CRN Deep Dive: The challenges and opportunities MSPs face around cyber insurance

CRN Australia investigates how several leaders in the channel community view cyber insurance.

Some Australian partners are facing challenges when it comes to finding the right cyber insurance policy and understanding the gravity of the risks associated with not having the right policies in place.

Partners and resellers are struggling to assess their own risk profiles, leaving them either vulnerable to bad actors or paying a larger premium than necessary.

Cyber insurance, while 10 years old, is still a nascent form of insurance but it is becoming more prevalent in the channel community.

Australia is on a path to underinsurance for cyber risk, according to the Insurance Council of Australia, with only 20 percent of SMEs holding standalone cyber insurance.

CRN Australia spoke with several cyber insurance companies, partners and vendors to understand the risks and opportunities for partners around cyber insurance.

Peter Birbeck, CEO of Acclario IT, a Microsoft systems integrator, has had cyber insurance for the past five years and said it is a critical component of his company’s risk management strategy.

However, he has identified several challenges for partners in obtaining cyber insurance.

“Insurers have strict underwriting requirements, including a thorough review of the partner’s history of prior events and the implementation of certain security practices,” he explained.

“The cost of premiums can be high, especially if the partner does not have robust security measures in place.”

Having certifications in place like ISO27001 can help reduce the cost of premiums, according to Birbeck.

“Additionally, partners must demonstrate that their staff are trained and knowledgeable about cyber security policies and procedures to avoid falling into traps,” he noted.

“The cyber threat landscape is constantly changing, requiring partners to adapt and update their security measures continuously.”

Luke Irwin, principal consultant at CISO-for-hire company Aegis Cybersecurity, said it is critical for MSPs and MSSPs to have cyber insurance.

He said managed service providers are becoming more of an active target for threat actors as they hold access to client systems.

“Should an MSP’s systems be compromised and client data accessed, you need to have the insurance layer in place to meet those litigation challenges and enable continuity of operations,” Irwin explained.

Risks in cyber insurance

One of the main challenges partners have is risk recognition, according to Irwin at Aegis Cyber.

“People are terrible at assessing their own risk profiles. What was put in five years back as a band aid is now part of the infrastructure and normal to the environment,” he said.

“Those positions need to be challenged and corrected to bring them into line with recommended practices.”

Irwin also noted that the cyber insurance industry is flooded with non-cyber specialists who don’t understand the industry.

“There is a swathe of non-cyber security insurance specialists selling cyber security insurance as they have their licence for insurance, and it is another line item,” he said.

“Some are good, some are average, some do not know the right questions to ask. I equate that to speaking to your GP for a toothache, sure they can make the pain go away but the root cause of the problem still exists and needs to be remediated.”

Fred Thiele, CISO at Interactive, said the size and scale of an organisation play a huge part in obtaining cyber insurance.

“If you're a small MSP or you're a small service provider, you don't have the funds to go in and do all this stuff,” he said.

“Often, it's a fake it until you make it or you do everything you possibly can do according to the letter of the law from the insurance companies, you just might not have cyber coverage as a small provider, that’s difficult.”

Taking the point of view of a customer, Thiele explained that customers would most likely ask whether a partner had insurance.

“I'd expect that as a service consumer when you go to assess the market for your third party providers, you'd want to have some questions around what level of insurance do you have.

“Do you have cyber insurance? Do you have ransomware insurance? Because they're typically two different things. How much does your policy cover?”

Thiele said while MSPs are seen as a risk due to the complexity of their business, insurers would understand that.

“I don't think it'd be any secret that MSPs, because of their size, complexity and how many customers they look after, they’re an inherently more risky business and insurers are all about managing risks, so they would see that,” he added.

Vendors helping MSPs get the right insurance

Some vendors are enabling and helping their customers understand the nuances of cyber insurance.

Pasha Ershow, SVP for APJ & Middle East Sales and Global Channel at Acronis, held a security event earlier this year, and one of the key questions from their partners was about cyber insurance.

“Right now, it's something that businesses use to mitigate the risks. If risks happen, and there's certain financial consequences, people need cyber insurance,” he said.

“But you will not get cyber insurance unless you implement certain tools, processes and procedures that can make sure that even if something happens, the probability of this is as low as possible.”

Ershow said they have created a checklist for their partners to help with cyber insurance.

“We partner with some other players who do this checklist for cyber insurance, we will help to identify what are the gaps, implement these solutions and then help end customers to get the right cyber insurance.”

Know before you go

There may be a need for more MSPs and resellers to obtain cyber insurance, but cyber insurance brokers also need to have a deep knowledge of the channel community.

Birbeck at Acclario IT said it is imperative that cyber insurance brokers understand the channel landscape.

“Cyber insurers need to understand that the channel environment is more complex than that of a single organisation. Partners deal with multiple customers and must be across all their requirements from a cyber perspective,” he explained.

“This means having robust internal policies and procedures and cyber insurance is even more critical for partners due to their access to multiple organisations' systems, data, applications, and processes. Additionally, partners are often the first point of contact in the event of a cyber incident.”

What do cyber insurers think?

Partners are beginning to understand that if they purchase cyber insurance it will protect the entire company, not just one division.

Andrew Brett, director at cyber insurer Infosure, said the demand for cyber insurance is coming from the understanding that the risk is more business related than cyber.

“Back in the day, a lot of people just pigeonholed it as a cyber risk. As I said, 25 percent of most cyber incident costs come from the tech side, but the other 75 come from public relations, business interruption and legal,” he explained.

“The demands are coming from realising it's more of a business risk, just like they insure the desks and chairs in their office, they’re realising that it's not something that's just a tech problem, and that it's still not where it needs to be.”

Brett noted that most of the insurance broker industry hasn’t caught up with cyber insurance demand.

“There's still a skills gap in their understanding of what the product does and how it benefits a client, so you can only buy what you understand. If someone's telling you this is just another insurance line, I think you should buy it, they're not going to buy it.”

Andrew Bremner, managing director at SherpaTech, is seeing more and more MSPs purchase cyber insurance.

“We're seeing certainly with MSPs that the take up has been quite good. For most of our customers, the take up is quite good,” he explained.

Bremner added that while cyber insurance is important to have, it is still only one part of a larger cybersecurity plan.

“Cyber insurance is just one risk mitigation, it’s only one. You still need people, process and technology, and it's only when that first barrier – people, process and technology – when that breaks through, what have you got left? You’ve got cyber insurance, or you've got your bank account,” he said.

“[Cyber insurance] is just one small part of the risk solution.”
