The managed IT space is experiencing tremendous growth, mostly because businesses of all shapes and sizes are leveraging IT solutions that they cannot or do not want to purchase, deploy, and maintain on their own. However, the rapidly expanding industry has caught the attention of cybercriminals and state-sponsored hackers. In a survey of office equipment dealers and MSPs conducted by BPO Media & Research, almost 53% of respondents said that they had been subject to a ransomware attack. Surprised at how high that is? If anything, it seems a bit low. We stopped asking that question this year because it is so commonplace, and no longer a useful statistic for analysis.
Hackers — from your run-of-the-mill ransomware gang all the way up to nation-state actors — love to target MSPs because they can break into one organization to access many. Why steal the keys to one castle when they can steal all the keys to all the castles with the same amount of effort? And because MSPs tend to have a few different types of clients, hackers can easily target several organizations of a certain type — let’s say healthcare providers, financial institutions or even government agencies — through a single point of entry. To an ambitious criminal, MSPs are a catalog of victims.
Hackers like to target MSPs so much, in fact, that in June 2020 the U.S. Secret Service had to issue a warning to private and government organizations about the increasing number of attacks on MSPs. The previous fall, a report released by Armor, a U.S.-based cybersecurity firm, detailed how hackers were able to gain access to 13 MSPs and cloud-based service providers and distribute ransomware to their customers. Many of those firms had customers in the IT or healthcare space, with others in legal, accounting, and payroll services.
The last few years have been a learning experience, with many of those lessons learned the hard way, creating a greater awareness of cybersecurity’s importance. Businesses are deploying new solutions, hiring penetration testers to identify unknown vulnerabilities, and implementing best practices to ensure their data is secure. But any cybersecurity expert will tell you that “there is no such thing as 100% secure,” and “you’re only secure until you’re not.” When you have exhausted all efforts to prevent a catastrophe and a catastrophe strikes nonetheless, there is insurance.
The problem is many policyholders don’t know what their insurance policy does and doesn’t cover. In a survey of CFOs and other financial senior executives conducted by commercial property insurer FM Global, 70% of respondents “believe that their insurer would cover most or all of the losses their company would incur in a cyberattack,” even though in reality, many of the losses they foresee are ones insurance rarely covers. More specifically, they believe insurers would make them whole for things like “degradation of the company’s brand/reputation, increased scrutiny from the investment community, decline in revenue/earnings, introduction of regulatory compliance problems, or decline in market share/share price.”
It is not uncommon for traditional business liability insurance policies to have language that excludes coverage of cybersecurity risks. But just because traditional insurers wouldn’t cover these incidents, that doesn’t mean that cybersecurity risks are simply uninsurable.
Cybersecurity insurance: What it is and what it is not
Functionally, cybersecurity insurance isn’t much different from other traditional insurance products. It simply addresses the specific risks associated with IT infrastructure, information privacy, and information governance liability, and protects policyholders from the damages/losses incurred as a result of a cybersecurity incident, such as a data breach, business interruption, and/or network damage.
Cybersecurity insurance policies are sold as standalone or packaged into existing policies. Cybersecurity insurance providers wrote $1.11 billion in premiums for standalone coverage in 2019, while packaged premiums totaled $915 million. What’s the difference?
A standalone insurance policy is purchased separately and built specifically for cybersecurity incidents. Standalone cybersecurity insurance policies offer more protection, both in what is covered and how much is paid out. Of course, with a wider spectrum of coverage and higher payouts, premiums for standalone policies are higher than those packaged together with general business liability insurance policies. If your business is reliant on IT systems — which is the case for dealers and MSPs — then you might want to take a good look at a standalone cybersecurity policy that addresses all the risks that come with managing the IT infrastructure for hundreds of businesses.
