As attacks continue to worsen in size, scope, and frequency, businesses and their channel partners are placing a renewed focus on cyber insurance policies. Channel Insider spoke with Roddy Bergeron, the cybersecurity technical fellow at channel distributor Sherweb, to learn more about what MSPs need to know to ensure they are ready for the future.
Cyber insurance complexity grows alongside attack impacts
Bergeron now contributes to security enablement and research resources for Sherweb, but he previously worked at an MSP and says he remembers the complexities even then tied to insurance. The complexity and need have only increased over the past few years as the security landscape, and technology more generally, have changed dramatically.
“At the end of the day, the world has changed,” Bergeron said. “If you look back a few years, even say pre-COVID, attacks weren’t as rampant as they are now. There are some tragic outcomes, from total business loss to significant brand damage, done when providers or their clients suffer an attack.”
The first step into readiness: remember the basics before all else
Most cyber insurance providers have extensive audits, involving potentially hundreds of questions that any MSP must complete before being approved for a policy. While that may sound and feel overwhelming, Bergeron advises MSPs to remember that most of the things asked for in audits are relatively basic security components solutions providers should already have in place.
“We’re still telling and reminding partners to just do the basics,” Bergeron said. “I feel like we’ve been preaching it for years, but it’s still so important and still not universal.”
The technologies and approaches to security that Bergeron considers in this grouping of basics include:
- Multi-factor authentication (MFA) tools internally and for clients
- Zero trust access framework in the overall security strategy
- Managed firewall security solutions
- Understanding of vendor and third-party risk
- Data backups and continuity plans in case of an attack or other downtime
In addition to just knowing the basics that should be met, Bergeron also points to various regulatory and compliance frameworks as paths to follow toward insurance coverage.
“If you go through, say, the CIS controls or NIST or any of the other frameworks, and if you achieve everything set out in them, then you’ll be 80 or 90 percent of the way toward what an insurance company would want to see,” Bergeron said. “I’ve seen some insurance companies actually in their questionnaires ask MSPs which of the frameworks they follow.”
Maturity in the market will shape new expectations
Bergeron’s predictions for the next few years in the cyber insurance and security landscape focus on the market maturing as policies force providers, vendors, and end-user businesses to seriously examine their risk and the liability associated with that risk.
“We’re all, from vendor to MSP to insurance company to end user, we’re all assuming a level of risk just by operating. But we’re watching in real-time as we all try to sort out legally who assumes what level of risk for what portions of our technology, and that’s going to be agreed upon and understood across the board soon.”
This push towards a nuanced and comprehensive security approach will likely impact partner businesses that offer some security services but don’t have the depth or expertise to justify the risk and liability concerns coming.
“I think the [providers] who aren’t fully committed to security are going to need to exit the security space,” Bergeron said. “Outsourcing clients’ security to an MSSP or even a more security-minded MSP is a viable option. Not all providers are going to want to or be able to afford security talent, and that’s what outsourcing is perfect for.”
While cyber insurance is not a new concept for the channel, some partners might need a refresh. Read our guide to cyber insurance to learn more about typical coverage, providers to work with, and more.