Cyber Insurance Changes Coming to MSPs
In this video, Brian and Peter from Lockton discuss the evolving landscape of cyber insurance for Managed Service Providers (MSPs). As cyber threats become more prevalent, MSPs must navigate the complexities of insurance coverage, focusing on essential security controls like multi-factor authentication (MFA) and endpoint detection to avoid high premiums and onerous exclusions. The conversation emphasizes the importance of understanding insurance policies thoroughly and preparing for potential incidents with well-defined response plans, highlighting the need for MSPs to educate their clients about cyber insurance requirements and foster strategic partnerships.
- The importance of cyber insurance for MSPs is increasing due to the rise in cyber attacks and the changing landscape of insurers' requirements.
- MSPs need to ensure their clients have adequate cybersecurity measures in place and should actively engage in conversations about cyber insurance to mitigate risks.
- Cyber insurance policies now require more detailed information on security controls, and the lack of basic security controls may lead to being uninsurable or having high premiums with onerous exclusions.
Video Transcript
All right. Welcome everybody to week 59, and it looks like we got the band back together. Gary, welcome back. Hope you had a great thank You. Good to see you. Um, okay. Hey, real quick, everybody, I put a poll up. I'd really appreciate if you could answer. I put some notes up in the chat if you un wanna know who, if you don't know who John Strand is.
But we're trying to get a gauge of, uh, John Strand developing a course and, and kind of putting some, uh, content together, specifically on core cyber fundamentals for MSPs. Love it. If you could answer that in the call to action. Um, is the cyber cast on control three for data protection? There's a part one and part two, if you haven't listened to that yet. It's really easy to consume 20 minutes a piece. We're going back into studio, um, in this upcoming week for control four.
Um, I think that's all I have on announcements. I'll have one more poll up shortly as we get this going around. Uh, cyber insurance specifically for your MSP. Um, so kind of just to set the stage. Hey, Andrew, before you jump in, is it all right if I make one public service announcement? Sure. Okay. Because I don't want the time to go by and I want to share with everybody listening what I've been sharing with my True Methods members, and this is our peer week starting tomorrow.
I'll be sharing with them, um, if you are an MSP and after all the things that have happened in the press leading up to the Kaseya incident, if you are not using this as a way to educate your team and to get in front of every customer and have that shared risk relationship, um, to making sure that this is a chance for you to explain in, in really vivid detail where this landscape is. And I'm saying, great time to raise prices. You have missed an opportunity, right? This is a luck event.
It, you could say it's good luck or bad luck event, but I think everybody has a chance. Don't like miss this opportunity. That's the, the thread here, uh, that I wanna make sure I share with everybody. Okay. And maybe Gary, you can roll that in a little bit too on when, when we get to you on how you'd position stuff, if, if you would, that'd be awesome. Yeah, AB absolutely. And, uh, and tied into what we're doing around cyber insurance for our peer groups next quarter. Okay. Fantastic. Okay.
Alright. Um, anyone else wanna interrupt me before I just kidding, Gary, It's awesome. Dustin said he's too busy fixing printers to worry about training or other things. Awesome, Dustin. Love it. Uh, too funny. Okay, let's set the stage here. Um, so Ryan had a conversation with Ryan and it was, you know, post July 4th incident. And, you know, I, I think it's, it's safe to, if you know Ryan at all, he's, um, I'm, this is my term.
I see Ryan as just kind of obsessed with learning all the time about si anything cyber. And so he reached out to Lockton, who is the world's largest, um, independent insurance broker and said, Hey, I got a question for you guys. What's gonna change or are things changing if you're an MSP? Uh, and you know, we went from SolarWinds to now another supply chain, uh, attack. And he had a very in-depth conversation with Brian and Peter. And, um, is Peter still with us, by the way? I don't see him.
We lost you for a minute. Alright. Alright, I'll bring a minute, um, as soon as I turn this over to Ryan. And basically, um, there was a lot discussed, and you're gonna be in for, uh, a real, I don't wanna say treat, but really an eye-opening kind of, um, some information today. Everything from understanding there is mass consolidation going on in this industry.
Carriers are leaving, uh, that, uh, premiums are escalating quickly that the days of answer a few questions and you're gonna get a cyber policy are over. Um, and in essence, the pendulum has swung from five years ago where you could, you know, ask a 250 million sub $250 million company, a few questions, and here's your cyber policy to completely the opposite end of the spectrum. Um, and that's really what we're gonna be talking about today. So with that, um, I'm gonna turn it over to Ryan.
I'm gonna find Peter and get him back up here. Uh, I know, I think the first question we was to Peter Ryan, so bear with me, but I'll let you take, take, take, uh, take things off of right now and let me, let me go get Peter for us. Yeah, thanks. So, yeah, I, I called up Brian. Uh, I had a couple concerns coming off the Kaseya incident. One was this anecdote that I was hearing that MSPs were being required to remove RMM in order to be issued new cyber policies.
And I was like, Brian, is this a trend that you're seeing? And he is like, no, it's not a trend, if anything that might be, you know, an overzealous carrier, an underwriter in a specific area, but we don't, we don't see that being anything. I was like, okay, phew, that, that makes me happy. And I was like, oh, tell me what's going on out there. And, and I was thinking about it more from like, you know, we're coming up on a renewal and I'm, you know, as part of my quant risk management of Datto.
And, but as we were talking, he started to make some really, I would say, bright line claims about MSP coverage. And I was like, okay, I still wanna understand all the things I need to understand to help Datto, but like, would you be willing to talk to MSPs about what? And he said yes. So, um, basically I want Brian to repeat some of his talk track here today, but I'm gonna tee him up with some real kind of broad kind of softball questions.
