It’s every MSP’s worst nightmare: you wake up Monday morning to find that one of your clients has been hit by a cyber-attack. After a bit of digging, you realize that the attacker got in through a vulnerability in their anti-virus software, the same product you sold them. Here’s the question: Is this your responsibility? You’d be surprised by how many MSPs don’t know the answer.
The fact is, even if an attack was not your direct fault, as an MSP you can still be held liable for a third-party breach that impacts your customer’s systems or data.
Shoring up your defenses against the unknown can be complicated, but we’re here to walk you through it. Here’s what you need to know.
Cyber Insurance: Who Should Be Buying it?
There are two main kinds of cyber insurance that can limit your risk as an MSP. They’re equally important, but they cover different situations.
Firstly, professional liability insurance is coverage that no MSP should go without. Would a doctor or a lawyer work without malpractice insurance? It’s just not smart business. Even with the best of intentions, cybercrime happens. Attackers are getting smarter, and by some widely quoted industry estimates around 90% of breaches involve human error. Professional liability insurance protects the MSP, and by extension the customer, if the service provider is found to be at fault.
Top tip: Whenever you add a new service offering, make sure to let your insurance provider know.
Secondly, your customers need to have their own first-party cyber liability insurance, which covers losses to their own data and systems regardless of where the incident originates. This could include mistakes made by their own employees where cyber education has failed, ransomware, data breaches or phishing schemes run by attackers, or gaps in third-party solutions such as anti-virus, storage, or cloud services.
How Can I Talk to my Clients About Insurance?
Your customers might ask whether cyber liability insurance is worth the price tag. After all, isn’t protecting their IT systems what they’re hiring you for? Especially with clients who are less tech-savvy, it’s important to make it clear from day one that you’re providing what Webroot calls “layers of defense.” You’re setting up your services, and their own organizational defenses, to give the best possible chance of protection, with each layer as secure as possible. However, you can’t guarantee that a data breach or cybercrime won’t happen, so the final line of defense is ensuring that the damage is minimal if the worst occurs.
It can help to do some of the legwork for your clients, or even to include cyber liability insurance in the package you offer them. This is where you need to be comprehensive, ensuring that the terms of the policy cover any probable claim that could come up. This varies between industries. If your clients work in the medical field, for example, there may be specific losses arising from HIPAA obligations such as breach notification; if they are EU-based, the equivalent is GDPR. Here are a few checklist items that you should make sure your provider covers:
- Every dataset the company holds, including data that was held insecurely at the time of the incident.
- Litigation and defense costs for regulatory action, lawsuits or class actions.
- The cost of forensics and incident response.
- Actions by employees, subcontractors or partners, both intentional and unintentional.
If clients query this line item, reiterate that insuring against cybercrime has the same logic as house insurance or any other kind of cover. It’s a modest charge that you hope never to claim on, but it pales in comparison to the cost of handling a cyberattack.
Would they travel to an unfamiliar destination without travel or health insurance? Almost certainly not, and if they did, they would have only themselves to blame if they fell ill without cover.
Managed Service Agreements: It’s all in the Small Print
Whether or not you choose to make cyber insurance part of the package that you offer your clients, it’s a smart move to limit your liability by requiring the purchase of insurance as a condition of doing business with you. Spell out your expectations in your Managed Service Agreement, stating that the customer agrees to purchase first-party cyber liability insurance from a reputable insurer. It’s also important to include a waiver of subrogation, which prevents the customer’s insurer from pursuing the MSP to recover what it paid out after the customer makes a claim.
You can follow a similar path when it comes to backups. Either offer your customer a backup system for all critical data, for example Acronis, which can be offered through Atera for as little as $0.07 per GB for local storage, or require that they have their own backup in place.
Data loss due to insufficient backups is one of the largest risks a company faces, so it’s important to lay out your terms in black and white. Add to your MSA that hardware and software failures that lead to loss of data are not the responsibility of the MSP, and that the customer is responsible for maintaining a backup of their critical customer and business data. One caveat: if you are the one operating the backup, scope the clause to what you do not manage, since a blanket disclaimer is hard to defend when the backup job you configured is the one that silently failed. Document periodic restore tests either way.
Think about the costs that a cyber-attack might incur, and be specific about what your coverage includes as an MSP, especially if you are on a retainer model where you cover any IT support they might need for a fixed monthly price. Draw your customer’s attention to these at the start, explaining that your coverage does not include items such as the ransom demanded for a compromised device, the time it takes to get systems back up and running after an incident, or the preparation of compliance reports. These will be charged above and beyond the usual agreement, at your usual hourly rate.
Top tip: Don’t dwell on the negative! Offset this conversation by explaining that if customers set up their systems to follow best practices for security, storage and backup, including the right employee education, the company is far less likely to ever need to pay a ransom or handle the fallout of an attack.
Three Use Cases for MSA and Cyber Insurance
Let’s take a look at three likely kinds of cyber-risk, and how the actions proposed above can protect you and your customer.
A third-party supplier is breached
According to Gartner, a cyber attack costs an average of $700,000 more when a third-party provider is involved. Think about how many cloud services your customers engage with on a daily basis, from email and file sharing or storage, to videoconferencing, VoIP, or payment services. If an attack happens through a third-party system, your customer may still consider you liable as their MSP, especially if you recommended and installed the software.
In this scenario you are covered three ways. Firstly, you’ve covered yourself contractually by stating that third-party software failures are not your responsibility. Secondly, your customer has first-party cyber liability insurance that covers incidents originating in the wider supply chain. Lastly, you have your own professional liability insurance for peace of mind.
A ransomware attack from a bad actor
One widely quoted industry forecast predicted that by 2021 a new organization would fall victim to ransomware every 11 seconds. If your customer is unlucky, they might well turn to you and expect you to handle the incident as part of your retainer agreement. This is why it’s so important to have the terms for a ransomware attack outlined in your contract.
Defuse the situation by making sure that you’re ready for this ahead of time. Your client will have already agreed to pay you hourly for your work on the attack, cyber liability insurance will cover the customer’s costs for compromised machines (subject to the policy terms), and a required backup means your customer can restore their data rather than pay the ransom, provided the backups are isolated from the production network so that the ransomware cannot encrypt them as well.
Your customer has a systems outage
In this scenario, your client loses data when their on-premises systems fail. Have you worded your contract carefully enough to avoid liability? If you’ve made sure to say that you are not responsible for hardware and software failures, and that your customer is responsible for their backups, you can rest easy. Of course, the damage caused by a systems failure can be made worse by MSP error, such as a slow response or mitigation, and the cost of downtime has been estimated at roughly $5,600 per minute, which works out to more than $300,000 per hour.
In that situation, the client may have a point when they blame you for loss of earnings or a break in business continuity, and you’ll be glad that you invested in professional liability insurance. It can help you compensate the customer for their loss of earnings, show that you’re serious about making it right, and limit the impact on your own bottom line.
Cyber Insurance is More Than Just a Buzzword
Do MSPs need cyber insurance? Yes, and your customers do, too. You can further limit your own liability as a service provider by carefully wording your Managed Service Agreement to protect your business.
In today’s complex threat landscape, new attack vectors appear all the time, and sophisticated threats are impossible to guard against completely. Start as you mean to go on with new clients. Ensure that they have the systems and protections in place to keep their sensitive information secure, and build transparency and trust by explaining the responsibilities and limitations of your partnership from day one.