Right of Boom
January 30, 2025

Using Changes in Cyber Insurance to Get Your Clients to Say “Yes” & Drive More Security MRR

In this video, industry experts discuss the evolving landscape of cybersecurity and its impact on MSPs and SMBs, specifically focusing on cyber insurance and the need for a resilient security posture. The conversation highlights the importance of understanding and adapting to new insurance requirements, while emphasizing the role of education and strategic planning in mitigating risks. Through role-play scenarios and expert insights, viewers gain actionable strategies to enhance their security frameworks and ensure business continuity amid increasing cyber threats.

- The importance of being proactive with clients regarding cybersecurity and insurance is emphasized, especially with the evolving landscape of cyber insurance requirements.
- MSPs should position themselves as knowledgeable advisors, guiding clients through cybersecurity challenges and insurance requirements, rather than just vendors of services.
- MSPs need to build internal security maturity and treat themselves as 'Client Zero' to effectively serve and advise their clients.

Guests

Andrew Morgan

Video Transcript

Welcome everybody. It is week 60. Gosh, it is flying here at the cyber call. Lots going on. And, um, really excited about today. We have a special guest, two special guests with us. Um, and I'll get into that momentarily. Just a few things real quick. I put a poll up. We've got two total polls. Um, really appreciate it if you guys could actually, uh, answer them. They're not too long. It's typically a yes no. Um, also call to action. Uh, John Strand will be back to talk about core SOC skills.

He's already provided a discount code, uh, for guys like Jason Slagel who just chimed in there, uh, and anybody else that really wants to get foundational. That's, uh, he's gonna give like, basically his huge discount off the cyber range. Um, his core SOC skills class at the end of the month, he's gonna be talking about it, but it's real foundational stuff to help you and your team, uh, really have the best foundations.

He said it's the literally his most, his favorite course to start for core fundamentals. So more on that to come. Um, went back in studio and we're gonna have the, uh, control four from the cyber cast out. This one's really, really good. Um, uh, I see Ryan shaking his head. Ryan, any quick thoughts on it and why you're shaking your head. I, I really like this one.

Yeah, I think it, it felt really good because we've done enough that it's starting to build and we're putting the puzzle pieces together and it's starting, like things are starting to click. And so I'm excited for the people that are following along. I think it's really action oriented and it's really helping to contextualize why frameworks order the things the way they do. Yeah.

And this one on secure configuration, I'm excited 'cause we're gonna be talking about how to, you know, use some of the free stuff from CIS on hardened images and how do you use your leverage, your RMM tool to actually do it. So with that, um, I'll put up that next poll question shortly. So let just set the stage. Last week we had Lockton on largest independent insurance broker, uh, in the world on talking about the sweeping changes of cyber.

This week we wanted to bring on Justin Remo, uh, who does a ton of cyber for SMB and a ton of MSPs, thousands. Um, Gary posed a question, or rhetorically said, look, you need to be in front of every single one of your prospects and customers now, uh, with these sweeping changes in cyber insurance. And I really wanted to poke into that. So we're gonna do a sales call, role play at the end with Dustin Bond, who's gonna come on, um, and do that with Gary. But in setting the stage.

So Lockton says, Hey, look, uh, a lot's going on. Uh, there's, um, obviously, uh, limits that are being imposed on the amount of coverage. Uh, Justin's gonna talk about that briefly when he introduces himself. There's consolidation. Uh, there are controls that are becoming, you know, what we would consider your customers will probably consider onerous, uh, in nature. Um, you know, so we'll talk more about that.

Um, and you know, as, as Peter, the CISO, uh, that came on from Lockton said, you know, gone are the days of four or five questions in getting a two $3 million cyber policy. Justin's been seeing this for a long time, but now, uh, Gary has a special project going on in his peer groups. He'll talk about it. And I saw a, uh, a renewal, uh, form a, a renewal questionnaire. I mean, there was privileged access management, Wes as a control. There was, there was, it was five pages, Andrew.

So it was one of my members forwarded it to me. Yeah. Yeah. And it was five pages. Uh, it's not what we've seen before. Yeah, I've seen six and seven actually too. And Jason Slagel, his go to 11. Um, if you like Spinal Tap. So Justin, um, for those of, uh, our audience that doesn't know you, uh, thanks for coming on again. Um, you are just a huge wealth of information and knowledge, so I'm excited to have you with us.

Quick intro about yourself and maybe you could tell us a little bit, uh, something you said to me yesterday about something you've never seen in all the years of doing this. Yeah, no, I appreciate it. Andrew's gotta be back and see everybody, uh, Wes, Gary and Ryan. So, um, yeah, no, um, you know, a little bit about tech Road. You know, we work on, um, obviously cyber insurance, but risk management, risk transfer techniques with our 1800, uh, MSPs across the United States.

Um, you know, kind of what you and I talked a little bit about, um, you know, that yeah, for the first time after, uh, this Kaseya event, you know, we have three program carriers for our client base. Um, and they had come back and said, Hey, you know, until we kind of get our arms around not only the Kaseya event, but the things that's going on in cyber, uh, Tera cannot issue any more policies above $2 million. Our underwriting team were capped in terms of the limit we can offer.

Um, there's still going about, without getting too much detail, you could still buy higher limits. It just would be third party coverage, meaning if a client sues you versus first party coverage. Meaning if the MSP wants to take advantage of the cyber policy, um, 'cause again, a lot of these MSPs, you know, have to understand that, you know, most of us, when we buy insurance, we have to buy two policies.

We have to buy medical malpractice, and then we gotta make another phone call, buy cyber liability insurance. Or an architect or engineer has to buy A&E professional liability and then buy cyber liability. Me as an insurance agent, I gotta buy insurance agent E&O and cyber liability. They, they get two in one, right? So it's good and it's bad.

It's good in that, you know, people probably don't wanna hear this, but the pricing that you're still paying compared to a $5 million, uh, you know, architecture engineer or law firm or, uh, doctor's office, they're still gonna way, pay way more than you are in terms of traditional E&O and cyber, you know, but they do have two separate policies, which allows 2 million limits for E&O and then 2 million limits for cyber, right?