But the first one for you, Brian, is, you know, we talked about, Andrew, talked about where we were three years ago. Anybody could get an insurance policy answer by questions. Right? Here we are now. Um, and we might need to calibrate a little bit of where we are now, but my question is, where are we gonna be in three more years? Um, will it be possible for MSPs to get affordable coverage that is free of an onerous exclusion?
You may want to define what an onerous exclusion is, um, if they don't start following a security maturity framework. Yeah, I mean, that's a great question, Ryan. I mean, certainly when it comes down to the overall, uh, security and privacy cadence, there's a lot that goes into it. I mean, an application is gonna give you a set of questions that require details of how your security and privacy policies are, what you're using for mitigation tools.
And let's face it, there was SolarWinds, there was Microsoft Exchange vulnerabilities. The Kaseya ransomware attack brought a real sharp focus, uh, that changed the landscape for managed service providers. So we're seeing a lot more targeted, um, and alarming sort of frequencies in claims. And each carrier has their own sort of underwriting guidelines to assess what is adequate in their for, um, overall mitigation tools and what is absolutely necessary.
So let's just, I, I guess take a step back and dive into what is, um, what are the things that underwriters are looking for, starting with the information and asset inventory. So what information is collected, created, stored, used, retained, destroyed, um, along with the information lifecycle? So how is the information collected? How is it stored, used, disclosed, retained? Uh, consider the vendor management program. So how often are you assessing, uh, the third parties that you work with?
Couple that with the regulatory mapping, uh, that is like how, or what regulatory requirements and how you're protecting the data privacy policies as a whole. So is this being updated? Are you, uh, testing this? Are you, um, maintaining adequate escalation procedures within that? And the two last things I should mention, training and awareness. Obviously within this covid environment, there is a lot of issues with employees working from home.
And just simply clicking on that link, can't tell you how many claims have been as a result of that. And because of that, uh, the frequent education of your employees is highly important to avoid claims, uh, that are simply just clicking on that link. And, uh, lastly, security of data. So the appropriate control is in place. Underwriters will not really entertain, uh, uh, um, entity or risk if certain things are not in place.
So as a baseline, multifactor authentication can't stress this enough. This has been a sticking point for insurers to consider coverage, uh, endpoint detection and response systems. Another one, this is, if you don't have two of those in place, we can expect to receive automatic declinations based on those controls alone.
Data logging and monitoring is, is certainly a part of it, but those are baseline controls that if you don't have in place, you know, three years from now you're not looking, uh, to be covered. Or it'll be really, really expensive in restrictive language, including the policies. Hey Ryan, just real quick, my bad, but I'm glad Peter's here back with us. Can we just do a quick intro of both now? I got sidetracked when we lost Peter. My bad. But, uh, few quick, quick, quick intros.
Brian, let's start with you. Sure. So Brian fund, I help lead the west in all things related to the E&O. So obviously inclusive of network security and privacy and been in the industry for over 17 years. Awesome. Thanks, uh, for joining us. I really appreciate it. And Lockton's a small company, I hear. Yeah, yeah. We're the world's largest private brokerage. Um, over 8,000 associates, over a hundred offices all over the world.
Extreme, uh, focus on, uh, client service and, uh, that with a flat organization has a brief overview. So it's define for me what an onerous exclusion is. Can we just Yes, can We just, uh, well, let's, let's get into Peter's, uh, introduction and go from there. Yeah. Oh, sorry. I thought we just did that. Sorry. Yeah, sorry for dropping off. So I'm Peter ic, um, oh, I've got a big feedback. Is anyone else getting Alright, well go ahead, Try now. How's that?
I'm Peter with the Globals favor and, and technology team in London. Um, I've been with the company about five years, but my background's on insurance. So I was a CCO at eu, which is the largest communication company in the UK for about nine years. And, uh, same at at Visa and Visa Europe. So build security for both those companies. Thanks for joining both of us. Thanks for joining Ryan on with the show. Yeah. Again, onerous exclusions is, we're gonna use that word a little bit. Um, yes.
And it was, uh, honestly somewhat new to me, but you talked about MFA being baseline, EDR being baseline in terms of a requirement to get a, to get a renewal. Um, if you don't have those baseline things, there's two outcomes, right? You're uninsurable or you are insurable with a high premium and onerous exclusions. Define for me what an onerous exclusion is.
So one of the most onerous exclusions, uh, that I've seen as of late, uh, for an MSP or is, uh, excluding all losses attributable to transmission of any malicious code to any entity not owned. So that means, uh, whether it be tech E&O security and privacy related, even media, if, if there's something that's transmitted from your systems to another company that is not owned, no coverage. Okay.
So just to reiterate, if you don't have a security framework in place that includes baseline security controls, you can get a policy, you'll probably pay a lot for it and it might not cover you and your customers in the event of a ransomware attack. Yes. Okay. And for Those Not listening at home, that would be bad. Yeah, that would be really bad. Right. So just to clarify, Ryan ba basically, hey, here's your policy, Brian, just sorry to interrupt, here's your policy. You got coverage.
Oh, all of a sudden we find out that your RMM delivered malware encrypted a third party, right? Your client Tough. We're not covering any of it. Yeah. And the difference is when you go through a renewal, uh, you'll know what you have. So obviously in reference to this particular exclusion, you would know well ahead of time that this exclusion is going to be slapped onto your policy.
And that's, um, obviously in advance of any sort of discussion with your broker, uh, to truly understand the ramifications of your business. Now, certainly if, uh, you wanna have the coverage, ransomware is a big part of that, it would wouldn't be advantageous to, um, just say, okay, I'm gonna accept that language. But that's the direction that most insurers are taking without baseline sort of, uh, mitigating factors in place. Got it. Got it.
