In 2022, the average cost of a data breach rose by 12.7% over the previous year, according to IBM’s Cost of a Data Breach report. Attacks have increased both in frequency and potential for damage, with small and mid-size businesses being the most affected. In this era of escalating cyber security incidents, it’s more important than ever that MSPs not only maintain sufficient cyber liability insurance for themselves, but also that their clients are properly insured.
What Does Cyber Insurance Cover?
MSPs make attractive targets for cyber attacks, because if a hacker can break through your security, they gain access to all of your clients’ data and IT infrastructure. Cyber insurance protects you against liability in the event of a security incident that puts your customers’ sensitive information at risk. It’s not enough for each customer to carry their own policy (although this is critical). MSPs also need to have sufficient insurance to cover legal fees and expenses associated with the incident.
Cyber insurance mitigates risk by protecting you from financial repercussions if security is compromised. A well-written cyber insurance policy should protect you from lawsuits and cover financial impacts including:
- Fines associated with a data breach or attack
- Customer notification costs
- Data restoration costs
- Forensic analysis
- Other direct expenses
How Much Coverage Do You Need?
Specific recommendations will vary based on your unique circumstances. It’s important to have enough insurance to cover your potential for loss. Here are a few things to consider:
- Financial Impact of Loss – The average financial impact of a cyber incident has increased dramatically over the past several years. While $1 million in coverage may have been sufficient a few years ago, it may no longer be enough to cover potential damages. For example, the global average cost of a data breach in 2022 was $4.35 million, according to IBM’s Cost of a Data Breach Report. In the U.S., that cost rose even higher, reaching $9.44 million on average.
- Types of Coverage – In addition to cyber liability coverage, you should also maintain professional liability insurance to cover the services you provide to your clients. Professional liability insurance protects you in the event of a client’s financial loss that results from error or omission related to a service you provide.
- Insurance Provider Limits – Most insurance providers will not write a policy for more than $5 million, even though breaches may sometimes exceed that amount. It is possible to syndicate your insurance by getting a second policy to cover amounts in excess of the first policy’s limit. However, this is an expensive option since most insurers will not offer a reduction in premium even though they are only responsible to cover losses that exceed the first policy.
5 Tips to Be Sure You have the Right Coverage
Cyber insurance is an unregulated industry. Because of this, it’s critical that MSPs do their own research to find a provider with expertise in the industry. Even then, you may have to jump through some hoops to get approved. Here are 5 things to keep in mind as you navigate the process.
Implement a PAM solution.
Insurance companies are increasingly focused on PAM as a methodology to ensure least privilege security protection. PAM indicates an underlying culture of security that prioritizes least privilege and greatly reduces the opportunity for password breaches. Implementing a PAM solution and encouraging your clients to do so as well is one of the best ways you can prevent security incidents and qualify for the insurance you need.
Be sure your clients understand MFA and that they have implemented it correctly.
While multi-factor authorization (MFA) works alongside PAM to prevent password breaches, they are not the same thing. PAM focuses on privilege access, and MFA focuses on protecting individual user accounts by requiring multiple identification verification factors. Many clients do not understand how to correctly implement MFA. This lack of understanding could put them at risk of a cyber incident. In addition, if an event does occur and the client is not correctly implementing MFA as stated on their insurance questionnaire, they may not receive the full insurance benefit.
Do not fill out a client’s insurance questionnaire on their behalf unless that service is specifically included in your service agreement
If you fill out a client’s insurance questionnaire for them, you assume the risk. If that action is not covered in your service agreement, you will be held liable for any inaccuracies. For this reason, many MSPs will not fill out the form for the client. Instead, they will provide guidance and explain how the answers should be submitted.
Require every customer to carry their own policy.
Insurance is a critical risk mitigation factor, and every customer should carry their own policy. The policy of the MSP is not enough to cover a client in the event of a security incident. Clients will likely have questions about how much coverage they should purchase. As their trusted advisor, encourage them to consider all outside costs and talk to their broker.
Talk to your broker for cyber insurance recommendations.
An experienced cyber insurance broker can walk you through the specifics of what should be included in your policy. This includes what exclusions would look like, and which carriers would be a good fit for you.
Cyber Insurance Works with Your Security Stack
Cyber insurance works hand-in-hand with a robust cybersecurity strategy to protect both your MSP and your clients from catastrophic loss. At CyberFox, we understand the importance of putting every available risk mitigation measure in place so you are protected. Contact us today to learn more about how we can help you keep your data safe.
Watch our new webinar on Cyber Insurance here.