If they buy a 2 million with you guys, you have to share it, right? So the policy can go quicker, you know? Um, so that would be one thing that I would caution. It's just pay attention. It's one big bucket. If you have a $2 million policy and you use 1.7 of that $2 million for forensics and bricking coverage, computer hardware replacement, and business interruption, and you know, the ransomware payment and you only got $300,000 left, uh, you know, then that would be third party coverage for client lawsuits. Got it. So, I know you're gonna be quarterbacking today. Justin, chime in when necessary. Um, I've got a few questions here for Gary, then I'm gonna have Gary talk to Wes and Ryan.

So, Gary, Glenn, back to what you said last week, um, this is really something that, uh, I think is probably the most, one of the most bullish things, and I was talking to Justin about this too, that MSPs have been a, a part of. You said you need to be in front of every single client prospect right now. Take us back to that comment. Give us your thoughts and, and, you know, maybe extrapolate a little on that.

Yeah, so one thing I'll tell you, you know, we had our peer meetings last week, almost 200, you know, MSPs, uh, MRR year over year, uh, up 25%. And one of the reasons why, right? So they're lapping the field right now.

And one of the reasons why is, again, for the past year and, and, and preparing like they're prepared now for this, the conversations that we're gonna talk about today, which is in my 25 years of owning, operating and mentoring MSPs, we've never had a wedge that a is a third party wedge like cybersecurity. Like we haven't had many, like, not in that way. And then the other side is, you know, you have the, um, all the press and the awareness around cybersecurity.

So every, when I say every customer, um, look what we've been saying, I feel the, the problem with MSPs are battling with right now isn't a just a cybersecurity issue. It is a business model issue. They don't have the revenue per seat to be able to do the 95% the, the process. And so they have to solve that. The only way to solve it is to change the relationship with those customers.

So, uh, the Kaseya event, the Microsoft event, the SolarWinds event, uh, and now cyber insurance, how quickly it's changing. And not everybody, some people said, Hey, we got, the renewal didn't look much different. Yeah, it's gonna take a little time, but it's a hundred percent of insurance companies will figure this out. Like one, it's already happening one way or the other. Same thing with prospects.

And we're gonna, you know, do a little role play, but you can be asking questions that they need to be, uh, be able to answer. And if they can't, that means their current provider hasn't had that conversation with them. So I see it equally on both sides, better relationship with current customers, using it as a wedge with prospects.

And, and I wanna make sure everybody understands, understand this price is no longer an issue with SMBs to their MSPs unless you don't understand the business right now, not an issue. Yeah. And I'm sure people are gonna sit there and go, oh, easy for you to say, Gary, and well, let's come back to that. I, I do wanna address that. Um, but you mentioned questions. Can, can you walk us through what some of those questions might look like for an existing customer?

How you'd set the stage and then with a prospect? Yeah, so on both cases, I'll tell you this, it has a lot to do with where your cybersecurity posture is. Like this is not a sales technique. Uh, um, this is a wedge that's an actual legitimate, this is something, a reality that's going on. And you as customer zero at the MSP have to have gone through and understand how much you need to do to do things right for yourself.

So I'm gonna start by saying that once you do that, Andrew, the questions become easier. When you ask a customer, you start to ask them about, Hey, you know, what does your policy look like, you know, for cyber insurance, when is it up for renewal? Have you had any initial discussions about that? Has, you know, what's been the conversation with your current provider in terms of, um, the changes, uh, that we see, you know, happening there?

You know, there usually there is no conversations, right? Same thing with all the things we've been preaching on this call. When we talk about tabletops, we talk about, you know, IR plans. These are all questions, really easy questions you can ask. And real quickly, in the first I'll say three minutes, you'll figure out whether that prospect, um, has their arms, you know, around this. If they don't, um, you know, it's an opportunity for you. Yeah.

That comes back to, um, the first thing you said, which again, we've said this again, is you being client zero or client, sorry, client zero client, client number one. Uh, you, you know, if, I think what you're saying, Gary, is that if you don't have command internally, it's kind of hard to go out and fake what you're those conversations. Yeah, Absolutely. Jason's saying, Hey, you need to be telling everybody to watch your videos to learn how to sell at 500 bucks a seat. You know what?

It's not that. What it is, is you need to know how to build the right value. Your seat price is only, I'm not telling people to raise prices. I'm telling them to raise value, Andrew, and the price will come along as you do that. Got it. Does that make sense? Yeah, absolutely. Yeah. The new Jedi mind tricks here. This is fundamental business. Yeah.

Um, you know, is, are there some specific things like, um, you know, if it was a prospect as an example, like, hey, walk th walk me through how your current MSP's building your incident response plan with you, how you're testing it, what are there, you know, some, you know, just nuggets that you might, you know, use as those kind of differentiators to separate yourself. Yeah.

So your differentiators should be based on where your program is, you know, number one, the things that you think you need to be doing, hopefully are doing for yourself and every customer. And as you start to un as you start to unpack that with prospects, the feedback I get from people, it becomes painfully obvious when they start not to answer questions. The key thing to it is you don't just want to keep railing. Once you get to that point, you wanna start teaching.

In other words, soon as we find out, like, well, what do you mean we haven't had a conversation about the, the incident response? Okay. So what do you think would happen, uh, if you had an incident? Like, what would be the first thing you would do? Who's responsible to communicate on your side? Like, I dunno, It starts to unravel and I don't want hit 'em over the head with it.

What I want to do is say, listen, can we take a step back and I can I tell you what we've seen go on in some of the incidents that have happened? Can I tell you how differently we work with our customers today than we did a year ago? Yeah. Does that make sense? Yeah. Do you think that makes sense? And then usually it's a real natural progression after that. Yeah.

So you want to flip, you want to create as much a little bit of fud for them to understand there's a gap, and then we want to switch, you know, instead of hammering them and going into sales mode, we want to go into teaching mode with that. That's how we're gonna build that relationship. Yeah.

It's very, uh, I, I use the term Challenger Sale, but it is very educational based, like that, you know, something and you can educate them on a topic that they dunno about and challenge them a little bit, push a little bit, but don't make them, you know, painfully uncomfortable. What objections, Gary, aside from Jason saying 500 a seat. No kidding. What what objections, you know, object. Fine. Um, and, and, and how might you handle, So let's start, let's first start with, um, customers.