Ryan, can I throw in a quick question just to clarify also, 'cause they're coming in from the chat, which I think is really good, Mathias from Hawaii, I think it's the same Mathias, um, Mattias. So as when you were sharing about, uh, MFA, EDR, let's just say that's I'm working with you, I'm an MSP Brian. Is that me, my MSP? Or do I have to make sure to get that coverage all my customers? Or, you know, maybe if you could just clarify that. Yeah, ideally it would be all the way around, right?
Uh, because that's a relatively simple thing to implement depending on the sophistication of your operations. But, um, certainly as I mentioned before, how often are you assessing your risks with your vendors? Uh, so that could be a big piece of it. But as a company looking for insurance, you should absolutely have those things in place if you want to have, uh, terms and conditions that aren't the word of the day onerous. It makes sense.
'cause you're, you know, the, the, the carriers like, you know, brokers like you, carriers are wising up saying, Hey, look, don't, don't you control the stack? Don't you manage all the EDR or AV if the customer, yes. Okay, well then step two, Yeah, I guess, but, but like someone brought up over here, like, um, you know, some co-managed customers that maybe are the largest customers we have and we don't control all those things. Andrew, this gets complicated real fast.
Yeah, very true, very true. But in those co-managed customers, again, are, are if they're using our tools anyway, so fair, fair. Um, anyway, Ryan, back to you. Yes. So you, you answered basically like you went, you went right into the question, which was what are the more common, uh, onerous exclusions that you're seeing in MSPs that are deficient, um, and, and how those affect MSPs that respond to ransomware.
So, um, that leads to another question that I, that I always have, which I, I think is frankly a deficiency. A lot of people go through the process of like, Hey, I'm gonna get insurance. And like, there's a process. Usually it's legal and finance and security and, you know, you're, you're moving when you get a policy, but people don't always understand what their policy actually covers.
So what's the best way, in your opinion, for an MSP to understand what their coverage will and will not cover before they suffer a ransomware incident? Sure. So I can break it down into, um, several insuring agreements without going into incredible detail to, you know, dilute this call. Uh, you know, first and foremost when it comes down to insurance coverage, an MSP should have some form of technology errors and omissions coverage.
Uh, E&O in conjunction with the cyber related insuring agreements is something we typically see. You wouldn't wanna have two separate policies with two separate insurers to have the finger pointing going on in the event of a claim. So what that means is, uh, for tech E&O is any error or omission in the failure of your technology products or the rendering or failure of your technology services.
So that's basically the crux of getting the policy triggered for, uh, security and privacy related insuring agreements, you're looking at, um, obviously privacy liability. So claims, expenses, damages emanating from a violation of a law or regulation arising out of a breach.
Uh, with that, the heart of the policy or what you'd call the event management or breach response costs, that's gonna be like the reimbursement for fees paid for forensics, uh, the PR firm, uh, legal costs, it reimburses for notification costs, um, voluntary notification, credit monitoring, call center services. You obviously have the regulatory piece in it. Uh, that's any sort of regulatory inquiry, uh, investigation proceeding a fine.
Uh, and then we get into the areas that everyone's more familiar with, the extortion of that, that's a bigger deal nowadays. And that's any funds or property paid in response to an event, the business interruption that somewhat goes hand in hand with any sort of ransomware event, which is, uh, reimbursing your lost income and extra expense associated with, uh, restoring your operations, following an outage. You have that, uh, on the dependent side.
And, um, more coverages I guess talked about today, is there a security failure? So malware, uh, virus, denial of service attack, and then, uh, your system failure coverage. And that's gonna be an outage, uh, due to administrative error typically. Um, incorrect patching's probably the, or best way to describe that one. There's a lot of other nuances, but that's just a general high level overview of what, uh, some of these policies will cover. Okay. So over to Peter.
If I'm an MSP and I lack what I'm calling fundamental security controls, right? Like the stuff in Implementation Group 1 of the CIS version 8 controls. So lack of MFA, lack of logging and monitoring. Are those people approaching uninsurability? It's a great question. And, and you know, without having a crystal ball, you'd say yes, it's getting, it's getting like that.
I mean, it, you moved from, when I came in into the insurance brokering business five years ago, you could get a quote with four questions, right? So what's your, you know, what's your name, what's the company name, what industry you're in, what's your revenue and maybe how many customer records you've got? And that's, you know, it was that simple. Now you're getting into, you know, a lot of detail around, um, I wanna know if you're using IDP, I wanna know if you're using MFA, what MFA are you using?
Endpoint detection? Tell me the, tell me the vendors that you're using about it. Getting very picky about the detail.
And if you think about the pendulum from risk, it's gone from the insurer's gone from, I don't really care too much about the risk because I'm not having the losses and cost of capital's cheap to, I really care about the risk now because, you know, I'm getting, getting a lot of losses, so I'm getting right into the weeds about quite strong technical controls, and I wanna know that detail. And that's gonna be gonna be two things.
One, is this gonna impact your, the premium you're gonna offer or the coverage. Or two is, am I gonna offer any coverage at all because I can be picky about it. So, you know, you'll get to a point. And some insurers completely strip out industries. Now I'm not interested in manufacturing anymore because I've seen too many losses or the controls in there.
So you definitely get the point if you're not doing the basics right, it's not outside the realms of possibility that you're not gonna be able to get covered for sure going forward. Sounds like what happened with practice. It's, I mean, it's, it's, it's a good analogy, right? Um, a lack of basic security is becoming malpractice in the MSP space, for sure. Um, so let's take a look at that same question from a different lens.
If I'm an SMB, I'm under a master services agreement with an MSP, I have a cyber policy currently that I, as the SMB hold, could my MSP be held liable for a lack of a key control in my environment? So let's say I have a policy, but the MSP has not fully implemented MFA, what's, what's the risk to an MSP in that scenario? So normally I, I'll ask the first, Brian, then maybe you take that. The way that the policies tend to work is it's, it's, it's the insured's data.
