Cyber Insurance Primer: How To Avoid The Pitfalls

Two cyber insurance broker executives discuss how MSPs and MSSPs can navigate the often-tricky process of obtaining policies, including through understanding what’s covered and the importance of ransomware coverage.

For managed service and managed security service providers, the process of obtaining cyber insurance can be complex and difficult -- and not always successful. MSPs and MSSPs are considered harder to insure than many other types of businesses due to a number of unique factors, including their cybersecurity duties for customers and the frequent targeting of MSPs by cybercriminals. CRN spoke with executives at two cyber insurance brokers who specialize in working with MSPs and MSSPs—Sunnyvale, Calif.-based DataStream Insurance and Philadelphia-based SeedPod Cyber—to find out some of the most common pitfalls and how to avoid them.

Get two cyber-related insurance policies from the same carrier.

Along with a standard cyber insurance policy—which provides coverage in the event of a ransomware attack, data breach or other cyberattack—MSPs should also obtain technology errors and omissions (E&O) insurance to cover their professional liability, according to Marvin Cigarroa, senior director of insurance at DataStream. That can include any claim made against the MSP based on allegations of a mistake or negligence in the delivery of their services. Importantly, MSPs should always make sure to get both their cyber insurance and tech E&O policies from the same carrier, according to Doug Kreitzberg, founder and CEO of SeedPod Cyber. If an MSP uses two different carriers and a customer files a claim, things can get messy. “What you could have is each carrier pointing to the other saying that the other is liable,” Kreitzberg said.

Work with a specialist.

Many carriers make risk determinations for the MSP category as a whole, rather than looking at individual service providers, according to Kreitzberg. As a result, finding a broker who is willing to get to know the individual MSP—and assess its actual security posture—can increase the likelihood of getting a policy (and potentially will lead to a reduced premium as well). Another reason this is a good idea: There are a lot of nuances to understand when it comes to insurance policies for MSPs. “You really need to work with someone who’s on top of it,” he said. “Whether they work with us or with someone else, I just encourage any MSP to work with someone who actually specializes in it.”

Understand what’s actually covered.

While this may seem like a no-brainer, failure to understand what is and isn’t covered by a cyber insurance policy is a common pitfall for MSPs (a key reason to work with a specialist). For instance, on a tech E&O policy, Kreitzberg recommends paying close attention to how the carrier defines the services that are covered. Ideally, the policy should have a broad definition for the services it will cover, he said. What the policy shouldn’t contain is a list of specific services that are covered. If it does—and the MSP gets hit with a lawsuit related to a service that’s not on the list—the carrier may refuse to pay.

Pay extra attention to the ransomware coverage.

MSPs will definitely want to know what’s covered in the event of a ransomware attack: Does the policy cover the costs of getting systems back up and running, and does it cover lost profits? MSPs should also see if it’s possible to place what’s known as a sublimit on the ransom payment that is covered by the policy, Kreitzberg said. A sublimit ensures that any ransom payment will be capped at a percentage of the overall policy. For instance, a $1 million policy, without a sublimit, could get entirely used up on covering a ransom payment and leave nothing for system restoration or lost profits.

Keep in mind: Insurers will treat MSSPs differently from MSPs.

Many carriers do view MSSPs—which often serve as an outsourced security operations team for customers—as a bigger risk than IT-focused MSPs, broker executives told CRN. Among other things, carriers will often scrutinize an MSSP’s customer agreements more closely than they would for an MSP, according to Kreitzberg. MSPs that are exploring whether to add a managed security practice will want to keep this top of mind, said DataStream founder and CEO Andy Anderson. In terms of liability, an MSSP is “essentially signing up for a lot more,” he said. Because of the insurance implications, MSPs should also be careful in how they advertise what they offer for security services, Cigarroa said, noting that he’s encountered some stretching of the truth on this in the past. “If you’re not really doing MSSP work, make sure you don’t have stuff on your website saying that you are,” he said. “That could actually backfire.”