The primary objection is, listen, we thought you were already doing that. That's always number one. Hey, we, we assume you're already doing that. And, and two, oh yeah, we have cyber insurance. Like, you know, general, you know, kind of a general, you know, statement on it or Yeah, that's, you know, I understand that there's some more risk, but you know, you guys gotta get this stuff done. For me, it's always usually pushing back on a price objection.

That's the main thing that comes from customers with prospects. It's this dismissiveness that, um, yeah, my team or my, my vendor handles it. That's the number one thing. Like, oh yeah, yeah, we got it. That's why you have to have command both with customers and prospects about what those conversations are, how things aren't the same as they were.

Um, why their vendor isn't keeping up or with your customers, why you have changed, why you have new roles, process tools that you didn't have six months or a year ago to address this. And again, leading into that concept with customers, and you'll hear this at the end when we do a little role play, you have to lead it in and you gotta keep beating this drum that this is not an MSP issue. This is an industry issue. And their risks, their costs, they're having to deal with cyber insurance.

Those things have already changed, right? We're just more educated on it, you know, than than other vendors. Yeah. Ju Justin said something to me last night also that I thought was really interesting. He is like, you know, we almost as MSPs have to trick ourselves a little. And Justin, I'd like you to elaborate this, that we need to feel like we're licensed like a doc. You know, we have a license like a doctor or an, you know, attorney as a bar.

You know, Justin, you, you, you could lose your license. Like, can you just kind of put that in perspective? 'cause I think it's an important part of the conversation here, um, about, you know, why it may not, I guess, will still resonate as, as effectively as it should. Yeah, no, I mean, you know, I think that, you know, there's a lot of us, you know, that are, that are licensed that if we don't do certain things, we lose our livelihood, right?

So if a doctor, God forbid, gets a patient that has some sort of, you know, medical illness and they don't follow a standard that's laid out by the AMA, they're in trouble. You know, a lawyer, if they don't go and follow the bar, they're in trouble. If I don't do things and I say, Hey, the department of insurance, I know that's what you want me to do, but I'm only gonna do three of the five things they say, that's great, but you can't write policies here anymore. Anymore, right?

So are you saying we're like doctors that are leaving a bunch of patients on the table Right now? Not at all. I'm just, I'm just saying like for example, you know, if your MSP organization offers 40 service offerings that are available to your client, why are you not sitting down with the client and telling them, here are all 40 things we recommend that you do ASAP. Right?

Because I think too many times, you know, MSPs and I've, we see it on the claims when we get into it, you know, they're, they're letting still, they, their clients be the, the patient and the doctor, right? And, and in this relationship, you gotta pick one or the other. You know, you either got to, I think in my mind, you gotta be the doctor and say, Hey, listen, this is the way we're gonna do it, and if you don't like the way I'm gonna perform the knee surgery, go see another doctor.

You know, because I always ask clients, is bucking the system worth losing your business? You know, is one client really worth it if it is take on the business, right? Because we don't get calls when these are tens of thousands of dollars of claims. These are hundreds of thousands of dollars and millions of dollars in claims. If you only have a $1 million policy and you're gonna allow a client run around with a firewall built into their router, right?

And they don't wanna do EDR and active threat hunting and they don't wanna do a SOM solution, they don't wanna do those things at the end of the day, that's fine. But if they're gonna be a 200 credit score client, maybe they aren't the right client for you. If they're a 500 credit score client and it's well documented. If they wanna eventually be a seven or 800 credit score client, you work with them.

And if it's the 800 credit score client, you know, you return their call on Christmas Eve, you know? But I think that, you know, you have to, at least in my side of the desk, if we get into a situation where we get into a lawsuit or we go to court, the attorneys on the other side are really good at saying, okay, where did you come up with these recommendations? Did you make my client aware?

'cause how would you expect the CIO or CEO of the organization to make a determination on security when the CIO didn't tell? Yeah. So you're, you're basically saying, you know, we should have this understanding that whether it's NIST CSF, whether it's CIS, that's our license to do business. These are the guidelines we have to follow. If I, if I'm understanding you correctly. Yep, yep.

Is, is, you know, hey, the client, you know, this is the problem you have as your CIO outsourced IT provider, MSP, whatever you sell, call yourself with your client. Here are the standards we follow NIST, you know, CMMC, ISO, COBIT, you pick it within that standard. You know, here are the 40 things that we recommend you do. You're doing five, that's cool, you wanna do five. But don't come back and tell me on October 1st that on August 2nd, I didn't tell you about the other 35 things.

'cause I clearly did. You know, at the end of the day, if each MSP has 50 clients right? And you've got a $2 million policy and something were to happen, how do you expect to get to first base if you don't have the right contracts in place and risk management and risk transfer techniques. Right? $2 million just won't last. Right? Yeah. Very, very cool. Um, I got some other things I'd like to bring up later if we have time. I really do.

Once we get Dustin on, he hit some Dustin Bond for the role, well, sales call role play. They are doing some fantastic work around the conversation around cyber insurance and cyber resilience, Ryan. So I'll tell you that. But Gary, let me let it turn it over to you, uh, and interact a little bit with, um, with Ryan and Wes. And then again, Dustin, please feel free to chime in. I I want to, there's one thing I wanna make sure we hit on. 'cause I'm, I'm watching chat and questions.

I'll tell you what I see, right? In working with so many MSPs in the same marketplace, one MSP, it just feels like they're fighting their customers. I don't have those kind of customers, my customer's this, my customer's that and someone else who deals with the same type of customers. It, this is not an issue in most cases, what I wanna tell people, even though it might not feel this way for to you, it is more you than it is the customer base right now. Because the reality is so compelling.

It, you haven't gotten there either with your cybersecurity maturity or your belief system. 'cause this is no longer sales. This is a business conversation that leads to higher revenue in more sales. And I'm watching it again, I'm watching the division happen between people who think they can and, and, and aren't and, and others that are just doing it. Gary, if I could just say one thing too about belief. This is about if not doing the right things.