So if I then decide to put that in another environment, the coverage is still, it still covers, but the insurer still wanna ask the question. So if I've outsourced IT to manage service provider, um, as an insurer, I'm gonna be asking this question. So as a client, I'm gonna have a set of minimum requirements that I need to get insurance. And if you are not providing that service, then I'm gonna need to go elsewhere, right? Yeah.
I think it Level service, I think it was like car insurance, right? If, if I'm in traffic, and also when we stop short and the guy behind me rear ends me and pushes me into the car in front of me, right? The proximate cause is the initial guy that hit me. I'm not the proximate cause of the person that hit the person in front of me.
So, as the SMB, if I lack MFA, is the MSP liable, like, is my cyber insurance gonna go after their cyber insurance because they were the proximate cause of the breach? Yeah, I mean, there's always potential for subrogation In any event like that. Um, certainly it comes down to also the indemnity within the agreement that you have with them. Um, most cases it does boil down to a business decision to understand if that lack of controls is something that you want to ultimately live with.
And certainly in, in this environment, uh, the ramifications are high, uh, as we talked about with those lacking control. So, uh, that has to be heavily considered in any sort of business decision knowing, uh, the vulnerabilities at stake. Okay. Wes, over to you. Hey, thanks Ryan. It's a good series of questions. So first, some commentary before we get started. Um, you know, we've been saying on the cyber call for quite some time now, game is changing.
Um, we've always complained in the MSP space, there's no barrier to entry. Uh, that barrier is present now and coming all the stronger. Think about if you were listening to this cyber call for the first time and you decide tomorrow you're gonna open the doors to be an MSP, um, you're already hearing the challenge of client acquisition and understanding what controls must be in place has changed significantly. The bar has been raised.
I cannot just simply go out, call my neighbor and say, Hey, I'm doing it now. You guys want to, you want managed services and expect it to move forward without risk. This, the game is changing. And so I think it's good for us to understand that it should be a little bit scary if you feel like you're currently lost in the winds a little bit here, and, uh, you're like, what's happening?
Um, I think when the dust settles here and we all understand how this thing is gonna work, um, and it's a moving target for sure. Um, these things are, um, I think a net positive for us. It's sometimes we just have to be pushed, including our clients kicking and screaming into doing things that we've not done in the past.
And so, um, I'm not saying I welcome our new insurance overlord, so to speak, uh, but I am saying that, uh, I understand why this has been coming and it's probably going to end up being a net benefit in the long run. So let me start. Um, I think Brian, with you first, you mentioned subrogation. Can we make sure, can you kind of describe what the subrogation, what it is and the process for it? And then once you do that, I've got another follow up question on subrogation. Sure.
I mean, when it comes down to any event, and you know, this doesn't have to be in the context of just E&O or cyber insurance certainly could take place in other insurance as well, but, uh, if you are involved with a breach or incident, first and foremost, what you have to do is figure out, okay, what happened? That's gonna be the forensic cost to figure out, okay, what, uh, actually affected our systems? How are systems affected?
Uh, and do the remedial efforts or, or investigation to do those efforts. Once you figure out what happened, if you figure out if it's someone else that caused that the insurance company could subrogate to that other entity, um, no different from how basically car insurance would apply, but, um, a little deeper when it comes down to these policies because of the, the nature of attacks in general. Wes, can I jump there two seconds?
Just because of something Chris Laer has said over and over and over, and that is being able to, you know, even have logs to do this, Brian, lots of MSPs are not doing logging, therefore there aren't forensics. And, and on top of it, um, you know, again, uh, you know, they're traditionally the, our industry is the, you know, wanting to come in and, you know, fix, fix the problem. So traditionally it's, well, let's wipe it, clean it, get it back up and running.
Can you just talk for a moment, Wes, sorry to scon this, but I think it's a really important point here about, again, logging and, and what happens now, if that's the mentality or that's the culture of the MSP, that that's what we do. We don't log or we clean it up as quick as possible. What does it, does that then just go out the window and, you know, so I hope it makes, well, certainly, uh, each individual, uh, operation is unique. The practices aren't a one size fits all.
There's frameworks that help obviously missed, uh, we talked about that. But when it comes down to just the policies and going back to the insurance is a big component of these, uh, policies, is just a breach event. Cost forensics cannot be cheap. Business interruption could shut you down. Uh, those are a crux of the, the policies to where, uh, you know, we talked about one area, just ransomware, but you think of the others in any event.
I mean, you could be out of business, so, uh, you can easily spend, if it's a, a bad attack, you know, million plus on forensics depending on your operations. So that's where that's onerous Yes. Worth the day. So, So, so Peter, do you wanna chime in maybe though the, because I saw you shaking in your head the criticality for MSPs these days, then logging for that particular issue, you know, starting where Wes's question is.
Yeah, and you know, it probably goes back to your previous question about minimum standards insurers are looking for and, and, and they are getting to that detail, right? If you're not, it's not asking, you know, do you log or your, do you just log your security advance? Is somebody looking at those security events?
So not only from a forensics point of view, if you have an issue, we can find out what's going on and try and contain that, uh, contain the attack and, and not have to guess do forensics on the whole infrastructure, but it's also about prevention. So who's actually looking at it in real time or near real time or using AI or whatever that might be to detect the security incident. And that's all about logging. You know, the amount of times I speak to clients say, yeah, no, I log all my firewalls.
It's great. Have you ever looked at it? Well, no. So, you know, it's, it's, it's, it's not only just the logging bag, it's, it's actually doing something about it. Yeah. Fair enough. Wes, back to you. But I, I love Gary when he gets to, I, I think the days of an MSP not having an MDR for themselves, the bare minimum are, are over, but of Wes, please continue. Yeah, no, it's good. Um, yeah, so back to subrogation then. So now we kind of described it.
