Cyber Insurance Requirements for MSPs
How Axcient automation improves cyber insurability
Despite an 80% year-over-year increase in ransomware, one report found that only 17% of SMBs have enough cyber insurance to cover the average cost of a breach. The same report found that 64% of small business owners were not familiar with cyber insurance at all! As a managed service provider and an IT guide for your clients, you must prioritize cyber insurance for your business.
With that said, qualifying for a cyber insurance policy isn’t what it used to be. Today’s applications can be upwards of 20 pages, requiring fine details about your backup and disaster recovery (BDR) processes, products, vendors, and outcomes. For full cyber insurance coverage at an affordable premium, MSPs need vendors and solutions that deliver business enablement on top of comprehensive business continuity and disaster recovery (BCDR).
In this article, we’re highlighting the benefits of cyber insurance for MSPs, telling you what to do to get it, and showing you how built-in automation significantly simplifies the process.
What is Cyber Insurance?
Generally, cyber insurance, or cyber liability insurance, helps businesses cover financial losses due to cyberattacks or data breaches involving sensitive information. Like any insurance policy, various protections are available based on what you need, what you want to spend, and what the carrier is willing to offer. At the bare minimum, MSPs should get a policy that covers data breaches; cyberattacks on your data, your client’s data, and any data stored with vendors and other third parties; and cyberattacks that occur anywhere in the world – not just in the U.S.
Beyond that, it’s recommended that your policy covers the following:
- Cyber extortion, including ransomware and social engineering.
- Regulatory fines or penalties for being out of compliance or failing to meet standards.
- Media liability and reputation losses after an incident is made public.
- Business interruptions and downtime.
- Breach response and management expenses.
Why Do MSPs Need Cyber Insurance?
Breaches are expensive.
MSPs might not want to deal with cyber insurance applications or premiums without any channel-specific regulatory agency or governing entity. However, like most things, you get what you pay for – and if you don’t pay for insurance, your losses won’t be covered. As a result, regardless of the total costs of your breach, the business is responsible.
The average data breach cost for small businesses (less than 500 employees) increased from $2.35 million in 2020 to $2.98 million in 2021, a 26.8% increase. – Cost of a Data Breach Report 2021
After a disaster occurs, the first call you make is to your cyber liability insurance provider. Acting without their direct advisement could result in denied claims or legal ramifications. Although it depends on your policy, you will most likely be assigned a Breach Attorney or Breach Coach who is invaluable in guiding you through recovery communications from a legal standpoint. You risk opening your MSP to undue liability or litigation without this guidance. Even the smallest misstep matters: the words “breach,” “incident,” and “attack” all carry different legal implications, so using one in place of another can have consequences.
Compliance may require it.
Fortunately, or unfortunately, Cybersecurity Maturity Model Certification 2.0 (CMMC) is introducing new requirements for MSPs handling sensitive data on behalf of the Department of Defense (DoD). MSPs and MSSPs will have to meet the requirements of CMMC in order to work with the DoD. This includes demonstrating proof of regular backup testing, meeting Governance, Risk, and Compliance (GRC) framework needs, and utilizing automation over manual intervention. The federal government is also establishing guidelines that push the use of automation for data protection.
What this probably means for MSPs across vectors is that more regulation is coming. Due to the high data breach costs, the success of cyberattacks like ransomware, and the current lack of security requirements, MSPs should expect the inevitable. Cyber insurance can help MSPs adhere to CMMC standards now and whatever is introduced in the future.
It’s a good look for your MSP.
Furthermore, by meeting the qualifications for cyber liability coverage, your MSP demonstrates a security-first stance with reinforced “what if” protections. Not only does it CYA, but you can leverage it to win new clients and build your relationship with existing clients. To insure something is to value it highly. That’s how clients want their MSPs to think about their business-critical data, so tell them you do, and here’s proof. Be an MSP that exceeds best practices before they become requirements, and you’re always ahead of the game.
“60% of respondents report being hesitant to enter a new agreement with any organization lacking cyber insurance. If you don’t have coverage, you’re not making the shortlist regarding sales or strategic relationships. There’s never been a more powerful reason for getting insurance.” – How Cybersecurity Insurance Provides Protection, 2022
How Do MSPs Get Covered?
It’s no secret that insurance companies are demanding more from SMBs. With the average cost of a breach in the millions, it makes sense that applicants must demonstrate their commitment to cybersecurity via infrastructure best practices. Today’s underwriters are adding new provisions to prevent ransomware and decrease insurance claims.
