Ransomware Causing Security Insurance Costs To Spike: MSPs
With ransomware attacks on the rise and making global headlines, cybersecurity insurance firms are starting to force MSPs to pay thousands more, or in some cases are doubling the cost of insurance, which is shifting how solution providers sell their managed services and security stack.
“I got my renewal the other day from our insurance company, but it wasn’t even a renewal, it was basically the first shot over the bow that said, ‘Hey, by the way, I know you haven’t had an incident this year, but your rates are going to go up 15 percent because you work in technology,’” said Dawn Sizer, CEO of 3rd Element Consulting, a fast-growing Mechanicsburg, Pa.-based MSP and consulting specialist. “They’re not even saying you’re an IT provider, but only, ‘You work with technology.’ That’s 15 percent. It is not a small number. It is not insignificant.”
Sizer said 3rd Element Consulting recently switched cybersecurity insurance firms because her previous insurance company doubled its cost. “So [our previous insurance company] were the ones insuring MSPs and doing a good job of it and making sure that they were looking at your brand, looking at reputation, looking at everything holistically in that area. And then they were like, ‘Well, you know what, you’re going to see an enormous jump,’ -- it doubled,” said Sizer.
MSPs said the increase in pricing from cybersecurity insurance firms is changing the way solution providers offer and structure their security business. “It’s dumb that the insurance industry is actually driving what we’re selling, how we’re selling, and how much of it we have to sell in order to protect ourselves,” said Sizer.
CRN reached out to several cyber insurance firms, including Allianz, Chubb and Lloyd’s of London, which did not respond to requests for comment on the matter by press time.
Brian Miller, CEO of FusionTek, a Kirkland, Wash.-based solution provider, said the global spotlight on ransomware is leading cybersecurity insurance firms to force some of his customers to buy security solutions or be refused coverage.
“Insurance companies are requiring their insured – i.e. our client – to make sure that they adhere to a certain level of standards -- from how the equipment is set-up, or if it’s multi-factor identification, or for backups, etc.,” said Miller. “So while we’ve had that discussion with our clients for years, a lot of times they’ve said, ‘Hey, it’s an inconvenience right now,’ or ‘Hey, there’s a challenge.’ Now the insurance companies are saying, ‘We’re going to drop you unless you go do this.’”
Miller said zero-trust solutions, such as those from ThreatLocker, and multi-factor authentication (MFA) are becoming requirements from cyber insurers. “It’s being driven, not really from a regulatory standpoint as much as a compliance directive to keep your insurance or to be able to [run] your normal business operations,” he said.
Cybersecurity insurers try to help businesses manage cyber risk efficiently and effectively, including by conducting cyber risk assessments and advising on hardening defenses. Cyber insurance firms can pay out millions for a single cyber-attack. For example, insurance vendors were expected to spend $90 million on incident response and forensic services for clients hit by the SolarWinds hackers last year.
Just this month, insurance executives from across the nation attended a White House cybersecurity meeting with U.S. President Joe Biden, who appealed to the private-sector insurance executives “to raise the bar on cybersecurity.”
More than one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data over the last 12 months, according to an August 2021 survey by IT research firm IDC.
“Ransomware has become the enemy of the day; the threat that was first feared on Pennsylvania Avenue and subsequently detested on Wall Street is now the topic of conversation on Main Street,” said Frank Dickson, program vice president of Cybersecurity Products at IDC, in a statement. “As the greed of cyber-miscreants has been fed, ransomware has evolved in sophistication, moving laterally, elevating privileges, actively evading detection, exfiltrating data, and leveraging multifaceted extortion. Welcome to digital transformation’s dark side.”
Only 13 percent of organizations that experienced a ransomware attack or breach did not pay the ransom, meaning the vast majority of businesses are paying the cyber criminals, according to IDC. Although the average ransom payment was almost $250,000, a few large ransom payments skewed the average.
Nathan Stallings, president of Matrix Integration, a Jasper, Ind.-based MSP and solution provider, said many MSPs are now requiring their customers to buy their entire security package.
“I’m seeing whenever MSPs bring on a new customer, they’re saying, ‘You have to buy all these things at the same time.’ Let’s say we’re charging $140 a month per user. When we add security, and we’re not giving new customers the option, it’s $230 per user and it includes these security measures,” said Stallings. “There’s a big MSP market trend that is requiring customers to have that security layer.”
By 2031, ransomware will cost its victims more than $265 billion annually, according to Cybersecurity Ventures, up from approximately $20 billion in 2021. Ransomware is expected to attack a business, consumer or device every 2 seconds by 2031, up from every 11 seconds this year, says Cybersecurity Ventures.
3rd Element Consulting CEO Sizer said some “break-fix” solution providers that are not managing and monitoring their customers’ IT equipment are not going to be able to get insured.
“It’s also going to drive out a lot of the break-fix people because they won’t be able to get insured with cyber at all. If you’re not managing and monitoring their equipment, they won’t insure you. Or they’ll insure you, but your rates jump so high that I don’t know how people will be able to do it,” said Sizer. “So there’s a lot of things behind the scenes that are really driving what these security insurance numbers are and why security [sales] are up so high for some MSPs.”