Um, talk to me a little bit more like, Ryan had hinted at this in his series of questions, but I want to get into this a little bit more. If I'm an MSP, what areas clauses, sections gaps, what do I need to know in my service agreement with my cyber insurance coverage when it comes to subrogation? Because if I'm in MSP, I'm a little scared here that here I am trying to negotiate, um, service with a client.
They may want this, they may not want that they, you know, they may have things that they do that are going to be, you know, they're the ones that clicked on the phishing email, not me. Like, when I think subrogation, all of this, this man breaches are just a difficult thing to assess and where the fault lies and how subrogation works. Can you give us some words of wisdom here with all of this? Yeah, as a, a non-law, that's space just broke.
I mean, there, there's, um, two areas obviously that, uh, fall into play here. It's the insurance clauses themselves and what you're asking these, uh, entities to provide, and then the indemnification language. So you have to have strong indemnification language, uh, to back what you're asking for in insurance. But those are the two areas, uh, from uh, an insurance perspective that, uh, would definitely apply. Okay. Okay. Got it.
So anyway, yeah, the, these are, that was the number one question I wanted to ask is that series of questions, because I, I think it's something I'm, I'm, I think a lot of us are gonna, um, we're gonna encounter, we need to have these conversations with our providers. So I wanna jump to a question, um, actually that Kelvin asked, and he, he was talking about, you can see this in the q and a, it's the second question that's on there.
And his question was with his, uh, Hiscox, I can never say them. Um, they, they have now started excluding specific tools as being adequate. And I asked him, can you gimme some examples of like, where and why? And he said, well, maybe some antivirus providers, he is not gonna name names that have proven to be, um, not as, uh, their efficacy is not quite where it needs to be.
Are you seeing this and are you seeing eventually like a, almost like a do not do business with this list of vendors or these kinds of technologies, or do you see these exclusions taking place? Do you want me to take a stab at that one first, Brian? Yeah, So not, the answer is not yet, but it's a really interesting question because the insurers are asking, who are your vendors and who do you use? And we kind of go, well, I like these guys, right?
I might be a CrowdStrike, or it might be whoever the flavor, and I like them, but they're not coming out and saying, you have to use them. And they're not coming out and saying, if you use X, Y, Z, we are not happy. It's, it's a real gray area, and it's kind of like, you know, it, it's like the old one that you, you know, never got fired for buying IBM. It's, it's that sort of, if you're in that Gartner Magic Quadrant, you're probably okay.
If you've done the other end, you know, there is an op, there is a, even if it's not come out and said, you know, actually this AV vendor isn't kind of best of breed, it might be subtly done in the premium. When the underwriter's looking at it going, well, actually it, you know, I don't like this one as much, so I might increase the premium a little bit more.
But it's very, I've not seen anything come out very clear, but just by the nature of asking those questions, and you know, you'll see an underwriter that says, do you use, you know, do you use, uh, for example, this one, there is a, even if it's not a, um, conscious bias, unconscious bias there, I think for some of these, these vendors, that's how I've seen it anyway. Yeah. Okay.
Yeah, I'm used to working with federal regulators and they're very similar in those emotions, right? Like when they come in and they do their examination process, they're not going to tell you what they think you should buy or not buy, because antitrust becomes a huge concern, and yet you're just like, I wish you would tell me, I know you have something in your mind, just tell me. But they won't do it. Yeah, exactly the same.
And there are two ways of looking at this. Pre-breach, if you're trying to add a certain vendor to your, I guess, breach response team; and then there's the aggregation of data in the submission process, that is an understanding of what dependent businesses you use. So with that, there's no sort of "you can't work with" a dependent business. It's just an aggregation of data for the insurers.
They understand, okay, should something happen, how is it going to affect our book of business? The pre-work to use a certain vendor for, let's just say, forensics, if it's not on their particular panel, that's when the negotiation has to start to add them to, I guess, their list, so you're not penalized for using them in the event of a breach.
And that's highly important, because in claim scenarios, if you are using a vendor that's not on the list and you're incurring costs and submitting them to the insurer, they could deny it. So you want to make sure that you're appropriately addressing who you work with in the event of these breach scenarios.
And I feel like that's got to be even more important in this day and age, when insurance companies aren't always as familiar with cybersecurity providers in the channel that typically work with MSPs only; they may not be as well known, right? Yeah, absolutely. So something for us all to think about, for sure. Okay, good. Let's see, another question over to Peter. Changes are here, right? We've been talking about this, right?
How do insurance carriers make these changes? Do they get together in, like, the secret Council of Elrond of insurance and have the meeting of the minds? Or is it a bunch of ad hoc stuff? How are these changes developing? Yeah, interesting question. Most of it is driven from losses. And this is where you see the difference across the insurers, right? It's not all the same.
So you get maybe one of the insurers that have done a lot of the really big heavy industry, someone like AIG, will have a set of questions that drive more on where they've seen losses. And so one of the things they throw out would be service accounts. So, how many service accounts do you have, because they've seen losses in service accounts, without actually maybe asking the question about the risk behind service accounts and where you're mitigating it.
So it's driven by where they've seen the losses. And broadly, that's where the question sets are. Most of the insurers that we see, and it's changing now, don't have people from the industry and are not in cyber, right? They've come from other lines. So they're not experts in cybersecurity. So they've got two points. One is they could ask a cybersecurity professional, tell me what you would be looking for.
But the other one, which would really drive it, is the losses. So what was the cause of the loss, and then that becomes the primary question set that's asked. Got it. My last question, because I want to make sure we leave time for both Gary and a bunch of questions that have come into the Q&A.
