of contract system. So, you know, we always talk at tech rug, we're into full transparency, right? We want the client to survive the event and we want the MSP to survive the event because ultimately if the client can't survive the event, then our MSPs have no one to offer services to. And we can't offer insurance to any MSPs 'cause no clients are left.
Yeah, you've gotta be transparent with the, the days of, in my opinion, of white labeling and not being transparent with the client. If the tornado comes through town, I'm telling you on my side of the desk, it will catch up to you. Yeah, it's really good stuff. Hey, the reason I was chiming in is I really want Gary to have some, some, some time here and it's a great segue to talk about what's going Microsoft's shared responsibility. Gary, how many times have we talked, right?
You have a client? Oh yeah, well I'm in the cloud, I've got my dynamics in the cloud, I'm good. They're protecting everything. And maybe that'll lead into some of these, you know, polls. Gary, and what's different this time, last time So, Yeah, well, uh, unfortunately Andrew, not much is different this time. I mean, look, we asked this same question. How many months ago was it? Six? Yeah, six months ago. And we're getting the same answer.
So Justin, when I tell you that 88% of the people that are here, and believe me this puts them in the upper, they're on the cyber call. So they're heading in the right direction. And even under that 87% of them, do you know if every one of your clients has cyber insurance? And the answer is no. What do you think when you hear that? Be prepared for a lawsuit? Yeah, Because I, again, I shared with you in 2020, you know the cyber crime is up 600%. 92% of the malware was delivered by email. Okay?
So if your client doesn't have a cyber cherry tree to go pick off in their backyard, guess whose cherry tree they're gonna come pick on? So I'm just warning the MSPs, if you're not cautious, you're gonna be carrying liability for billions of dollars of vendors. And if the SolarWinds, Microsoft doesn't show this, I don't know what does. And then all of a sudden you got your clients, if they aren't willing to do certain security and carry a cyber policy, they're gonna come back after you.
I mean one week we had five business email compromises of our MSP's clients show up at our, on our doorstep because they were alleging to the, and they were all centered around lack of 2FA on email and they were pointing to the MSP and they were saying, why does the client down the street have 2FA on their email?
And we don't, in other words, to use an employee analogy, if you gave one person who had a child six months off and another person that had a child a week off, would you get sued? Of course you will. So why are you discriminating against your clients? Now again, I'm not in the argument of will the client pay for it or not? That's fine. But you know, you need to sit down with them on a detailed statement of work and say, you know, we call it the three layer cake.
You know, here's the standard we follow nist, iso coate, CMMC, you name it. Within that standard, here are the 40 things that we can do for you here. The third layer of the cake, or here are the five things you're doing. So we agree in 2021, you want me to look at these five things because don't come back to me on May 15th and tell me on March 2nd that we didn't sit down when you sign this document and you told me you want to look at these five things.
And, and again, that's the problem is I know the client isn't gonna comply with all 40 of those things, but you not making them aware that they can purchase those 40 things is a big problem. And again, not having that cyber Gary, if 10% have, there will be, if if cyber crime's up 600%, there will be people on this call in the next couple weeks where their client's gonna have an event and if they don't have a cyber policy, they're going to come back at the MSP.
And even if they do have a cyber policy, you still run the subrogation issue with the the, the insurer. Yeah. So listen, and a year ago people were at that point where they're saying like, Hey, we like the movie to two A, it's gonna cost us months and then your people are gonna have to, you know, and they, and the customers were still saying like, well I don't think I wanna spend it and my people don't like that.
They don't, it's inconvenient when they have to go to their, you know, that's not the conversation right now, Justin is what you're saying that you can have. Well, yeah, I mean, again, I At that point you are not articulating the risk that both of you share in this. And it's simple as well, what if I told you that this will happen and your insurance and my insurance isn't gonna pay out? What would you say? Do you still feel it's inconvenient? Yeah. Yeah. Right. Yeah.
I mean, like I said, people, Yeah, it's just, you know, at some point, right? And you know, a good way is making sure that your MSA just requires the client to carry cyber. Um, you know, again, I would highly recommend as their CIO that you're talking to them about the importance of cyber with everything going on. But you know, there are a lot of things like you said, I mean, ever since Covid, right?
