By Max Pruger, GM, Compliance Manager at Kaseya, and Kirsten Bay, CEO at Cysurance
While no one can truly predict what 2022 holds, it is a guarantee that cybercrime will continue to be a major issue for MSPs. The Verizon Business 2021 Data Breach Investigations Report found over 5,250 confirmed data breaches across 16 countries as well as an increase year over year in both phishing and ransomware attacks. Large organizations often make headlines; however, small- and medium-sized businesses have been feeling the effects of the surge in cybercrime — Kaseya’s 2021 MSP Benchmark Survey found that 77% of MSPs reported that their clients were hit with a cyberattack.
Because of the growing number of risks for MSPs, cyber insurance has become a must-have in 2022. MSPs may find, however, that obtaining and keeping insurance will become more complex — and they’ll need to focus on putting processes in place now to ensure they’re protected in the years to come.
The Burden Of Proof Is Now On The MSP.
The cyber insurance industry is currently in transition, meaning that MSPs must plan — and budget — accordingly to manage their cybercrime risk. In 2022, cyber insurance policyholders will need to prove, with proper documentation, that the controls they say are in place are truly there. The burden of proof will be on the MSP, not the insurance company, to prove the controls in the policy were being followed prior to a cyberattack — attestations will become a thing of the past. MSPs will need to keep detailed records of their cyber insurance requirements and show there are tools in place to continuously mitigate risks to the environment to maximize the chances of a full payout.
In 2022, proper documentation will be essential even if an MSP has not undergone an attack — those that cannot verify proper controls will not be renewed, even if their company has had a longstanding policy in place with a particular insurer.
In addition to ensuring processes are in place to properly record all requirements, MSPs need to allocate additional budget for cyber insurance premiums. In 2021, we saw MSPs that experienced triple-digit premium increases for less coverage in the case of a cyber incident — and we expect this to continue in 2022.
Keep Coverage In 2022.
It’s critical that MSPs ensure requirements are being fulfilled in real time rather than waiting for an underwriter to inform them they’re lacking controls — or getting denied. Companies must disclose if they were declined renewal, so denial can become a cascading problem as an organization then becomes uninsurable. Because of the risk and associated costs of a breach, a decreasing number of organizations are willing to insure MSPs — further contributing to the challenges they face if they are denied coverage from an insurer.
MSPs that are declined coverage or not renewed can certify missing controls to make sure their insurability comes back into play. Similar to credit repair to fix bad credit, MSPs can improve their insurability by staying on top of what’s required in their environment to be insured, making sure it’s in place, documenting these requirements, and adapting as new regulations come out. MSPs cannot simply sign their cyber insurance policy once a year and forget about it — it is crucial that they work with their insurer to understand their requirements as well as any changes that may have occurred in their policy from year to year. Though reading through hundreds of pages may seem daunting for MSP owners already stretched thin, it will save the organization from scrambling in the case of a cyber incident and losing out on a maximum payout.
Leverage Cyber Insurance Opportunities For MSPs.
While the changes to the cyber insurance landscape in 2022 may seem formidable, there are opportunities that MSPs can leverage. Because insurance companies are forcing all organizations to adopt a more proactive stance when it comes to their security controls, MSPs can seize this opportunity to improve their own IT environment and use their expertise to provide additional security and compliance services for their clients. As part of this work, MSPs should be investing in solutions that automate crucial tasks like vulnerability scanning and compliance documentation that are critical for cyber insurance policies. As cyber insurance regulations continue to evolve, MSPs that do not prioritize automated solutions will find themselves bogged down in manual tasks that take away from growing their businesses.
While getting and maintaining cyber insurance coverage will continue to be a challenge for MSPs in 2022, there are additional options for those that are either unable to be insured or cannot get the level of coverage needed. Providers have begun to offer service guarantees to MSPs, which provide warranty coverage for those that proactively prove they have implemented the necessary controls. While these service guarantees are not considered traditional insurance coverage, they have been shown to drive behavior change, provide needed protection against cyberattacks, and minimize the financial impact of an event if it occurs. These types of service guarantees can also help MSPs improve their insurability with traditional carriers.
No MSP likes to imagine that they will be the next victim of an attack. However, it is likely that cybercrime will impact them in some form over the next few years. MSPs need to proactively work to secure their environments — and those of their clients — and closely follow the controls of their cyber insurance or service assurance provider to ensure they will receive the cyber insurance payout their business will need to overcome a cyberattack. Planning for the worst may not be the most optimistic way to head into 2022, but it will set MSPs on a path to success for the next year and beyond.
For additional insights on obtaining cyber insurance and service guarantees, visit www.Cysurance.com. For more information on how your MSP can achieve continuous compliance with its cyber insurance policies, visit www.Kaseya.com.