Use this opportunity, Brian, to talk to us about a couple of notable scenarios that you can think of, whether it's a story or an incident or something where you're like, man, that's a lesson learned for all of us, where the cyber insurance claim wasn't covered, and the lessons learned of why. Can you just give us one or two examples? Yeah, I mean, first is the example I just gave. Well, late reporting, number one. Oh my gosh, I can't stress this enough.
Any time you have a breach, incident, what have you, and you think, ah, we have it contained, it's not going to be that big of a deal. You don't inform the broker, therefore you don't inform the insurer, or you don't go directly to the insurer. And then over the course of the next several months, you realize, oh, crap, this is a lot bigger than what we initially thought.
And then you're hit with just a lot of expenses, which could likely be denied by your insurer. So that's number one. You're not going to get penalized for informing your insurer of an incident, so just do it.
And the second one is, when you think about just this coverage in general, as I mentioned, if you have a preferred partner or a firm that you use for, I'm picking on forensics, but let's just say public relations or something like that in the event response phase, make sure that is known to your broker to negotiate into your policy, because that also has been a pretty big denial of coverage, because they're not on the panel, and it's a silly reason to get a denial.
Okay. Good. Two really good examples. Thank you. Dr. Pika. Yeah, thank you. First off, this is really good information. We've been tracking this little poll we've been doing on and off over the past year about how many MSPs know if every one of their customers has cyber security or not. And you would not want to see the answers to it.
And so the urgency now; in fact, in our peer group this coming quarter, we're doing a deep dive where they're going to have to go out as a project and ask those kinds of questions. Just to clarify for Brian: cyber insurance, Brian, we asked if you have cyber insurance across your customer base. Oh, okay. Yeah. About 80. Have you had that conversation with every customer, in other words? Yeah, and give or take, 85%; we've done it multiple times.
85% of MSPs do not know if their clients do or don't, across the board. Yeah. Oh, wow. So, Brian, the first question I had is, even with the rising cyber attacks up until now, other than a couple of one-offs where people got dropped, in terms of how much coverage they need, how much they pay, it hasn't been changing dramatically. Now that we're starting to see consolidation, right,
in carriers, are you expecting, one, do people have to re-look at what their coverage is on some of these things on their policy, based on all the things you've talked about and the expenses, and two, along with fewer carriers, how will that impact, you don't have a crystal ball, but how do you see that impacting cybersecurity rates?
Yeah, I mean, as we discussed before, the submission process, which is inclusive of the application, particularly for first-party coverages like extortion, business interruption, data restoration, that was just thrown in for 10 to 15% additional premium with really nothing to it. Nowadays, you have various supplementals, so that means discuss your potential vulnerabilities with SolarWinds, discuss your Microsoft Exchange vulnerabilities, if you suffered anything.
How did you remediate that? The ransomware supplemental, which dives down into your actual controls in place. And what do you use to help train employees? And how often do you test your business continuity and disaster recovery plan? All those things are yes/no questions, but keep in mind, in a lot of instances, it's neither yes nor no, it's maybe in progress, right?
And it has to be described in an addendum, to where an underwriter can say, okay, this makes sense, I can see where you're going. But consider how insurance is basically provided at this point in time. So as an example, if you're like, MFA is six months from now, EDR next year, we're creating our business continuity plan in three months, underwriters say, oh, good for you. We're not providing terms.
So that's one area where I can see, if you don't have these controls in place, you're likely not going to have insurance down the road. Now, if you're even working towards those things and you can escalate it to the point where you can potentially get it done within 90 days, that's a little bit better.
But with the, I guess, overall appetite of insurers and syndicates throughout London and other world markets, you're not seeing a lot of insurers that are willing to provide primary terms. So that means either the first 10 million, 5 million, and along those lines; insurers typically provide 10 million to start. Now we're seeing such a reduction in appetite to where 5 million is the new 10 million, in some cases 2.5 million, because of their willingness to get down to what they perceive as the burn layer. So we're seeing a decrease in overall limits, an increase when it comes down to retentions; waiting periods, typically we were like eight to 12 hours, now we're seeing 18 to 48. We're seeing more sublimits and things that we traditionally didn't see them in, such as security failure, dependent system failure, bricking, and, quickly,
that's basically rendering your laptop, as an example, into a brick following an event. You saw some of that with full limits. Now we're seeing a million at the lowest. So there are quite sweeping changes. And one of the biggest changes that we've seen more frequently from these insurers is the introduction of co-insurance. And what that means is a certain percentage, and some insurers start at a baseline of 15% or 50%.
So on top of the retention that you pay, say your extortion demand is a million, well, you're paying 50% of that. And, oh, by the way, that also affects your business interruption. There again, you're paying 50% of it. So it becomes a lot more of a renewed focus to put controls in place to eliminate things like co-insurance; otherwise it's just unavoidable. Yeah. It's almost like it's becoming like health insurance, right?
So the carriers only have a few levers, right? They have rate, they have coverage, they have exclusions, on a broad scale, and they have to figure out which of those levers they're going to pull. And then the MSPs and their customers are left trying to navigate that. My fear is that they haven't asked enough questions to really even understand their exposure prior to an event.
I mean, I don't know, one thing I always tell the MSP, at least for them, is they should be calling their insurance company and walking through, okay, let's assume I just had a breach. Can you walk me through exactly what would happen in this policy? And can you tell me those things that would create an issue where this wouldn't pay? And what would be my total personal, my business, exposure in this?
And I don't think that's a question too many people are asking, but if they don't know as much as you do about insurance, they're going to have to figure out a way to get these answers, right? Yeah. And certainly, when it comes down to scenarios, gosh, there are just so many different things that can trigger the policy in multiple ways.