You're basically saying, you know, your clients are more important than one client's more important than your business and your livelihood for all the people you employ. Because, you know, again, I can, you know, we know enough stories now between Chris Lair, between Justin, et cetera, where these can be game ending events. So we have to, you know, treat ourselves as the crown jewels of this whole thing, right? Not that our clients aren't important, but again, you know, the Yeah.

Gary, can I, and Gary, can I bring up one thing that you Yeah, go ahead, man. I can't tell you the number of times when we talk with our MSPs, like, hey, you know, make them aware and then they will report back what they think is gonna be a pain. And you know what exercise and they client goes, wow, I wasn't aware of a SOC/SIEM I didn't quite understand. That makes sense. I really could use that. Thanks for bringing it to my attention. We'll do it so they end up reporting back to us.

Is it every time again, no. You know, but more times than not, you'd be surprised at the clients when you make a good case on what the services, why they should get that particular service and why. And those services that are, that are available to them, you'll find that someone knows someone now that's either been affected by a ransomware attack, a business email compromise, you know, a cyber crime event.

So I think you're finding for the most part, again, it's not everybody, but the MSP's client is willing to spend more on security. I mean, we ask our clients, they just tell us they are. Yeah. Let me just give one real quick anecdote that I want to ask Wes some questions. I had someone I spoke to last week during our peer meeting said he had one kind of big client to them, like five to 8% of their revenue, who's been one of these problem clients. So you get stuck sometime on one hand.

You want to, you, you have this risk. On the other hand, you know, you're a little dependent on, on, on a big customer, you know? And finally he got it down with the, the CEO of the company. And he just said to him, look, I only have one question for you. Why am I more concerned about your business and your business risk than you are? I don't understand it. And he said there was a pause and it was like that moment that broke. And he's like, okay.

You know, he's like, look, I'm not here to sell you anything. I'm trying to explain this to you and I'm feeling like this is keeping me up at night and you don't seem to be concerned about it. And do you really care? Look at your whole business and my business. Do you really care about another a thousand or $1,200 a month in the big scheme of things? 'cause if you do, we're not communicating to you. Right? And I, I don't know what else to do, man. I'm at my wit's end and boom, they got it.

They got it over the hump. So that's awesome. Wes, here's what I want to ask you. Look, we're not saying that every MSP has to be an insurance agent or make recommendations, but do you think like what level of business acumen and understanding about what's happening with some of the things that Justin's talking about, do MSPs need to have to even be able to have conversations with their customers in order to help 'em and know, have them know what they need to do?

So first of all, uh, you're kind of blowing my mind on the whole, like, why do I care more than you do about your risk? I have never really put it in that frame before. And it just shocked me when you said it. I'm like, that is so good to get a client to really understand I am here as your MSP to help you manage through this risk. Ultimately, it's your responsibility.

But I inherit, we talk about this all the time on the call and you've sniffed out some of this already, going back to the acumen that Justin has already kind of laid out for us. You know, the journey of an MSP has been challenging because in the old days it was purely just, how do I keep it running? How do I set up servers and workstations and produce automation to make my life really simple?

But then all of a sudden they get caught in the cross hairs of security because none of the big, like super large MSPs that are out there will ever be able to serve the SMB industry because they're too expensive, they're not custom to solutions. And so the only opportunity is for the MSP and the MSP's already serving the IT assets for the company. So they've already inherited a lot of that risk.

And so now MSPs are going through this journey of you are forced to build expertise not just in security, but also in cyber insurance. And so yes, you must develop business acumen here. You must truly spend some nights and weekends to understand all of this. I know a lot of top performing MSPs and one of the things that they do, one in particular that I can think of, I'm just gonna throw their name out there because they'd be okay with it, is J Mark.

I know when I talk to J Mark and they sit down with their banks, their clients, one of the things they're often doing is they say, let us help you review your insurance coverage. We're not here to make the decisions for you, but there's a lot of things that we're very finely attuned to that you need to have some conversations. You know, and just like Justin said, wow, you've got $2 million as a bank. This is not enough guys.

And they actually walk through what a breach looks like and where the expenses get incurred from and all of the things that the bank had never thought through before in terms of like reputational damage and how to handle, you know, all of those things that happened with it. Like, well, we never really cost modeled any of that.

And so, yeah, the, the reality has come for us today that we're not making the decisions of an MSP of what goes into an insurance policy for our clients, but we must have the business acumen to help walk them through what they have, some of the gaps they may have, and then also what they truly honestly need. Because you are gonna be caught in the middle of this as well.

One of the big takeaways we had from last week is how the whole subrogation process is changing and how this works between you and your insurance and your client and what happens between them based on the nature of the breach. Yep. So yes, Gary in, you must develop business acumen here because it's, it's critical for your survival. Yep. Absolutely. Wes, the next question that I had for you is, I'm seeing these questionnaires start to change, right?

More onerous, you know, multiple pages, MFA, EDR, logging are just a few, few of the things. More's coming. So I want you to put your, your CISO hat on now. As a CISO, how do you go and have those conversations, uh, with your stakeholders when things are changing like this so quickly and now you need to communicate that to your stakeholders? And, and by my stakeholders, do you mean my clients as an MSP? No, no. Well, I mean you as a CISO at a company. Okay. Yeah.

So, so I think it's really clear, first of all, let me say this, it's really clear when you see the new requirements that are coming in, no longer is it like we wanna make sure you have a firewall that's updated. We wanna make sure that you have AV everywhere and MFA, now you're seeing this push towards detective response tools. Those that give us the capability of reducing the time gap between the presence of a breach and our noticing of that breach that we can take action.

And also the ability to have the forensic data to jump out of that and understand the nature of the attack, the significance and breadth of that attack we're seeing that occur. And so, you know, one of the things I would simply be speaking about if I'm a CISO at an organization is understanding, hey, let's use this roadmap of what cyber insurance is requiring us to, to un to to have. But let's also understand they're still setting the bare minimums.

They're still setting the basic levels of things that we need to have in place. That it's not all just like, okay, cool, we put an EDR in and I've got a SIEM that I fired in there. Now I'm walking away from it. And, and I think I'm good. There's so much more that goes into this. I would be using this to say, as we always say, compliance sets the minimum, not the maximum. Compliance says, these are the things we need to have in place.

