Cyber insurance is a polarizing topic among MSPs and their clients. Its perceived value, coupled with the often-painful renewal process and escalating premiums, has turned this type of coverage into a matter of preference rather than necessity for many organizations. As your business directly manages the IT infrastructure and cybersecurity of your clients, your role directly influences the claims process, responsibilities, and liabilities provided under these coverages. For organizations not bound by regulatory requirements to carry a policy, the choice often boils down to this: gamble on avoiding a breach or invest in cyber insurance to mitigate financial loss when the inevitable occurs.
A few key insights emerge when examining the latest research. With most forecasting organizations putting the CAGR at just above 20%, the cyber insurance market is expected to exceed $100 billion by 2030. What’s even more concerning: an alarming 72% of small and medium-sized businesses (SMBs) without cyber insurance say a major cyberattack could destroy their business according to the National Association of Insurance Commissioners 2024 cyber insurance report.
The positive news is that the cyber insurance market is finding stability after the disruptions caused by the COVID-19 pandemic. However, the downside is that this stability results from risk reduction strategies implemented by carriers and brokers to minimize their exposure. These strategies include wartime exclusions (restricting coverage for attacks backed by nation-states), increased entry barriers for certain sectors (such as healthcare and education), premium increases, and new coverage limitations, making the cyber insurance industry a more manageable risk for insurers.
Cyber insurance carriers are diving deeper than ever into assessing applicants before issuing policies. They now scrutinize everything from the organization’s cybersecurity infrastructure—such as the use of MFA, endpoint protection, and email security—to the implementation of incident response plans and employee training programs. This heightened scrutiny ensures that only businesses with robust defenses and proactive risk management strategies qualify, as carriers aim to minimize their exposure to increasingly sophisticated cyber threats.
There is no standardized template when it comes to how companies approach cyber insurance from the business or risk management side. We are still in uncharted territory. So where does the MSP fit into all of this?
Your responsibilities span a wide range of tasks, including risk mitigation, incident response, business continuity, and more depending on the level of support you offer. If an MSP’s actions—or negligence—contribute to a breach, such as through improper patch management or misconfigured systems, clients may hold your business accountable for the resulting loss.
For the MSPs with a cyber policy of their own, it is important to understand where a client’s coverage starts and where yours ends. It could mean the difference between a breach covered entirely by a policy (yours or your client’s), or your organization being held financially culpable.
Your business can also assist clients in reducing expenses and discovering additional ROI. Consider this scenario: an SMB handling sensitive customer data, struggling with GDPR compliance, and facing high cyber insurance costs. By working closely with your client and their insurance provider, the insurer gains a better understanding of the processes and technologies you use for your client. Employing tools like AI-driven email security, conducting compliance audits, and establishing an incident response plan for ongoing readiness demonstrate your dedication to protecting said client's environment. These efforts strengthened the SMB’s security framework, allowing them to renegotiate their cyber insurance policy for lower premiums and more extensive coverage.
This conversation can't take place unless each party is given the opportunity. Communication between the MSP, their client, and the insurance provider has never been more important.
Any MSP worth their weight must know where the skeletons are buried. The risk assessment process is crucial for providing the highest level of service possible to your clients. As the saying goes, preparation is the key to success. We have created a list of questions for both your new and existing clients to ensure you’re aware of the liberties afforded to them through their cyber insurance coverage.
I’ll start with the low-hanging fruit. Your client’s insurance carrier needs to understand your role in their security strategy just as much as you need to understand their coverage details. While this should be a fundamental step during the assessment and onboarding process, it’s often overlooked. It could be overlooked in an expedited onboarding process or perhaps an extremely siloed client dynamic, but it must be covered.
This is important to you and your clients for a handful of reasons. For starters, your business can help them in meeting their insurance requirements. A business can't be insured if they don't meet the minimums established by carriers today. Second, your security program might result a reduction of their premiums by providing additional detail on what you’re providing for them (please see the example above). Lastly, your business must be a part of the Incident Response (IR) plan. How quickly incidents must be reported and handled are all outlined in policies and must be documented by the MSPs for their clients claim to be considered.
This is crucial for both you and your clients for several reasons. Firstly, your business can assist them in fulfilling their insurance requirements. A company cannot be insured if it fails to meet the minimum standards set by carriers today. Secondly, your security program could lead to a reduction in their premiums by offering additional details on the services you provide (please see my theoretical example above). Lastly, your business must be mentioned in the Incident Response (IR) plan. The speed at which incidents need to be reported and managed is specified in policies and must be documented by MSPs for their clients' claims to be valid.
As the primary manager for their IT infrastructure and cybersecurity posture, you need to know what’s included in their policy. Ideally, your business is included in their Incident Response (IR), Business Continuity (BC), and Disaster Recovery (DR) plans already.
When talking about loss, it’s important to highlight what types of losses are involved in a cyber policy. Below I’ve summarized the details and differences between third-party vs first-party coverage:
At the same time, it is equally important for MSPs to regularly review their very own cyber coverage to make sure that they have obtained the appropriate insurance for their organization. It's a two-way street. Coverage counsel can provide valuable guidance by analyzing insurance gaps, enhancing policy language, and resolving coverage claims.
Insurance companies live and die by the numbers and you should too. When looking at the NetDiligence Report of 2023, Phishing, Ransomware, and Business Email Compromise (BEC) represent almost half of the claims filed from 2019 to 2023. Generative AI has drastically amplified the scale and speed of these attacks, as more threat actors adopt AI-driven methods to orchestrate their campaigns. Ensuring your clients are protected from threats stemming from workplace communication platforms is crucial for their cyber resilience.
Phishing, BEC, and ransomware attacks often originate through email, making robust email security a key factor in risk mitigation. Having advanced email security added to your client’s environment demonstrates proactive measures to prevent costly breaches. Solutions that integrate real-time threat detection, automated response, and Security Awareness Training (SAT) significantly lower the likelihood of successful attacks, reducing claims and liabilities down the road.
MSPs play a crucial role in your client’s cyber insurance lifecycle, directly influencing clients' risk profiles and claim activity. With the market projected to exceed $100 billion by 2030, insurers are tightening requirements, raising premiums, and limiting coverage to manage risk. MSPs must understand the boundaries between their own cyber coverage and their clients’ policies to avoid financial exposure. At the end of the day, the primary goal of improving your client's cyber resilience remains the top priority.
To facilitate a successful client partnership, MSPs must conduct thorough risk assessments and ask the critical questions about clients' cyber insurance. This includes clarifying coverage, ensuring alignment with their client's insurance carriers as well as their own if applicable, and staying ahead of leading claim catalysts. By implementing robust email security and proactive planning, MSPs can reduce claims, enhance cyber resilience, and reinforce their indispensable role as trusted partners in managing cyber risk.