Cybercrime is rampant and here to stay. The FBI’s Internet Crime Complaint Center (IC3), established to track internet crimes, has received nearly 5.7 million complaints since its inception in 2000. According to its 2020 Internet Crime Report, complaints rose by more than 300,000 from the previous year, and reported losses exceeded $4.2 billion. These statistics are alarming and serve as a wake-up call to both managed service providers (MSPs) and small and medium-sized businesses (SMBs) that they need to prepare. Cyber insurance has become a must-have in 2022, but obtaining it – and keeping it – is not so simple.
The Cyber Insurance Landscape is Changing
MSPs and SMBs alike need to understand the industry is in transition and plan accordingly to manage their cybercrime risk. In 2022, requirements will shift. Attestations will become a thing of the past, and policyholders will need to prove, with proper documentation, that the controls they say are in place are truly there. The burden of proof will be on the entity, not the insurance company, to prove the controls in the policy were being followed prior to a breach. Also, catastrophic coverage will be written in as an exclusion. To maximize the chances of a full payout, MSPs and business owners will need to keep detailed records of their cyber insurance requirements and show there are tools in place to continuously remediate risks to the environment. Another trend to expect in 2022 is that premiums will go up – depending on the sector, these increases could be anywhere from 30-50%. The healthcare industry and MSPs are even seeing triple-digit increases in some cases. New industries that will be impacted by rising premiums are the construction and manufacturing sectors, which are starting to be considered low-hanging fruit by cybercriminals.
Additionally, getting insured will become more difficult in 2022. Organizations that cannot verify proper controls will not be renewed, even if the company has had a longstanding policy in place with a particular insurer.
Don’t Get Dropped, and What to Do If It Happens
It’s critical that MSPs and SMBs ensure requirements are being fulfilled in real time rather than waiting for an underwriter to inform them they’re lacking controls—or getting denied. Companies must disclose if they were declined renewal, so denial can become a cascading problem where an organization then becomes uninsurable.
If coverage is declined or not renewed, an organization can certify the missing controls to make sure insurability comes back into play. Similar to credit repair to fix bad credit, companies can improve their insurability by staying on top of what’s required in their environment to be insured, making sure it’s in place, documenting these requirements and adapting as new regulations come out.
Another trend MSPs should be mindful of is the decreasing number of organizations willing to insure them due to the risk and associated costs of a breach. In 2021, we saw MSPs that experienced triple-digit premium increases for less coverage in the case of a cyber incident—and we expect this to continue in 2022.
Opportunities for MSPs and SMBs
While the news around cyber insurance may seem less than ideal for MSPs and SMBs, there are opportunities that IT professionals can leverage. For MSPs, the pandemic underscored their importance as subject matter experts who can help their customers understand their critical security needs. Insurance companies are forcing organizations to adopt a more proactive stance when it comes to their security controls, and MSPs should be leading this conversation and encouraging their SMB customers to work with them on needed improvements to their environment. As part of this work, both MSPs and SMBs should be investing in solutions that automate crucial tasks like vulnerability scanning and compliance documentation that are critical for cyber insurance policies.
While getting and maintaining cyber insurance coverage continues to be a challenge for MSPs and SMBs, there are additional options for those that are either unable to be insured or cannot get the level of coverage needed. Providers have begun to offer service guarantees, which provide warranty coverage for MSPs and SMBs that proactively prove that they have implemented the necessary controls. While these service guarantees are not considered traditional insurance coverage, they have been shown to drive behavior change, provide needed protection against cyberattacks and minimize the financial impact of an event if it occurs. These types of service guarantees can also help MSPs and SMBs improve their insurability with traditional carriers, as well.
Though all MSPs and SMBs hope to never experience a cyber incident, the risks will continue to grow. Organizations need to focus on both prevention and mitigation, and one way to do this is by proactively working to secure their environment and closely following the controls of their cyber insurance or service assurance provider.
About the Authors:
Kirsten Bay brings over 25 years of experience in risk intelligence, information management, and policy expertise across a variety of sectors. In the last six years, Kirsten has been the CEO of big data and cyber security companies, leading the strategy and development of next-generation analytics and attack detection technologies. Throughout her career, Kirsten has been appointed to congressional committees developing cyber policies, initiatives and recommendations for the intelligence community and held executive roles at Cyber adAPT, Attensity Group, and iSIGHT Partners.
Max Pruger has been a pioneer in the managed services industry since the late 1990s. He currently serves as General Manager of Compliance Manager for Kaseya and is responsible for Kaseya’s Compliance go-to-market strategy. Prior to rejoining Kaseya, Max served as Chief Revenue Officer of CloudJumper (acquired by NetApp), where his responsibilities included running all aspects of the company’s sales operations, managing and developing an MSP channel and building a world-class sales organization. Max was the director of strategic accounts for Kaseya, where he was recognized four years in a row for sales excellence, winning the Chairman’s Cup for outstanding sales success. Max began his career at USWeb as a founding member of that company’s managed service division. He has also held the position of Senior Architect at IBM. Max holds a BS in Computer Science from American University and an MBA from the University of Maryland – Robert H. Smith School of Business.