A couple of episodes ago, I spoke to Wes Spencer at Perch Security about some of the actions and strategies you can implement to protect yourself and your clients against the recent surge of MSP-targeted ransomware. Today, we’re looking at another plank in your MSP defense strategy: insurance.
If you experience a breach of some kind, whether that’s you as the MSP or one of your clients, that can be a life-changing event and not in a good way. Worst case scenario — it could mean the end of your MSP business, bankruptcy, and all the ripple effects from those.
So it absolutely makes sense to have some safety nets in place. Yes, you want to take precautionary measures so your house doesn’t catch on fire—those are the things we talked about in Ep051 with Wes Spencer—but you also want to know that if circumstances beyond your control burn your house to the ground that you can recover. And of course, that’s where insurance comes in.
My guest today is Justin Reinmuth, the founder of techrug, an insurance agency based in Columbus, Ohio, that specializes in working with technology service providers. Together, Justin and I look at what insurance your MSP needs and why, how to make sure you’re using insurance optimally as a protection strategy, and some of the trends in technology insurance that will be affecting you in the coming years.
One thing to note: This discussion with Justin covers insurance in the United States. The specifics of insurance are going to be different in different countries, of course, but the broad strokes should apply just about anywhere so this is well worth a listen no matter where you are.
What Every MSP Should Know About Cyber Insurance: Interview With Justin Reinmuth
[02:54] The number one policy to pay attention to is a cyber E&O (errors and omissions) policy. These are unregulated policies meaning there is no standard policy. Some policies will cover cyber extortion, some won’t. Some will cover first-party business interruption claims, some won’t. You need to make sure you have the right policy with the right coverage and limits.
[04:34] Find an agent who specializes in cyber E&O or get together with an association. You want to make sure they understand your business and the coverage that’s right for your circumstances.
[05:42] Cyber extortion is kidnap and ransom insurance. As people in the industry know, this is on the rise.
[06:26] A first-party policy protects the MSP. Third-party coverage protects the MSP from client claims due to business interruption.
[06:48] Risk management needs to go beyond insurance. You need PIC: protection, insurance, and contracts. Protection is making sure you’re doing everything you can in-house, such as vulnerability scanning. It’s also making sure your clients are doing what you’re asking them to do around security.
[07:23] Also make sure you have the right contracts in place. A good MSA (master services agreement) defines your boundaries.
[07:58] A waiver of subrogation clause in your MSA, for example, will prevent the client’s insurance company from coming after you.
[08:16] Find a qualified attorney who is familiar with the space for creating your contracts. Contracts need to be updated regularly, just like technology.
[09:28] You need first-party business interruption coverage, so if there’s a hack and you’re shut down, you have some recourse.
[09:58] You also need what’s called system damage, which covers deleted or corrupted data.
[10:10] Third-party coverage will take care of when clients experience downtime or data loss.
[10:25] The most common claims Justin sees are for data loss, network security failure, breach of contract, cyber extortion, and problems with rogue employees.
[11:10] When one domino falls, it will knock over several more pretty quickly. For instance, cyber extortion can cause multiple issues.
[11:51] The average compromise is now taking an MSP about 10 days to get back up and running.
[12:25] If you don’t follow privacy laws correctly, you could be subject to a regulatory fine or penalty. There’s coverage for that as well.
[13:03] Because these policies are unregulated, different carriers have different criteria. On the application form for the policy, make sure you’re not checking any boxes that you can’t comply with. Also take a look at exclusions.
[16:11] Justin estimates that anywhere from 50 to 70% of MSPs don’t have the right type of insurance or the right limits.
[17:13] Some MSPs don’t understand the coverage they need. Cost can also be an issue.
[18:46] When you add a new service offering, make sure you let your insurance agent know. There’s also a yearly application process, which gives you an opportunity to review coverage and make sure it’s keeping pace with your business.
[21:02] In the US, the number one insurance policy for an MSP should be cyber E&O. The second is employment practices, covering sexual harassment claims, wrongful termination suits, and the like.
[22:30] Jennifer’s recap of key takeaways: 1. As an MSP, you need a specific cyber E&O—errors and omissions—policy in place. A generic business E&O is not going to provide the coverage and protection you need.
[22:41] 2. There’s a good chance that right now your MSP doesn’t have all the right insurance coverages in place or potentially the right limits to protect you properly. Now would be a good time, having listened to this episode, to review your policy and see if it covers some of the basic things we discussed: cyber extortion, first-party protections, third-party protections, data loss, network security failure, rogue employees.
[23:05] 3. Find an insurance agent or broker who specializes in working with technology companies. Ask them a lot of questions and make sure they can answer them all to your satisfaction. As Justin pointed out, the insurance carrier is not going to be the one to come to you and say, hey you’re missing something in your policy. That’s on you and the agent you work with.
[23:23] 4. While you’re reviewing your insurance policies, take a look at your legal contracts and agreements as well. Are they working together to provide coordinated protections? Again, you’re going to want to look for a lawyer who specializes in working with technology companies if you’re not already working with one.
Remember that the first-ever Frankly MSP Live is happening in January 2020. It will only be the first time once! Will you be one of the lucky ones who can say, “I was there when it all began?” Grab your ticket at franklymsplive.com [No longer active.] and use code FRANKLY50 for $50 off at checkout. I will see you there.
Links from this episode
- Fight Back: What You Can Do About MSP-Targeted Ransomware – FMSP 051
- Justin Reinmuth on LinkedIn
- techrug (for US-based MSPs)
Insurance agents in the UK handling cyber liability
Insurance agents in Australia handling cyber liability