While the end goal is security, the methods for getting there can be challenging. For example, many policies mandate multi-factor authentication (MFA) on all admin access and privileged accounts in a network environment. To do that, MSPs need to visualize users across security and identity products, which can be difficult to impossible. Art Gross, the CEO of Breach Secure Now!, sees positive implications in stricter insurance policy demands. He says…
“It’s going to force MSPs to implement more security safeguards. It’s going to force their SMB clients to implement the security safeguards that MSPs have struggled to convince them to implement. If you can convince clients they need cyber insurance, it’s the carriers that are going to force clients to implement the right security, or they’re not going to be insured.”
In order for “trickle-down security” to come to fruition, MSPs need to play by the carriers’ rules. There’s a certain level of business enablement required for MSPs to not only meet the demands of cyber insurance policies but to do it without too much strain on your business. Modern BCDR automation empowers MSPs with hands-free productivity, high-visibility reporting, and integrated dashboards that validate the efficiency of your security operations.
Cyber insurance companies favor automation because it delivers best-in-class BCDR with goof-proof proactive controls. Additionally, cyber insurance rewards a modern, consolidated, and efficient stack. With built-in BCDR automation, MSPs can secure a cyber liability policy quickly and at a lower monthly premium than sticking with a legacy solution.
3 Ways Axcient Can Help
As a 100% MSP-only solution provider, Axcient’s BCDR solutions are specifically designed to support MSPs in the channel and your SMB clients. Built on a proprietary Chain-Free backup foundation with built-in automated features, worry-free storage, and secure, long-term retention, Axcient x360Recover was made to get you insured. Here’s how…
#1: Automatic backup integrity testing
AutoVerify is a built-in, always-on backup monitoring and verification feature. No more manually checking backups or suffering “backup burn.” Instead, automate backup checks and prove their health with high-visibility reporting.
- Daily continual backup monitoring and virtualization of the latest backup point for each protected system + proof with Axcient’s Backup History Reports.
- Nightly intelligent adaptive backup VM testing checks bootability, OS health, data corruption, file system integrity, and application usability.
- Accounts for pending updates and prioritizes them for greater test accuracy without exceptions.
- Automatic self-healing response detects backup failures and re-backs up the compromised portion of the data in the next backup.
- Custom alerting and escalation rules route notifications to the assigned parties for follow-up and remediation.
#2: Self-managed cloud disaster recovery
Virtual Office is another built-in, always-on feature that immediately starts virtual machines in the Axcient Cloud of one or more protected devices to replace all impacted systems temporarily. No more downtime! Instead, automate disaster recovery and prove your readiness with disaster recovery testing results.
- Runbooks with the Recovery Wizard provide step-by-step configuration instructions to create an automatic deployment plan for virtualized devices.
- Full-office disaster recovery testing with runbooks proves cybersecurity readiness to cyber insurance carriers and creates opportunities for disaster recovery optimization.
- Automated Virtual Office Teardown automates shutting down test instances based on custom controls to contain usage and make the most of free days in Virtual Office.
- Free for 30 days every year so MSPs can run clients in the Virtual Office to deliver uninterrupted business continuity despite equipment lag times and physical office damage.
#3: Anti-ransomware and data loss technology
AirGap is yet another built-in, always-on feature that separates data deletion requests from the mechanics of data deletion to prevent permanent data loss. No more worrying about ransomware! Instead, lean on automated protections that cyber insurance providers appreciate.
- Honeypots trick bad actors into thinking they’ve successfully accomplished their attack, but it’s just an illusion to send them on their way.
- Human factor controls limit who can create and fulfill data deletion requests within Axcient to a select number of authorized security individuals – no one individual can complete both actions.
- Human two-factor authorization requires audible approval from an authorized MSP representative to Axcient before data deletion requests can be fulfilled.
- Time gaps between when data deletion requests are created, verified, and executed all vary in length to avoid recognizable patterns that bad actors can replicate and exploit.
Modernizing your approach to backup and disaster recovery may seem overwhelming. However, the payout in cyber insurance coverage, regulatory compliance, time-saving automation, and money-saving consolidation is well worth it. Axcient’s comprehensive BCDR solution delivers these benefits alongside robust cybersecurity and responsive support. See how we can help you get covered…
About the Author: Carissa Johnson // Product Marketing Manager, Axcient
Carissa Kohn-Johnson has a background in healthcare technology and information technology, and is now the Product Marketing Manager for Axcient. She has a lot of MSP Channel experience from planning and attending hundreds of conferences and tradeshows, and found her passion in IT. Carissa is also an elected official in Cary NC, a town chock full of technology-forward people. Connect with her on LinkedIn – perhaps you can contribute to the Axcient blog?