But let's just dumb it down to the submission process in order to get insurance as a baseline. When it comes down to these ransomware supplements, if you don't answer, let's just say, 25 to 27 questions as a yes, then underwriters might have issues and not provide the insurance to you at all.
And in most cases I've seen, particularly in an acquisition where, say, a company's acquiring a security firm and they don't have MFA in place, they don't test their business plan, they don't train their employees, they have no sort of endpoint detection. It's like, you're a security firm and you don't have any of those things. So what's going to happen is, any criminal is going to seek the path of least resistance, right?
Those that have the most vulnerabilities to exploit. And underwriters are quite savvy to it. I was talking to one insurer the other day. They said they've experienced 400 ransomware claims in the last 18 months. So considering the overall payment, which used to be nuisance payments, you're talking about three digits, occasionally six; now it's limit losses more consistently.
And that's why Peter was mentioning you're seeing more exclusions as a result of that, of poor controls. The last question I had was, and I had wanted to share one kind of perspective: what set of facts during a ransomware investigation might lead an MSP's coverage not to take effect?
Like, what are some of the top things where there's an event and there's an issue where the insurance company would question it? You mentioned one, which is timing, but are there a couple of other big ones, obvious ones, that even if you have insurance could trigger an issue where it would be that exemption? It's hard to say, because first and foremost, as I mentioned, you have to do the forensics to figure it out.
That piece of it, if it falls onto another vendor that you use, obviously you have a contract in place with them. So there are some ways to go back to that particular vendor. But aside from just late notice and using a firm that isn't on the panel, I don't think there's another sort of gotcha, you know? Right.
Andrew, I'm sitting here as I'm looking at this, and I'm just doing some math in my head. Just to have some type of the basic blocking and tackling, being proactive with your customers, before we get to the tools, right, just to manage the controls. Yeah. Maybe one person can do that for 15 or 20 clients, depending upon your average client size.
That alone is going to be $10 to $12 a seat; that is adding $30 to $40 to your seat price right there. We haven't added a tool yet. Now we're adding another $15 to $20 in terms of per-seat cost for tools. I think we're heading to a point where, to stay insured and keep our customers insured, we're probably going to have to be at least $200 per seat. And that's double what a lot of people are at. That's a long way to move.
Like, we have to all work together to get this messaging down for MSPs to their customers to put these things in place, because, as you said, Wes, it's not going to be a luxury. Like, these are potentially whether you or your customers get or don't get insurance. Gary. Oh, just something to clarify: you said before we get to tools, cost of sale is 12. I'm paraphrasing what you're saying. Just to have a proactive role.
I'm saying a proactive role is going to cost you probably 10 to 12 bucks a seat for someone who is purely proactive. Got it. And that's what you need in order to do and maintain the 98% that we heard on our last cyber call, the basics that are impacting 98% of those 400 breaches. Yeah. Brian, I'd love to ask you this. I'm an MSP, I don't know whether my client has cyber insurance or not.
Let's pretend an event happens, right? Let's keep it somewhat ambiguous, and I'm just going to ask you to walk through a few potential scenarios, right? A customer gets hit because of an RMM, and it's not even our fault, it's a vulnerability in the RMM; we find out that the RMM accidentally delivered the malware.
Now we find out the client, a 40-employee law firm, didn't have cyber insurance, but the MSP does. If you could maybe just walk us through potential scenarios there. You're the insurer, Lockton, of the MSP; what do you foresee potentially happening? So let's just start with that one, because again, these are questions that aren't being asked.
And then maybe, Gary, you could just kind of role-play it out, how you would educate and how you're educating your peers on what this opportunity looks like and how to have that conversation. But starting with you, Brian. Yeah, I mean, certainly as a broker we're in the middle between the insurance company and the client.
So in that sort of scenario, it would just be a notification, whether directly to the insurer or through us, to where we can work with the insurer and the insured to go through the situation. Go ahead. Sorry. Yeah, I was just going to say, pretend you're not the broker, like you're the carrier right now.
What do you foresee, again, not holding you to it, but in a situation like this where the MSP isn't asking the right questions about their coverage, et cetera? Yeah, well, in any sort of claim scenario, you're going to have to work with the insurer. So you'd notify them of the event, the details, at least what you have there.
There'll be a discussion, usually with attorneys, that comes down to what are the next steps we're going to take, whether that's we're going to conduct forensics right away, we're going to set up a call center, we're going to maybe have a PR announcement about what happened. All these things take place after becoming aware of the incident and how it could potentially develop. So no decision is made in a vacuum.
The insurer's not going to say, hey, we have this claim, we're going to run with it, and we're just going to send you the bill to pay. It's very much a collaborative process, to where there's an understanding and a collaboration on next steps to mitigate any sort of breach scenario. Got it.
Hey, so appreciate that, Brian. Gary, in the remaining time, could you maybe just role-play it with Wes, if you will, like Wes being... Well, I mean, let me just real quick get the logic. Yeah, yeah. I'm saying, I'm in front of every customer right now and I'm walking through with every customer: How much do you know about your cyber insurance? What are your policies covering? Can I tell you, we're going to ask you to sign something.
Here's the minimum coverage for us to be able to be your vendor, because we don't want to have it come back on us. And then, what are those things that are in that coverage? I mean, think about it. You have a customer, let's say they have cyber insurance, and you don't know; that means they haven't asked you any questions about it, right? It almost seems preposterous from that standpoint.
And so, again, this is an opportunity not only to protect your business, but to change the relationship with the customer. Because once we do that, whether they pay us 2,000 or 3,000 or 4,000 a month, in the big scope of their business, isn't that big of a deal, right? It isn't. We become like a strategic partner. But this is that opportunity right now, Andrew, to have it.
