Cybersecurity consultants and MSPs look after multiple customer environments, and implement steps to keep them running at peak performance and safe from cybersecurity threats. But what kind of business insurance should you be looking for as an MSP?
What is business insurance?
The idea behind business insurance is the same as with any other kind of insurance policy. You hope you never have to use it, but you pay a small amount each month so that, if something goes wrong, you don’t have to pay the costs out of your own pocket.
In the case of business insurance for MSPs, we’re often talking about an action by you or your technicians that the customer can call negligent and that leads to them suffering harm, whether that’s lost business or a preventable cyberattack.
How can MSPs and cyber-consultants limit risk?
As an MSP, you may or may not be responsible for cybersecurity, but you will always have control over assets and network credentials such as usernames and passwords. You will also have access to performance data and network information that could signal a cyberattack or a system failure, so it’s not surprising that customers will turn to you for an explanation if something goes wrong. When SMBs that use MSP services were asked, 69% said they would hold their MSP accountable at some level in the event of an attack, and 74% would take legal action against them.
That’s why it’s so important to set up several lines of communication and defense, and this starts before your customer even signs on the dotted line. As soon as you sit down with a prospect, and you’re having an initial conversation about their needs, communicate to them exactly what services you offer, and which you don’t.
For example, if security services like anti-malware or anti-ransomware incur an additional fee, make that clear. If you don’t offer any protection against compliance risk, lay that out in this initial interaction, and then, of course, write it down in your contract.
Many MSPs remember to outline all the services they do offer in their contracts, but forget to state what is out of scope.
What if I do include cybersecurity, but the customer doesn’t want it?
You might find that you engage with customers who prefer to handle their cybersecurity in-house. Perhaps they have their own team, or maybe they don’t want to spend the extra dollars each month on your cybersecurity bundle. In this case, you need to ensure that the customer has provided written agreement that you are not liable in case of an attack.
The easiest way to do this is by providing them with a waiver to sign. This is documentation recording the decision: that you offered cybersecurity services and explained the risks of turning them down, and that the business still declined. While some customers might still argue that you were negligent, a waiver provides cast-iron proof, admissible in court, that your business should not be held accountable.
Some MSPs and cybersecurity consultants may believe this isn’t enough. We’ve heard many customers saying, “It’s the full-service stack or nothing.” This attitude is understandable, as a single customer with lax security measures could well open your whole supply chain up to risk. For many MSPs, if they can’t be given control to manage a customer’s security fully, then they aren’t the right customer for the business. The decision ultimately is up to you.
Business insurance: first and third-party insurance options
Whether or not you choose to manage only customers who sign up for your security services, it’s also important to set up, in the background, your own agreement with an external insurance provider. Broad-service insurance firms will be able to set you up with first-party insurance, which covers risk to your own business, and third-party insurance, which covers you against risk to your customer environments, no matter how many you have or where in the world the customers are based.
Originally, MSPs usually relied on E&O (errors and omissions) insurance. As IT consultants usually came on site to perform work, this was more about protecting technicians against accidents or damage to hardware or physical property. Because E&O insurance doesn’t usually cover remote incidents, it won’t automatically cover cyber risk or system failures caused by human error while remotely managing a customer environment.
Since the interconnected nature of IT environments is the riskiest part of working with customers today as an MSP, this is a critical element to make sure is covered by any insurance that you take on.
What should I check before buying business insurance?
The exact plan that you opt for will depend on contextual factors about your business, such as what industry you’re in, the location of your customers, and your specific risk factors.
However, broadly speaking, before you choose your insurer, ask yourself:
- Are there any specific risks that you need to consider in your industry, such as web skimming for a retail website?
- Are there specific compliance regulations you want coverage for, in case of fines, penalties, or legal action?
- How broad is the coverage that the specific policy provides, and what is the coverage limit?
- What exclusions does the policy detail, and are you sure that these won’t impact you either today or in the future?
- In case of a cyber-attack or an incident, how quickly does the insurer respond, and what is their incident response plan?
From using your Managed Service Agreement, to ensuring you have a waiver in place where necessary, to signing up for comprehensive business insurance, today’s MSPs need to think about liability from day one.
If you’re going to work so hard on security and compliance, you may as well benefit from it! Looking for ways to use compliance regulations to your own advantage?