What Tightening Cyber Insurance Requirements Means For MSPs
By Jeremy Young, Blumira
Over the past decade, the cyber insurance industry has operated much like the wild west. In an attempt to grab market share, over-eager underwriters wrote policies without fully understanding their risk — or in some cases even understanding cybersecurity at all.
This shotgun approach was a strategic bet from one of the oldest industries in existence, but not all bets pay off equally. With the confluence of cryptocurrencies, the rise of ransomware, and increased cyberattacks overall, most insurance providers are upside down on their cyber books of business and now have to make some tough choices to try and right the ship.
Most insurers are looking at three main options:
- Cut bait and leave the industry altogether, accepting their losses
- Dramatically raise premiums while lowering coverage limits
- Use the incident and breach data they’ve acquired to mandate better cybersecurity standards
For those that remain in the market, there’s no question that we’re going to see the cyber insurance industry tighten and become more standardized — it’s just a matter of when. For some, it’s already happening with premiums doubling or tripling.
But the real changes are still ahead of us — and when they come, many MSPs will need to make some major changes to their security tech stack.
A Shift In MSP Culture
Before I dive into why the MSP tech stack will need to change, it’s important to understand where the current landscape stands and how MSPs typically handle cybersecurity risk.
An MSP generally relies on a few main pillars when it comes to mitigating cybersecurity risks. First, there’s people and culture, which either leads to or stems from internal policies and framework adoption. Next, there are tools, which are chosen to cover gaps while adhering to those policies and frameworks. Lastly, insurance and incident response planning give an MSP a better chance at an effective response and speedy recovery.
I want to take a moment here to point out that most MSPs know the right things to do but are hamstrung by their customers in their ability to implement the proper controls across their customer base. Small businesses face any number of threats daily, cyberattacks being only one of many. So it’s understandable why, until something happens to them, they aren’t willing to make the changes necessary — both behavioral and budgetary — to adopt proper cybersecurity measures.
For MSPs just starting on their security journey, the first instinct is to look for a silver-bullet tool to solve that problem. The response to this desire is a security industry that’s plagued with products-that-should-be-features willing to make false claims that appeal to this instinctual urge to throw money at a problem we haven’t yet taken the time to understand — with the end goal of business owners feeling like they’ve mitigated risk, regardless of whether they’ve achieved better security outcomes.
After scratching the surface and getting exposure to the endless tools available in the cybersecurity market, a new understanding starts to creep in: “I’m not doing enough, but I don’t know the right things to do.”
That understanding is the start of a cultural shift we’re seeing in the MSP industry: the prioritization of cybersecurity as a new foundation of business culture. While this shift has been happening one MSP at a time for the last five years, the Hafnium attacks on Microsoft Exchange and then the Kaseya ransomware attacks hit so close to home for many MSPs that they massively accelerated their security maturity journey.
Turns out, these events have had the same maturation effect on the cyber insurance industry as well.
Digging Into Data
The first life insurance policy was taken out in the early 18th century, and the payment of that policy was based on one factor: age. Of course, modern life insurance is much more complicated. Prospective policyholders are now asked a myriad of questions: What’s your family history? How often do you drink alcohol or use drugs? What’s your driving record? Blood tests are common for coverage with higher limits or to get better rates.
It’s not exactly a stretch to predict the same evolution for cyber insurance. Cyber insurance may not be in the dark ages equivalent to early life insurance, but the industry is still fairly nascent. If you aren’t speaking to a cyber insurance specialist, you should expect your main contact to be relatively uneducated about cybersecurity, relying on templates to determine a coverage plan.
But now, cyber insurance companies have over a decade of data that reveals certain trends. That data may reveal, for example, that customers with endpoint detection and response (EDR) and multifactor authentication (MFA) yield better profit margins for insurers than, say, customers with no formal security policy.
Those old-school insurers who have been writing policies since the 18th century will take a longer-term view of this problem. They’ll be the ones who simply hike premiums and lower coverage limits. The little guys that jumped into cyber chasing easy money will cut their losses and leave the space. But a new breed of cyber insurers is emerging, and their focus is increasing cybersecurity effectiveness to lower risk. These are the diamonds in the rough.
The Future Of Cyber Insurance
The trend of requiring certain cybersecurity controls for cyber insurance coverage has already come to fruition. At a White House Cybersecurity Summit in August, for example, a major cyber insurance provider, Resilience, promised to “require policyholders to meet a threshold of cybersecurity best practices as a condition of receiving coverage.”
There is no better industry to measure risk, so it’s only natural that insurance coverage will be the driving force in years to come around cybersecurity adoption for MSPs, regardless of where they are in their own security maturity journey. Tightening requirements have already driven the adoption of MFA, EDR, and one-year log monitoring and retention — and this list will only grow.
Insurance is one of the oldest industries in existence. Insurance companies play the long game, but when they move, the underwriters move together to rightsize underperforming segments. Right now, cybersecurity policies are their biggest loss center, but MSPs shouldn’t expect that to continue in the long run. Look for MSP-friendly people and companies like Reid Wellock at FifthWall Solutions or Justin Reinmuth at Techrug, who provide security guidance, value, and real partnership — not just policies.
Most importantly, MSPs that haven’t already started their security journey should start now. They shouldn’t wait to meet the baseline requirements and risk being uninsurable at their next renewal date.
About The Author
Jeremy, from Austin, TX, is Director of Partner Strategy at Blumira and has been working in tech and cybersecurity for a dozen years. He leads the partner program at Blumira, bringing cloud SIEM and SOAR to those who need it most: the SMBs and MSP partner community that keep their businesses running. Before that, Jeremy was Head of Affiliate Partnerships at Huntress Labs, where he led the go-to-market strategy for partnerships. Jeremy also helped build the Duo Security MSP team, advocating for MFA to be a standard for all MSPs and their customers. Verizon Enterprise Solutions and Hewlett Packard round out his ITSec tenure.