I mean there are things that we have to do that are inconvenience or like you brought up the airport, you know, there, we didn't have to do that at a, at a point in our lives, but we do today. You know, and I know with our clients, we ask them on our risk assessment a series of questions, right? And so we educate our clients, you represented to the insurance carrier that you were doing A, B, and C with your clients.
If you aren't doing A, B and C there, that's technically grounds for material misrepresentation. I.e., you lie to the carrier to get a rate or achieve a policy you couldn't have otherwise achieved. Now again, have I ever seen the carrier pull the card on the three questions that I'm talking about? No, I haven't seen it. But you know, if you are going to tell, you know, I don't care if it's a bank getting a line of credit or it's an insurance policy.
If you're gonna tell them that you're gonna do certain things like provide security recommendations in writing to your clients and you're not doing it, then you've technically voided your end of the, the the bar or I'm sorry, your part of the relationship with the insurance carrier. 'cause at the end of the day, the insurance policy is an insurance contract. It's just creatively called an insurance policy, but it is still a contract.
So think about it, we were talking in, uh, a previous cyber call about, you know, how your competitors are now teaching your prospects of what questions they should be asking you. Now today we're talking about the insurance companies are gonna force your customers to ask you different questions. So the common theme is here there won't be any of us that can escape being able to answer some of these questions. That's just where it is.
And I think also what you've kind of said here today, like this is a big onion to peel back, but defensible is the word you keep using. You have to have some type of process around vendor selection. You have to have some sort of standards you're putting in place. You have to have some policy about what you will let your customers accept and what you won't let them accept. Right? In terms of recommendations where they are with standards and some of these key controls.
And Justin, I'm and you're dealing with it every day. We're already to that point where MSPs need to be there at least in the minimum of this defensible situation. Yeah, I mean, you said it perfect, you know, I mean, you know, I'm about ready to throw my computer out. If I get one more email, the client wants to sue me 'cause they didn't have 2FA on the Office 365.
It's just, we get 'em, we get 'em almost daily now to the point where it, it's just email, Hey, here's what happened to my client. What should we do? Well that's a client problem. Did they get with their cyber insurance? Oh they don't have cyber insurance now we're like, be careful how you communicate and answer with this client. You know, it just turns into this and it, it's just a, I'll go back to the statistic. Cyber crime was up 600% in in in 2020. It's not going to stop.
So if the client isn't willing to do certain security, like Gary says, or if they aren't willing to carry cyber insurance at some point, you might have to ask, is that client necessarily the best client? I mean, I could tell you at Tech rug, we don't take on every MSP that we get. We wanna make sure that there's six, seven, and 800 credit score MSPs. 'cause if they're not the discounted rates that I negotiate with our Lloyd syndicate, I don't get that anymore for our clients.
But they expect us to take our clients through a process. And if Justin, I have I'm SP and I stink it's sales, I can't afford to lose that client and my margins are too low and my price is too low. Do you know how I tell people now I can You afford to lose your business? Yeah, exactly. Can you afford to lose your business? Like you're almost don't have a choice now.
And you know, look Andrew, you know me, I ask people questions and I like to sometimes be, you know, a little more than direct to make a point, right? A little clunking. And so one of the things now I'll do is just talk about, someone will tell me, yeah, well we do this for security and that for security and this. And I'm like, are you offering, do you also do support for your clients? So you do a full fixed fee? Yeah. Can I ask you what your seat price is? Oh, it's 120. Yeah.
You're not secure. And they get offended. Which is the point, right? That we call that an inflection point in sales, right? Is to say, listen, you don't know you, you either are making no money or your customer's aren't secure or both. Like I, I can take you through the math in 30 seconds to tell you what the cost per seat is for all this stuff. And you're just, you're just not there. Do you know what I mean? And so this is the reality that we're in.
Justin, the last question I had for you is, um, we've been beating this drum around cyber resilience. So it's funny, you're almost saying the same thing from an insurance standpoint 'cause you're dealing with it, you know, right of boom. The same way when we had Chris Luron, which is one message is that all MSPs need to work backwards from what you're talking about, about what's gonna happen after there's an incident. Right? And they need to start to work backwards from that.
Well, and that's why I was getting into the risk management, risk transfers, you know, at the end of the day, you know, this been insurance policies a reactive policy. So once we get to that point, something catastrophic has happened, right? So like you said, let's take the two or three steps ahead of that to make sure that insurance, while it's here to protect you, that it, that funding mechanism is the absolute last resort. Right?
