Q&A: Attorney Eric Tilds on what MSPs should know about cyber insurance
Small to medium-sized businesses (SMBs) are increasingly seeking cyber insurance coverage. As managed service providers (MSPs) try to win and retain the business of their SMBs, they can benefit from understanding the variables at play and how they can leverage this new dynamic to their advantage.
To get the latest on this important topic, we took the chance to chat with attorney Eric Tilds, a nationally recognized and trusted partner of and advisor to MSPs, MSSPs, and SaaS companies. During his combined 20 years at Netarx and then Logicalis, Eric was intricately involved in a host of different legal, employment, compliance, and information security issues.
The founder of TechGC, a full-service law firm specializing in commercial contracting, employment, and data privacy issues for technology companies, he is uniquely in tune with industry trends. In this piece, we queried Eric to get his take on the following:
- The changing landscape for cyber insurance and the role of vulnerability management
- How MSPs should respond when customers ask for help with their applications
- Common pitfalls of helping to fill out an application
- How the rising importance of cyber insurance affects MSPs
- Whether MSPs should require customers to carry cyber insurance
You have said cyber insurance used to be handed out like candy. Can you elaborate on that and how the cyber insurance landscape has changed?
Eric: If you go back 10 years when cyber insurance just started to get a little bit popular, you needed a name, address, and a phone number, and they would give you cyber insurance; you could get the million-dollar policy. Part of that is because no one knew what they were getting themselves into, right? No one knew what the loss ratios were going to be; ransomware wasn't a thing. It was really for data breaches, for hackers, and they would pay out in the event that you had some sort of a breach and it, frankly, just didn't happen very often. Therefore, it was easy to obtain and relatively inexpensive.
Then you fast forward to maybe seven or eight years ago, and people start learning about the pervasiveness of ransomware. It's everywhere and trickling way down — three-person law offices are getting hit. So, now the losses are piling up. And what do insurance companies do? Well, they make it more difficult to obtain a policy by 1) just denying outright, or 2) they start making it very complex to apply. And that's what we're seeing today — it's really difficult to even fill out an application for a cyber liability insurance policy.
In your work with MSPs, what are they concerned about when it comes to this issue?
Eric: So, the problem with the applications, in general, is that they're just hard. When a customer goes to an MSP and says, ‘Hey, I don't know what this means. I don't know what it says. You handle all of my IT, you handle all of my security — here, you fill it out.’
So, that's what MSPs are seeing a lot. In fact, I was on a webinar that discussed this topic, and 98% of the MSPs that were polled said they are reviewing more cyber insurance applications today than they were a year ago.
And the problem is that the applications are difficult. The question may only give you ‘Yes’ or ‘No’ choices but the real answer is neither. So that's where I think the MSPs are struggling. They try to 1) keep up with it, 2) figure out what they're being asked, and 3) keep themselves out of trouble.
My advice to clients is: don't answer it. Get on the phone with their customer’s insurance broker and say, ‘Look, here's the question, and here's the truthful answer. I can only choose Yes or No. What do we do?’ That way, the insurance broker ends up being culpable instead of the MSP.
What are a few of the pitfalls for MSPs when they try to help their customers with cyber insurance applications?
Eric: I think there are two big ones. When an MSP is helping their customer with an insurance application, they're often doing it outside the bounds of their contractual obligations. That means their MSA, the legal agreement between them and their customer, might not apply. If they make a mistake when they're filling out the application — and it happens all the time, whether it's intentional or careless or unintentional — they're not protected by the terms of their MSA. So, we always want the MSP to be protected by their MSA, which contains limitations of liability and disclaimers of warranty and things like that. That's one big category and there's a couple of ways to overcome it.
But the other big category is, let's say, that something does go wrong. And whether or not the MSP’s MSA is in play here, the question is, does the work that they're doing on these cyber insurance applications fall under their own professional liability insurance? Or, is it so far outside of what they told their insurance company they do for their customers, that the insurance company would say, ‘No, I'm not gonna cover you.’ There's a lot of subcategories there, but those are the two big-picture things that I see.
How aware are the MSPs of these pitfalls?
Eric: They're becoming more aware, but most don’t fully appreciate the risk. They don’t know what they don’t know. They’re trying to, out of the goodness of their hearts, help their customers. That's what this industry is all about.
So, when a customer comes to the MSP saying, ‘Hey, can you help?’ They're going to say, ‘Of course, I can help.’ They're not thinking, ‘Hmm, does my MSA apply to this work that I do?’ Or, ‘Does my professional liability insurance cover me when I do things like this?’ They just aren't thinking about that which is why I'm getting out as often as I can to help educate the MSPs on those pitfalls.