And this insurance is great: if you haven't had those kinds of conversations with customers, this is a good starting conversation. Then we can move on to the other things that are going to be on that list that they need to do. Now, people say to me, well, they're not taking my recommendations. Yeah, that's your fault, man. Because if they understood what their risk is the way we do, they would take every one of your recommendations. Yeah.
I would think this is a great time again, especially if you're an MSP that has your list well structured in your CRM and has some marketing, and even if you don't, what a great time to maybe get your broker on a webinar, even. Hey, so talk to us, what are the minimum requirements that you're going to be asking customers for? Let them even say, hey, you're going to need MFA everywhere. You're going to need EDR, you're going to need logging.
What are your... By the way, Andrew, I'm having the same conversation with every prospect to drive a wedge. Because if their vendor hasn't had the conversation, I'm telling you, and by the way, I'm training other people to go to your clients, just so you know, to people on this call. And when they get there, they're going to ask these questions. So I'm saying you should ask them first. Brian, or let me ask Peter, because, Peter, hopefully we can hear you, Peter.
Talk to us about, we talk about post-boom on the cyber call quite a bit, post, we've had a breach, there's now been an incident. How important is it now, and/or going to be, to have incident response plans, tabletops, some type of resilience that you can demonstrate to the broker? Yeah. Or strip back and even forget the broker. Just think about how important it is to your business, right?
The companies that survive these sorts of incidents are the ones that have thought about it beforehand; the ones that really struggle are at 2:00 AM on a Sunday morning going, oh, we've got an incident, right? So what should we do? Time is not your friend when you have an incident, right? It's your enemy, and you want to try and get as much of that back as you can. And the way that you get that back is that you have your incident response plans.
You know who you're going to call at 2:00 AM on a Sunday morning, because trust me, they always happen at 2:00 AM. It's never, like, 10:00 AM on Tuesday, where you're all sitting around ready for coffee with the whole team in place, right? So it's the more that you think about what business decisions, because it's a business issue at that stage, right, what business decisions you need to take to get your company back on an even keel. Think about those in a nice comfy environment.
Make sure that you've got them planned, you've got the things in place, and then you'll recover much quicker from these incidents, and there's a good chance for your company to still be around after that. And if you don't believe me, just have a look at some of the big companies that had issues and look what happened to their share price. The share market is a classic example of showing the ones that did it well and the ones that didn't.
So for me, it's great you've got technical controls in place, et cetera, but the biggest one, and the one that often gets missed, maybe not in MSPs but in other industries, is, oh, this is just an IT issue, right? It's a business-critical issue, and you have this and you've got a plan, you've got to test it and got to make sure that you know what you do when you have that. Yeah, that's at 2:00 AM on Sunday.
Wes has already had, like, half a bottle of bourbon, so hopefully you have your plan, Wes, because I don't think your thinking will be up to that right then, going for the third bottle by then. So, well, Peter, you made, I know, Ryan's week, smile, because that's a big part of his mantra, just beating it about resilience and having those things in place. And Wes as well. We've done tons of stuff on tabletops and IR.
Maybe just in closing, if I could get everybody to give a yes or no: would you like maybe the upcoming cyber call for us to really focus on positioning this conversation, now that we've gone around, we've done everything from third-party risk, having insurers come on, brokers come on, et cetera? Just a quick Y or N if you guys want us to really set the stage on how these conversations should go, the business positioning, prospect, customer.
I know you guys can do better than that, or they're very delayed. Here they start to come. Okay. So, Ryan, you want to kind of start to close us out here in the last minute? Any thoughts from you? And thanks again for coordinating this with Peter and Brian. Yeah, no worries. So again, I think everyone on this call has an advantage over the rest of the industry.
Many of you have already started walking down the path of a resilience framework, building controls in, which means you're likely already going to be in a situation where, when your renewals come up, or when you're seeking your first policy, you won't be in a position where you'll have an onerous exclusion or your premiums are going to double or triple. Now, that said, it's important to understand the market is not soft anymore.
The number of providers is consolidating, and it is more difficult to get higher levels of coverage in general, which means in a way you're going to need to self-insure. And the best way to do that is to get your house in order, right? That's what we're hearing today. Insurance is a safety net. And that safety net, whether or not you know it, is decaying and needs maintenance. And the best thing to do is to not need that safety net.
And so, it doesn't mean don't go get cyber insurance, but understand the actual safety it's providing you and how that safety changes over time. And the best time to do that is at your renewal. So hopefully, if you're not up for your renewal soon, you'll dig this out of the archives and you'll watch it before your next renewal, and you'll have 50, 60 questions you need to ask your broker to help you get the best possible policy.
So, really appreciate the Lockton folks making time for us. They didn't have to do this, right? They're not selling insurance policies right now. They're educating, and that's really important. And we appreciate them for doing that. Yeah, that's great. Okay, so, Brian, Peter, thank you so much. I really, really appreciate you guys coming on and being selfless with your time. I know you didn't have to do this.
So, Brian, any closing thoughts from you? Yeah, I completely echo what Ryan is saying. Start early, and if anything, get those applications and supplementals early, identify those areas that would be a pain point to insurers. Your brokers can help you through that. And make sure that if you can mitigate anything prior to the inception date of that policy, that's going to go a very long way in coverage. Awesome. All right, everybody. Gary, you're on mute. You're on mute.
Gary. Maybe he doesn't know he's on mute. Okay. I was going to say, I just want to give kudos to Wes and Ryan. They have been pushing all of these key things that came up today that you need to do over this past year. You and I have been trying to help them do that, right, and get that messaging out. But it kind of really validates the work that we've been doing, that they've led. Yeah, absolutely. Great. Thank you, guys.
All right, Brian, thanks a million. Everybody, have a fantastic week. Gary, you and I'll be working on positioning in next week's cyber call. Take care, everybody. Bye.