And if insurance says it's those things, great, let's make sure we move towards that. But let's also start really building in security maturity A so that we don't have to ideally have the cyber insurance claim that's gonna rock our world. And two more importantly, so we can build towards a more secure, mature environment. So as new things happen, whether it's regulatory changes, new requirements by cyber insurance, whatever, we are going down this maturity journey to stay ahead of the curve.

And we can do this through a, a, a, um, an approach approach, a framework approach. We can do this with a commitment to say, this is important for us, um, Gary, this is, this is the new age that we live in. And so that's how I would start really discussing and talking through my board through all this to say, we can get there and here's the pathway to get there.

And the thing I would say, what I've learned is, you know, I, we talked about this before, Justin, you mentioned this, you know, there may be 40, 50 things that we need to do. We need to boil that down to two or three things we're gonna work on this quarter. We're gonna, we're gonna boil it to here's our areas of highest risk. We're gonna tackle these things first.

After those things are done, we're gonna move to something new, but we're gonna work towards risk mitigation for our organization from the highest, most significant areas. And those where we can get those quick wins and make big differences. And then we'll go through two or three new things and two or three new things and we're gonna go down this journey. That's how I'd approach it. Yeah.

I love to ask you and Ryan those questions because every time you answer it is exactly how a vCIO should be talking to a customer a hundred percent of the time. That's why I love to have you. 'Cause you're so comfortable, both of you, with having those conversations with stakeholders. And it translates a hundred percent. And I'm gonna follow that up with Ryan in a second. But Justin, I had a question for you.

I've heard you talk about breaking down the reasons, uh, about cyber insurance for customers into three buckets, right? You, um, can you go through those? You break 'em down into sensitive information, system criticality and cyber crime. Can you talk that why you organize it that way? Yeah, and for, you know, as Wes was saying, you guys were talking about, I mean, you know, you gotta be much more than just the MSP, right?

So, you know, we want our clients to consult with their clients on insurance, but not get into the weeds of determining, you know, limits or answering specific questions. So we just tell, hey, just from a simple high level, I mean, when we talk to the MSP's clients, we always get that they're concerned about one of three things. And it could be all three things. The first group usually is coming to us and saying, Hey, we're concerned about all this PHI or PII, we hold, right?

So we'll call that again the sensitive info group, right? Yeah. So they wanna make sure that if this information is compromised, do we comply with the state laws on the books? Can we notify enough people? You know, can we hire a regulatory, uh, you know, attorney if god forbid we need it? 'Cause those, those people are expensive. Um, you know, but all that goes along with the theft disclosure of PHI or PII and those folks are usually in the healthcare industry.

They're usually in the financial industry and you know, accountants or kind of that group, right? Then you've got your second group that's really, really concerned about their systems, you know?

Um, and you know, we tell our clients all the time, I mean, if they can't understand why, how dependent they are on their systems, come in Monday morning, tell 'em we're gonna perform a ransomware fire drill, take 'em down and put 'em back up at, at five o'clock on, on Monday and see how their day goes, right? I mean, they have to understand if you can't, can't access your email and your management system, it's a headache, right?

So people think to a lot of our MSP's clients, they think, oh, well, we'll just, you know, we'll just pay the ransomware. And we go, I mean, it's to mine Bitcoin and go through all that process. People don't understand it. It takes forever, right? If you're going to try to do this on your own.

So that systems group, if you have the ability to call an insurance carrier, get on the phone with them in a couple of hours, start going through this process, and in a day or two start seeing results, you know, in terms of, you know, the decryption and you know, forensics that might have to you, you have to comply with and business interruption, you know, and any data that might be damaged when you have to recollect the data.

Or we run into bricking situations where that's computer hardware replacement. So you know that that middle group is gonna be our systems group. And then the third group, you know, is somebody that's focused on cyber crime, whether it's a business email compromise, you know, whether it's, um, unauthorized access, uh, via electronic funds. You know, it could be an email or phishing attack, but I think your clients can relate to, hey, you know, you need cyber insurance because of sensitive info.

You need cyber insurance. If your systems go down, we gotta get 'em up as quick as possible. And you need it in case you get tricked into a hundred thousand or $500,000 going someplace it shouldn't have. So again, I don't think you have to get into the weeds. Um, you know, and yeah, spend some time on it, but, you know, just understanding the client doesn't expect you to give them a detailed answer when they ask about cybersecurity. They just want the cliff notes version. Yeah.

You know, that's really good. Uh, Wes, I did have one more question for you. Um, and that is, uh, so we had, um, one of my members, Keith from DBK on, and one of the things, yeah, one of the things he said is, which has really changed the pivot for them, which they're having an amazing, they've had an amazing, uh, last 12 months, um, when they made themselves their number one client, their client zero, they come first always, uh, relative to all others, and it kind of changed their culture.

So in terms of MSPs, you work with so many of them that are implementing security plans like since July 4th. Are you hearing any kind of change to follow, like kind of what, you know, we've said it, but Keith was pretty, you know, adamant about it. Yes, man. Yes. Um, I've seen a few different things here, Gary. Um, first of all, I think every MSP went through the shock factor of, wait a second, I can do everything right.

And I still have critical third parties like my RMM provider that are a huge risk vector for me. And that is a tough position to be in, but it's one in which, um, this is not new to the world of cybersecurity. We've seen this from the Target days on back of third party systemic risks.

And so it's a challenge to be stuck in that position of like, Hey, you know, WWW look at all this risk I've got around me, that the only thing I can do is either hope and prayer or ask a bunch of questions to my RMM provider and get a better understanding of what are they doing to harden their own infrastructure that I'm using. And so that was like the first step since July 4th that every MSP went through. That was a huge shock to them and a huge wake up call.

But then I think the next thing that comes outta that is they begin to say, okay, so now I see how much this, how significant this is, it's not going away. And so now MSPs are getting into what does it look like to harden my own premise, like if I ever even bothered if I'm on-prem RMM, have I ever even bothered to say what does it take to harden my own infrastructure? Right? Like, uh, that, that like web, web app firewalls in front, like just basic things.

