Introduction
In 2017, the NotPetya malware hit a global food manufacturing company. Although the malware was widely attributed to a Russian nation-state attack against Ukraine, it quickly spread to companies around the world.
The attack moved rapidly through the company's infrastructure, rendering nearly 2,000 systems inoperable, affecting some 24,000 laptops, and ultimately costing the company more than $100 million in damages.
Some argue it has since played a significant role in reshaping cyber insurance as we know it today.
Why?
The affected company filed a claim against its traditional property and casualty insurance policy. The insurer denied the claim, arguing that because a nation-state actor was behind the incident it was an act of war, and the policy's war exclusion clause therefore meant the loss was not covered.
This example highlights why it’s important that organizations of all sizes understand their insurance policies and coverages, and more specifically, why MSSP clients need cyber insurance to cover incidents traditional policies won’t touch.
As an MSSP, you likely serve a range of small- and mid-sized businesses (SMBs), many of which struggle to manage cybersecurity controls and can’t meet increasing demands for cyber insurance coverage.
Understanding the nuances of this coverage matters for your own operational resilience, and it should also be part of a larger safety net that supports your clients if they experience a disruptive cyber event.
Why Cyber Insurance Matters
First, what is cyber liability insurance?
Cyber liability insurance covers an organization's losses arising from a range of risks across four areas: security, privacy, service, and operations.
Exactly what these risks are and what they look like vary depending on an organization’s unique characteristics. Unfortunately, many organizations struggle with risk assessments, often overlooking critical risks that lead to inadequate planning and a lack of protection when a cyber breach occurs. This is a place for your MSSP to step up and shine.
So, how can you help your clients apply for their first cyber liability policy or shore up existing coverage?
To begin, evaluate these key areas to assess risk for policy coverage:
Security
- Errors and omissions
- Contractual liabilities
- Aggregation of cyber risk
Privacy
- Network vulnerabilities (malware, ransomware)
- Data breach (PII, PHI, PCI, etc.)
- Confidential data (e.g., CUI, third-party data)
Service
- Consumer-related issues (collection, storage, and usage)
- Regulatory (GDPR, CCPA, NY SHIELD Act, etc.)
Operational
- Technology reliance (automation)
- Cloud adoption
- Enterprise systems (ERP, CRM, billing, scheduling, etc.)
From a risk perspective, your clients should seek coverage that fits their specific operational needs and complements their existing cybersecurity program.
Key Challenges
Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021.
On top of that, cyber insurance application forms are increasingly in-depth, asking for a growing list of requirements before coverage is even considered. A growing number of MSSPs are now stepping up to help their clients complete these applications.
To complicate matters further, each client must think about its own risk posture and appetite, while insurers are still working out which controls actually reduce the losses they see in the wild and aligning their policies accordingly.
Insurers are becoming more aware of your clients' pain points, and the industry is starting to converge on how those risks should be managed, but expect the requirements to keep evolving as the threat landscape expands.
Many small and middle-market clients simply don't have the controls or capabilities that larger, more mature organizations do. Insurers look for best practices to be implemented and actively managed, and those practices are often challenging for SMBs, whether that means building an effective staff training and education program or deploying security controls such as multifactor authentication (MFA). Again, this creates an opportunity for your MSSP to step in.
Even if you're managing larger clients that already have these capabilities, your MSSP will likely still play a role in keeping them current and continuously operating. And it's not enough to say your clients have these controls in place. Insurers now require clients to demonstrate that they're effectively doing what they say they are, even for security controls not listed on the cyber insurance application.
Demonstrating Maturity
If you’re managing your clients’ controls and frameworks via spreadsheets and word processing documents, it can be incredibly difficult to demonstrate program maturity, especially in real-time, and especially in multi-tenant environments where you’re handling security for a range of diverse clients.
If you haven’t done so already, adopting a SaaS-based cybersecurity framework management platform can help. With a cybersecurity management solution, you can see exactly where your clients are in framework implementation, can get insight into more than one framework at a time, and you can crosswalk multiple frameworks simultaneously.
If you manage multiple frameworks that each satisfy different parts of the insurance requirements, this type of platform keeps all of that data in one place, with visibility down to individual controls and sub-controls. You can also export data about controls and frameworks from the platform to submit with your clients' cyber insurance applications.
The benefit? If your clients can demonstrate to their insurer that they're meeting its requirements and more, they may get broader coverage, more exposure to carriers, and potentially additional discounts or services, all because they can prove they're effectively doing what they say they are.
In fact, if your clients want the opportunity for better coverage and potentially better rates, they shouldn't wait until an insurance application lands to think about what they need to do.
The better approach is to have the answers ready long before an insurer mandates security requirements. If you use a cybersecurity management platform for your clients, you can quickly pull together the data needed to demonstrate what they're doing and answer any additional security questions that come up along the way.
Remember, you should always take into account the capabilities the insurer requires, but never rely on that list alone as the measure of adequate and appropriate protection.
Being Prepared
While your clients may consider implementing specific controls or frameworks to obtain cyber insurance coverage, the reality is these requirements are often core elements of a mature cybersecurity program.
Your MSSP can play a role in helping clients develop stronger compliance practices and a better understanding of cybersecurity preparedness by focusing on six key areas:
Incident response
- Has your client established proper incident response protocols?
Training
- Has your client established proper education and training protocols?
Vendor management
- How does your client conduct appropriate levels of due diligence on its vendors?
Governance and risk assessments
- Have you evaluated your client’s cybersecurity risks? What is the client’s level of awareness and communication?
Access rights and controls
- How does your client manage controls onsite and offsite related to access to systems and data?
Data loss prevention
- How does your client monitor outbound communication and data at rest, in transit, and in use?
7 Key Security Controls Your Clients Should Have
Cyber insurance is not a one-size-fits-all solution. Your clients will need to consider many factors including size, risk tolerance/posture, industry, and other specifics.
While different insurers require different security controls to obtain and maintain coverage, these seven controls show up on most applications and are worth having in place regardless:
- Multifactor authentication (MFA)
- Network segmentation/segregation
- Backup and recovery strategy
- Endpoint detection and response (EDR)/malware prevention
- Sender Policy Framework (SPF) records for email authentication
- Remove or secure Remote Desktop Protocol (RDP)
- End-user security training
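Most of the controls above are verified by asking for evidence, but the SPF item is one an MSSP can check mechanically, and a published record that is merely present is not the same as one that is effective. The following checker is an added example, not code from the article or from Apptega: it applies the RFC 7208 rules that matter in practice (exactly one record, a terminal "all" with a qualifier that actually rejects spoofed mail, at most 10 DNS-lookup terms, no unreachable mechanisms) to TXT records supplied inline, so it runs offline. The domain names and records in it are constructed sample data; to audit a real client you would feed it the TXT records returned by a DNS resolver.

```python
"""Audit SPF records the way an insurer's questionnaire implicitly expects.

Added example (not from the original article). Works on TXT records passed in
as strings, so no DNS lookups are performed; the sample data below is constructed.
"""

# Terms that each cost a DNS lookup under RFC 7208 section 4.6.4; more than 10 is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value, is_modifier) tuples.

    Returns None if the record is not SPF at all (no leading 'v=spf1' tag).
    A mechanism with no explicit qualifier defaults to '+' (pass), as in the RFC.
    """
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:
            # Modifier, e.g. redirect=_spf.example.net or exp=explain.example.net
            name, value = term.split("=", 1)
            terms.append((qualifier, name.lower(), value, True))
        else:
            # Mechanism, e.g. ip4:192.0.2.0/24 or include:_spf.example.net or all
            name, _, value = term.partition(":")
            terms.append((qualifier, name.lower(), value, False))
    return terms


def check_spf(record):
    """Return a list of findings for one SPF record; an empty list means it looks sound."""
    findings = []
    terms = parse_spf(record)
    if terms is None:
        return ["not an SPF record (no v=spf1 version tag)"]

    names = [name for _, name, _, _ in terms]
    lookups = sum(1 for name in names if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")

    all_terms = [t for t in terms if t[1] == "all"]
    if not all_terms and "redirect" not in names:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    for qualifier, _, _, _ in all_terms:
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: receivers will not reject spoofed mail")

    if "ptr" in names:
        findings.append("'ptr' mechanism is deprecated and slow to evaluate")

    # Mechanisms listed after 'all' are never evaluated (modifiers such as exp= are fine there).
    if all_terms:
        first_all = next(i for i, t in enumerate(terms) if t[1] == "all")
        if any(not is_mod for _, _, _, is_mod in terms[first_all + 1:]):
            findings.append("mechanisms after 'all' are unreachable")
    return findings


def check_domain(txt_records):
    """Audit all TXT records published for a domain and return the findings."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; RFC 7208 requires exactly one (permerror)"]
    return check_spf(spf[0])


# Constructed sample data: the TXT records a resolver might return for four hypothetical domains.
SAMPLE_TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
                     "site-verification=abc123"],
    "weak.example": ["v=spf1 a mx +all"],
    "nospf.example": ["site-verification=xyz789"],
    "dupe.example": ["v=spf1 -all", "v=spf1 mx ~all"],
}


def audit_all(records_by_domain=SAMPLE_TXT):
    """Map each domain to its findings, e.g. for an evidence export."""
    return {domain: check_domain(txt) for domain, txt in records_by_domain.items()}


if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, "->", findings or ["OK"])
```

For a real audit, replace SAMPLE_TXT with the TXT records returned by a resolver (for example dnspython's resolver.resolve(domain, "TXT")), and keep the per-domain findings alongside the other control evidence you submit with the application.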
Managing Cyber Insurance With Tech
Even if your clients are not seeking cyber insurance right now, it's a good idea to implement these controls and frameworks today. It will help when they're ready to seek coverage, but more importantly, it may prevent a cyber event in the first place. And as a bonus, they might get better cyber insurance at a better rate.
Using technology to manage cybersecurity programs and cyber insurance requirements is a no-brainer. With the right platform, supported by the right industry experts and advice, you can do this successfully—with fewer resources, even if your clients don’t have a CISO or CTO.
For perspective, think about this: frameworks, controls, and requirements can each be viewed as separate projects, many with hundreds of elements to implement and track. Whether it's something you tackle once or something that needs continuous monitoring, a framework management platform lets you do it more efficiently, with real-time insight into maturity and a look back over time, so your clients can improve communication with their C-suite and key stakeholders and meet their cyber insurance demands with confidence.
Need help breaking down the complexities of cybersecurity by simplifying some of your existing practices? Schedule a custom tour. Learn more on how Apptega can simplify day-to-day cybersecurity and compliance management for your clients.
Watch our latest webinars on cyber insurance to hear from industry experts.