And so, you know, let's make sure that, you know, the clients are carrying cyber, let's make sure that we're making the clients aware of all the services they can offer. Let's make sure that we're sitting down with 'em saying, no, no, no, I actually don't host your data. It's Datto and here's their terms and conditions, right? Start going through these exercises.
'cause Right, I'm telling you, we've worked with clients for years and once you get to a point, it's just as it's normal business practices, it might be a little bit tough at the beginning, but, you know, change has changed. I mean, under that theory, we, I don't know else to be listening to eight tracks in our car. We don't anymore. You know? And so you just gotta change and you gotta be willing to adapt to change.
Because if you don't, I would tell you on my side, you know, 50% of the carriers that were in the MSP business that would return our phone calls for clients that were outside of our program. Something we just didn't like, but they wanted to work, work with tech rug. They don't return our phone calls anymore. And the ones in there, the rates are going up three, four, and five times. I mean, you're dealing with billions of dollars of insurance companies.
Well, they'll go, you know what, this just isn't profitable. We're gonna go sell more land people, bigger policies. I mean, they'll just pivot and go do other things. This isn't, they aren't completely all in on this type of business. And so they're either gonna make Justin the same thing that happened with flood insurance. Yeah. Right after we had eight, you know, a hundred year floods in 10 minutes. Right? It's the same thing. Like we're having, this is a hundred year flood.
We had 300 year floods in cyber in the past two months. And we just wanna make sure that we keep the affordability of, of, of the insurance there and the availability of insurance there. Because if we continue to operate the same way we've been operating, my fear is that the availability of insurance isn't going to be there. And you're gonna be left with four carriers sitting in a hotel room on a random Saturday in Chicago going, Hey, the new minimum premium's 10 grand, right? And off you go.
And now all of a sudden you got four people competing for your business and we just don't wanna get to that point, right? So, you know, we need help from the MSPs making sure that we're doing certain things so, so that we can continue to negotiate discounted rates, keep the coverage broad. We don't have to worry about subliming things, we gotta do that. So, uh, first off, Wes, I know you just, I saw you smirk, you, you like my a hundred year flood analogy, don't you? Yeah.
You're gonna make, you're gonna make it your own, aren't you? Yeah. And I saw Ray's comment, flood insurance is a bad word in Florida, and I'm thinking you can't have flood insurance when everything in Florida's a swamp. Yeah, absolutely. So Andrew, I'm gonna end on this 'cause we're over. Yeah.
Is that, um, and again, I don't wanna sound like a broken record, but I, the MSPs that we work with that are down the line on this, okay, the ones that are out there where their average seat price now is getting up above, you know, between two and $300 a seat, are selling the most new clients, they're having the most success because this conversation is so powerful and I'll end on this in the big scheme, I've told you a hundred times of our customer's business, whether they pay us 3000 or whether they pay us 4,000 is inconsequential as an expense in their business and it's more inconsequential to the risk.
And the only reason they wouldn't pay 25 or 30 or 50% more is 'cause we haven't translated the risk to them in the right way. It's our fault. It's not theirs. This is not just the right thing to do. This is good business for MSPs that understand it. Really well said, Gary. Boom. Hey, so Justin, really thank you so much as always to bring your passion, knowledge, um, sharing. I really, really appreciate it for on behalf of the folks here, um, uh, our, our co-hosts.
So thank you so much and, and again, uh, our audience again, thank you for, um, for being with us week after week. Um, again, Justin is your guy if you need to know about cyber. Um, I can't stress it enough. I can't tell you how many MSPs have told me you're the guy. So with that, everybody, Justin, thanks a million. Great seeing you. No, I appreciate it. And hey listen, I wanna give, 'cause you know, these vendors are on this call, right?
So don't just, I mean we have a lot of great success with Gary's group. You know, Datto saved us a couple times on backups, you know, where they've been able to pull and we didn't have to get into a claim. Perch has done an excellent job. So I think, you know, just these three gentlemen, pay attention to them because within their industry, our industry, they do some really great things and they actually make my job a lot easier too. So, Very cool.
Thank you for saying that everybody have a fantastic week. We'll look forward to seeing you next Monday. Take care.