So these are, these are things we're really starting to think through, which are really, really good. Um, and of course, Gary, I'll just say this and I'm really interested here what Ryan has to say too on this, but you know, of course the normal things around security of like, okay, you know, I'd have to eat my own tacos for sure. So now it's time for me to truly invest in a mature process.

You know, when I think about doctors, for example, they command this certain arrogance when you go to see them, they bark orders, they seem to have the right answers. They don't like patients talking to them and telling them, well, I read this on WebMD and this is what I think I need. They like, I like doctors that are arrogant, and that arrogance comes with years of practice and years of work that has been put into their trade and practice.

And I wonder if we lack that in the MSP space, especially when it comes to security. And so these things are eye-opening moments for us to really walk down that journey. Yeah. Um, Ryan, what do you think? I mean, I'm, I'm right there with you. I I don't really know that I have much to add there. You, you know, the, there's one difference though between a surgeon and an MSP, um, an MSP, they, before security, they were already having the small business, having to run five businesses.

You know, professional service is really a different business than support, which is a different business than running a tool stack, which is a different business than setting up a proactive, you know, kind of government. It's different than a vCIO process. So yeah, to get that business acumen, we really have to, we have to really work hard.

Ryan, as I was listen, like listening to this and thinking about for the last week, conversations with MSPs around, uh, you know, this just this topic around cyber insurance and a lot of what the carriers are pushing people to do, they're, they're concerned about protection, right? Uh, keeping bad guys, bad guys out.

You know, you talk about cyber resilience, that's for the insurance company, but of the MSP, like right of boom is probably what determines how things turn out for us of our customers. So how does an MSP balance that they have certain things they need to do, uh, that are kind of like the insurance carriers pushing them, uh, you know, on, on the protect and detect side, but they have to live with right of boom. Yeah. So what's the, yeah.

How, how do you, how would you tell MSPs how they need to look at that and how they need to understand cyber resilience in a way that balances those things? I don't know. I mean, I'd be interested to, to see what Justin's thought is on this, but I really don't think that cyber insurance is there for right of boom yet. I think it's, they're starting to get there, but like, think about what they provide you. Okay, they're coming in at the right of boom moment, right? Right.

You're calling up and say, boom happened, I need your help. And they're, they're basically there to minimize their losses, which are your losses. And so they've kind of come up with this playbook of post boom, how they're gonna help you respond and recover from that incident.

Which is why a simple thing that we've told a lot of MSPs to do is go get cyber insurance coverage because they're gonna have access to that deep bench of response and recovery capability that you may not have or have had the chance to build. So you can outsource that capability to the cyber insurance provider. But I think what those questionnaires that a lot of MSPs are getting are primarily like, what do you do to prevent, and what we do to detect and minimize the scope of an event.

So they're not really full kind of full cyber resilience questionnaires. They kind of stop at detect, and like, they might ask you, do you have an incident response plan? Have you tested it? And, but they're not really getting into the details of like, have you done a full-fledged ransomware tabletop exercise and what were the results?

And, you know, so I think there's still more that needs to happen there for at least the insurance companies to be understanding the true cyber resilience of their customers. But the flip side of that is, I don't think MSPs should rely on the cyber insurance carriers to be driving them to that level of maturity. That's a place they need to get to as well. And, you know, I'll, I'll call out Brian Weiss iTech, um, partners here.

Um, he had many people here know, and he's made it well known that he had a breach back in 2018, um, for that affected some of his clients, and it was as a result of a vendor technology. Yep. Um, and over 30 of his customers. Yeah. Yeah. And, and he, uh, got, uh, he had a very interesting experience that he was actually ready to respond.

Um, and he was, he was kind of like flabbergasted by how the insurance was, was kind of behaving because like, he was almost, in some ways getting penalized for having a plan and for being a really good steward of him and his customers. That's literally the words he uses. And so, again, I, I think it, it moves us in the right direction, but it's not, it's not gonna get us to the ultimate destination.

So I don't know if that answered your question, but... Yeah, it's almost like you're kind of saying what, what, um, in some ways what Wes was saying is that we, this is not our goal is to get cyber insurance like that. Our standards have to be much higher and that we're responsible for ourselves and our customers. We have to be, uh, be prepared to respond and on how to deal, have an incident response plan, and the insurance companies are there, hopefully as a resource, right.

And a backstop to help us, you know, with that get us through. But we can't just, we, we have to hold ourselves to a higher standard. Yeah, absolutely. Um, so one last question I had for you, Ryan. Do you have any take, what were your takeaways from like last week's cyber call? Have you thought about it since?

I mean, uh, Justin's kind of confirming a lot of things and we're talking specific MSP, but you know, we heard from, you know, big players about like, pretty much assured like what's coming? What did, what was the feeling or the takeaways you came away with? I don't know. I'm not, I'm not big on fear, uncertainty and doubt, but, um, that, that phrase that Wes caught onto of like, why do I care about your risk more than you do in some ways is how I felt about MSPs for a few years.

Like, why do I as a vendor, a CSO vendor, care more about what's happening to you than in some cases you do. And I think you bring that back to like the onerous exclusions. Like, you know, either not being able to get a policy or getting a policy that says we'll cover you unless you're the reason all of your customers get ransomed. Um, I just, I worry that as an industry we're not moving fast enough and that that tsunami's gonna hit us. Like the tsunami warning.

I, I think there's enough time to get clear, but I don't know if people are going to heed the tsunami warning. Yeah. And that's kind of where I'm, I'm at. And like that's, you know, part prediction part, you know, I, I don't wanna say that based off of past events that this will predict the future, but you know, we're, we're still moving a little slow here. And I think if we don't really kick this thing into high gear, a lot of MSPs are gonna find themselves in an uninsurable position.

And that is not good, because I literally just posted something to Cyber Nation about an hour ago in the interview with the new threat actor BlackMatter, and they said, um, they don't care if, if people can't get insurance policies anymore because they're still gonna pay. So, like, they're not gonna stop if you can't get insurance. And... Yeah.