Packaged policies don’t offer the same protection as a standalone policy in either the scope of coverage or the amount that the insurer will pay out on a claim. Of course, policyholders don’t pay as high a premium as they would with a standalone policy. Packaging cybersecurity protection into an existing policy is a good idea for businesses with lower risk profiles.
Whether they’re packaged or purchased as a standalone policy, cybersecurity insurance products come in three forms: first-party, third-party, and “silent cyber protection.” It’s important for policyholders to understand how these different packages work, who they cover, and what incidents they cover. Here is a breakdown:
First-party coverage protects a business from the costs, damages, and inconvenience created by a cybersecurity incident, such as when someone steals data from your business, a DDoS attack shuts down your online marketplace, or ransomware holds your data hostage. It can also cover the costs of incident response, forensic analysis, and data restoration.
Third-party coverage is similar to that of medical malpractice insurance. Third-party coverage protects businesses from harm that they’ve caused to their customers, partners, vendors, or other stakeholders from outside the company. Some specific examples of what a third-party policy may cover include litigation and regulatory damages (costs associated with court judgments, lawsuits, and fines), notifying customers that there was a breach, and purchasing credit monitoring services for customers whose data was stolen.
Silent cyber coverage isn’t much different from a third-party coverage plan, functioning as an extension to a business’ general liability/property and casualty policies that would not cover cybersecurity incidents. As an example, let’s say the computer system at a shipping port is infected with malware and no one can use any of the software that delegates which trucks pick up which shipping containers. If the contents of those containers were perishable or needed to be delivered by a certain date, some property and casualty policies may have a clause stating that the insurer is not responsible for damages created by cybersecurity or IT issues. That could mean losses resulting from damaged goods or failing to deliver a good in accordance with a contract would have to be borne by the shipping port’s operators. But with silent cybersecurity coverage, the shipping port would be protected from those damages.
Some insurers will bundle different coverage policies. Take note that the policies described above vary in which incidents they cover, and a given policy may cover some, all, or none of the scenarios mentioned here – take the time to understand your own risks and which policies address those risks.
Knowing what cybersecurity insurance is not is just as important as knowing what it is. For one, cybersecurity insurance is not a cybersecurity strategy. Rather, it is a single component of a complete strategy — one you should hope to never use — that doesn’t make you any more impervious to attacks or accidental disclosures.
Cybersecurity insurance is also not simple. Standardized, comprehensive policies are not the norm, which is largely a function of the immaturity of the cybersecurity insurance market as well as the unpredictability of future incidents. For example, the home and auto sectors of the insurance industry can leverage a treasure trove of historical data, whereas the relatively new cybersecurity insurance industry has very little to go by. The first cybersecurity insurance policy was signed in 1997, while auto and home insurers have existed for more than a century. What’s more, the data that car and home insurers can harvest is more reliable in calculating the risk for a given policyholder. Unfortunately for cybersecurity insurance providers, yesterday’s attacks don’t tell us much about tomorrow’s, and it’s difficult to tell if one business is more of a security risk than another. Instead, cybersecurity insurance providers rely on less reliable methods for assessing risk and calculating prices. The potential scale of a single hack further complicates what is and isn’t covered now and in the future. As just one example, epic global mayhem was caused by the NotPetya malware, a single attack that impacted tens of thousands of computers across the globe.
No matter how much you spend on cybersecurity insurance, it’s probably a lot less than absorbing the full cost of dealing with the results of being hacked. The Ponemon Institute’s annual Cost of a Data Breach Report shows the global average cost of a data breach in 2020 is $3.86 million, and in the U.S., the most expensive country, the average cost more than doubles to $8.64 million. Such a blow is a death sentence for some businesses.
Hackers attack thousands of times a day, every day. Even with the right protections in place, there is no such thing as “100% secure.” Eventually, one of those hackers is going to find and exploit that bad configuration or unpatched software, or pull off a clever phishing or social engineering scam. Don’t wait until that happens – now is the time to determine what your liability will be and if cybersecurity insurance is something your business needs.