You know, I gotta tell you just, uh, how this is hard for me as someone who, you know, coaches and mentors, business leaders, you know, I, I, I'm always trying to be a motivator. Mainly that's my job. I need to try to, you know, inspire and motivate people to, to that, that they can set higher expectations and reach 'em. But I'm balancing that with, you know, going into meetings, looking at people's smart numbers, and, and I'm tired of saying to 'em, look, I have the math.

You can't get there at that price. It doesn't work. Let me back, let me back you into it again. And so, I don't want to like constantly be hitting people over the head. I don't want to be, uh, you know, fear, uncertainty and doubt, but I feel the same way sometimes that you do Ryan, which is why am I more concerned about my customers, my customers' risks, the MSP, right, than, than they are. Like, this seems to roll downhill, uh, as it were. Yeah, yeah. Yeah. Awesome. Alright, Andrew, it's cool.

What do you want, what do you want to do? So far we covered a lot of ground. We did cover a lot of ground. Well, one, I wanted to ask Justin if he had any comments, um, you know, just based on what he's heard, anything that, you know, you just want to cap us off with before we chat with Dustin here.

Yeah, no, I think I, and you have to rewind like 15 minutes ago, but when Gary and Wes were talking, I think it was something, what'd they learn after July 4th in this event is, you know, I would ask you on a poll question is, you know, put out how many, uh, MSPs are sharing the Ts and Cs of the vendors that they're working with. So, so what would that look like? Go ahead. Because I... Further on that. Yeah, no, I, I think that that, A, it's a good risk management tool.

In other words, if I gotta live with Microsoft's terms and conditions and they have a supply chain attack, you do too. Here they are. Right? You can't be carrying the, the, the liability for billions of dollars of vendors. You know, the other thing is, my team, we've gone through some of these contracts and these agreements and there are end user agreements in there that say, Hey, the ultimate end user of this product, they agree to our hold harmless indemnification and limitation of liability.

So as an MSP, are you sharing that with the end user of that product? Because, you know, going back to, you know, Wes' thing, one thing I would say is the Kaseya thing, you know, is if you shared those terms and conditions with your client of what Kaseya has, then all of a sudden if the client agrees to it, there should be no problem. You know, and, and I would just say we've seen for a couple years the lack of transparency and a lot of the white labeling will get you into trouble.

It sounds great, but when we go to court, it's not so great. Yeah. But it's harder and harder. I mean, um, I think we just, were looking at it this quarter. Um, we, uh, we have a tools, um, matrix for, for the, uh, for the peer groups. And I think on average, MSPs on average have 14, 14 or 15, you know, tools, which means a lot of 'em have more than 20 Right. Tools in their stack. It's, you know, it's getting more and more complicated every quarter it seems. Yeah.

And I'm, I'm not again, you know, some of it right, is I understand that there's almost like some people feel like I'm chasing infinity, right? When's enough enough? Yeah. But I'll just go back to illegal. If you sign the contract and you said you were gonna do it and you didn't do it, we're in big trouble. Yep. That's just that simple whether or not you want to do it.

But we see a lot of our MSPs, you know, creating detailed statement of works, you know, that include, Hey listen, we're not actually the one that does your email. You know, when you click on that thing and Microsoft pops up, they're actually the ones hosting it. Here's their terms and conditions. If I gotta live with them, you do too.

You know, and by the way, you know, if you change, get Microsoft to change their terms and conditions, you know, I guess I got a standing order, I'll buy you a steak dinner. Yep. But I, I would just say that, you know, that Kaseya thing, you know, the whole event, right? It to me, one of the big things coming out was, you know, are you sharing the terms and conditions of these vendors with your clients?

Because if not, you might have contractually or obligated yourself, yourself contractually to it. But secondly, I think that again, you can't be carrying the bag for billions of dollars of vendors. Watch out, you know? Yep. I'm with you. Interesting. Awesome.

So, Gary, I, um, I, I was talking to Mike Bogard last week and he's like, Andrew, we just got off like a few events, and I'm not gonna go into the numbers, but we are killing it in a positive way on things around cyber insurance and cyber resilience. So it's like, ooh, that's gonna make Ryan really happy.

So they're doing a great job on events, um, getting in front of prospects and customers and um, you know, you and I talked about doing a sales call role play, and I thought, wow, it would be great to get Dustin Bond on who he's in the thick of it in sales. He's director, one of their directors there. So, um, Dustin, can I first ask Dustin, what in these events, um, you're having positive stuff come out from engaging with, you know, clients and prospects, what can you distill down?

What is, uh, what is resonating? What is it that's creating the wedge? Yeah, I think to begin with the, these events, they're cyber resiliency events. I think people are interested in, in-person events. So I think that's aiding in our favor.

Mike, our, our CSO has been kind of doing a, a national campaign here, so him and his counterpart, John Roberts, but specifically what we're seeing stem from it is, is Mike's kind of taking the hour and a half or so gotta kind of walk a customer to begin with education on the front side. Hey, what are we seeing relevant in the industry? Talks a little bit on some of the, on, on some of the recent events and his perspective on 'em.

And then usually a good lobbying question relevant to today is too, is he talks through how many people would actually know what to do in case of the cyber incident that's also driving cyber. Then he takes the messaging and drives it more towards cyber insurance. What he's seeing in our perspective, and that's generating kind of the conversation around tools and technologies and services.

So he is taken a taken that these, these folks through a journey, uh, of kind of starting from, Hey, let's talk about some of the bad stuff in the news to frame it up. And then he's kinda weaving the conversation all the way towards the tail end. And what we're seeing as an output of it, um, is, is managed services activities for the appropriate customer.

Um, but, but then we're seeing some, you know, in reinforcement of education around, you know, your traditional EDR, SIEM and SOC services, MFA for everything you can possibly get your arms around, assessments, assessments, assessments. But what I've been, I've been part of, um, a, a few of 'em, in, in almost every situation, a customer's been willing to share their story and they're, we limit these at usually 12 to 15 people to kind of create a smaller group.

But it, it's been impactful or even a story of a recent customer saying, I'm really struggling getting my ownerships to get on board with multifactor authentication. So he is using that. And then of course, now we've, we've got an uplift to an agreement. Yeah, absolutely. So, Andrew, what did you want, how did you want to do this? Do you want, um, do you want me to be the customer first? You wanna do a little, Yeah. How about this? How about you be the MSP first?

Maybe give Dustin your perspective so he can hear it a little bit and, you know, if we have time, we'll go roll over. Prospect customer. Um, what do you want, Dustin? Do you prefer prospect or customer? You wanna be a prospect or a customer? Yeah, I, I could be the prospect. Okay. I've got a couple questions. Speed up. Yeah. Yeah. So Dustin, um, I appreciate you taking a couple minutes, uh, to speak with me. I, I, I really just wanted to, you know, check in with you.

I want to see how you were feeling about your, about your technology, you know, especially in the light of, you know, the past, you know, six months in many of the events that we've seen. I don't know how much you're aware of what's been happening in the IT world. Yeah. Increased or elevated attention on cybersecurity for certain, and from my perspective, it's, it's just more or less who do, who's accountable and where we have opportunities for improvement. Yeah.

So how has this changed, like, the relationship and the conversations between you and your current provider? What does that, what does that look like? More so along the lines of, uh, I've seen some other tools or technologies come to fruition that I maybe wasn't as familiar with before. So I don't know if this is an any event for me to get caught up, or am I buying the next new latest and greatest widget? Yeah.

How do you know, how do you know what to spend money on and, and maybe what, what not to? 'cause it can be confusing. I, I really don't have an answer for it. I am just trusting that the right things are being done. I gotcha. I gotcha. So with that, in that trusting, like, you know, on a scale of one to 10, 10 feeling like when it comes to cybersecurity risk, you're sleeping like a baby, one being, uh, you don't get a wink of sleep, you know, where, where would you say you are today?

About a seven. About a seven. What, what do you think it would take to get you, well, first off, is a seven good enough right now? Are you comfortable at a seven? No, not, not exactly. Comfortable at seven. And what do you think it would take to get you from seven to to nine or 10? Mostly the, the things that I, I don't know. Yeah. I, I, I, I, I, I only can protect or know what's visible and in plain English to me. Yeah.

You know, Dustin, th this conversation is one that, you know, a a as a provider, um, we've been having with every one of our customers, right?

Um, every quarter, uh, you know, leading up into this, uh, in that education factor, do you think maybe it would make sense if I could maybe set up another time and kind of take you through what we take our customers through to really just educate them on how to look at this differently in this landscape, no matter what, whether we're the choice for you or not?

I feel like you need to have, based on what you've explained, I think you need to have a little bit more perspective so that you can just make good decisions, even if it's with your current vendor. Would you be comfortable setting up another meeting? Yeah, I absolutely would. Yeah. You see, Andrew, I don't have to, you know, I, well first let me, no one's ever answered 10 to that question. Hmm. In the history of, uh, of like since like Copernicus or whatever. Um, so that's number one.

So there's always a door, but I, what I want to do is I want to ask questions and he kind of says, well, it's basically what I don't know. Okay, well how big is that? What does that mean to you? And I'm leading him down the idea that there could be a solution. I'm not giving him that solution. Now I'm telling them what our, I'm really just telling them that my customers don't experience that and I'm looking to get accomplished that next step.

And in that next step, we're gonna go into a lot more detail about questions. Again, not firing and hammering, but educating him on how he needs to look at this in terms of, you know, standards, in terms of resilience, right of boom, all the things that have happened used in stories with our customers, stories from the industry. Gary, you know what, the other thing I noticed is, you know, if someone said seven, your initial gut is, wow, Dustin thinks this cyber's pretty good.

But your follow up question was really, I think good because I think people tend to minimize risk, right? In terms of Ryan, is that a fair statement? People minimize risk. Yeah. There's like a, there's like a thought effect or bias, um, that, uh, Brian Weiss was actually saying this earlier, the less you know, the more confident you are, Right?

Um, and so if you are a customer is answering a seven or eight, that should be an indication to you that if you can get them to a point where they're having an education conversation with you, that they will realize that they haven't been having the right conversations with their existing provider and they're starting to have them with you. So to me... Jeremy says five is the new one. Yeah. Yeah. So I mean, to me, seven is actually a promising answer.

'Cause it to me that says, this person has no idea. Yeah, absolutely. Again, we've been handed this, uh, um, some people are looking like it's a tough time to be an MSP. Uh, I'm gonna say it could be for 30% of MSPs, it's gonna be the best time, uh, to ever be an MSP. You're on mute. You're still muted, Andrew. Thanks.

I was gonna say in your tenure as an, you know, as an MSP working with MSPs, like year over year, 25% growth across, you know, a wide swath of... I've never seen an average this high. We have top people that always meet and surpass that, but in terms of a group average over that, MSPs, that would be, um, the most, uh, growth and 'cause part of it's two factor. One is they're getting more customers because of what's going on for everything we talked about today.

But also they're, uh, their prices have increased, you know, so much because of all this. So you have more customers and those new ones and the existing ones are spending more. And I, and I believe that's what, that is what contributed to, to those numbers. Got it. And we're, and I'm gonna dig into 'em more and I'll give people more information so we can kind of dissect that in the future. Awesome. Alright, so we'll wrap... Dunning-Kruger effect. I love it. That's what it is. Yeah, thanks.

I, I was having a hard time finding it. It's so great. I've used that at one of my, uh, sch fest. It's, it's such, it's such a great, if no one's seen it, you have to check it out. It's, I mean, honestly it's probably useful for your MSP sales teams just to sit down and look through the list of biases and effects that affect how people think about in like applied information security. Because you're gonna run across six or seven of them every single phone call. Yeah, right. I use the juice.

I use the juice. Alright, well hey, first Dustin, thanks for jumping on and doing that and sharing what's working for you guys and, and opening that up. Open the kimono up to help others out there. Is always appreciate you and, and coming on. Justin, uh, always awesome to have you with us. Um, I put your link in the, uh, green call to action. Um, a lot of people on the chat, I don't know if you saw that saying how they work with you and what they think of you.

So as always, we really appreciate you coming on and, and giving your perspective. Thanks for having me. I appreciate it. Yeah, absolutely. On behalf of Ryan, Wes, and disappearing Gary Pica, um, we'll look forward to seeing all of you next Monday. Make it a great day. Take care. Thanks everyone. Thanks. See you.