In a Blackpoint webinar, you mentioned a scenario where a client had contacted you as they were about to inform their customers of a potential breach. And you told them to hold off and urged them to get a better understanding of the implications. Can you explain what happened?
Eric: In this particular instance it was a software client that reached out, but the same scenario holds true — they didn't know. They didn't know they were supposed to contact their cyber insurance carrier. They didn't know they were supposed to have a breach coach lined up. They didn't know that they should have called me before doing anything. Thankfully, they did but they called me just to proofread a document that they were going to send out to 22 of their customers whose information was in this data breach.
Fortunately, I was able to put the brakes on it but here we are in November and this actually happened over the July 4 weekend. So, it's been four months and this is still not resolved. So, with data breach incidents, it takes a long time to do it, and it's easy to do it wrong. But to do it right is tough.
How can MSPs be better prepared for situations when customers ask them for help? You mentioned that MSPs can help but not do the actual work.
Eric: That's a really big distinction, and there are two ways that they can go about it: First of all, in the category of making sure their MSA applies, the one thing that they can do is just have a statement of work that's between them and their customer for filling out or helping fill out their cyber insurance application. If they don't want to charge their customer for it, so be it.
But the statement of work will clearly lay out who is responsible for what with the application. Something I see lacking, even when MSPs do put some paper in place, is that the statement is too broad or too vague and not specific enough to what they're doing.
The second thing they can do is a little bit easier. If they're providing managed services to a customer, just include in their managed services statement of work that, as a service, we will help you fill out your cyber insurance application. And then it makes sure that it's in the statement of work, and therefore the MSA applies, and therefore, hopefully, they will be protected by their MSA.
How does the rising importance of cyber insurance affect the way that MSPs should go about their business?
Eric: The cobbler's children have no shoes. It's the same thing with MSPs. Sometimes, MSPs are so busy trying to help their customers that they just overlook their own vulnerabilities. I don’t know if the importance of cyber insurance necessarily changes the way they do business, but it might change how they interact with their customers. I highly recommend all of my MSP clients require their customers to have cyber insurance. I'd say about half of them do and half of them don’t. That latter half is afraid to cut off the tail of customers who, for whatever reason, do not want to carry cyber insurance.
But it’s sort of a bellwether, right? If I have a customer that carries cyber insurance, I know they're taking their security posture seriously. And if I have a customer who doesn't carry cyber insurance, then I probably also know that I'm gonna have a tough time convincing them that they should be using MFA (multi-factor authentication) and a tough time convincing them that they should do all these other security postures that will just harden them as they should be hardened.
Not long ago, there was a lack of data that could inform cyber insurance rates. Has that changed or do rates now better reflect the reality on the ground?
Eric: That's a good question. I think we went from one side of the pendulum swing when there was no information and, now, we're kind of on the other side, where the insurance companies have suffered all of these losses. I think we're going to come back to the middle. I think prices will probably come down a little bit and coverage will be a little bit easier to obtain.
I also think the insurance companies, in order to get to that median level, are going to start asking tougher questions and asking to show proof. We have insurance companies buying MSSPs, and they're probably not buying them for financial purposes; they're buying them so that those MSSPs can go into their client base and say, ‘Yes, they're secure’ or ‘No, they're not secure.’
It's one thing to have your MSP customers’ insurance company looking at the work that you're doing as an MSP. I think it's another thing to have the insurance company's internal MSSP looking at the work that you're doing. So, I think there's going to be a lot more justification and many more questions that are going to be asked in order to get to that midpoint in the pendulum swing.
The MSPs that don't require their customers to carry cyber insurance, what kind of risks do they face?
Eric: The risk is kind of an objective risk instead of a subjective risk. If they have a customer that isn't going to carry cyber insurance, then they're not taking their IT security posture seriously, in my opinion, and if they're not taking their posture seriously, then they're going to take more risks.
They're probably not going to engage with the MSP on their security offering. So, now you've got a greater likelihood that your customer is going to be subject to some sort of security incident. And when there's a security incident, there's always risk to the MSP because there's going to be forensics and people are going to be looking for a needle in the haystack and they're always going to be pointing fingers at the MSP. So, as an MSP, if you can have fewer customers who suffer security incidents, it ultimately provides less risk to you as the MSP.
Finally, can you speak a little bit about the importance of having an incident response plan in place?
Eric: Yeah, it's so important. It's as important as insurance. And it's not just important to have it, it's important to exercise it. It’s one thing to spend the time to draft it and then you put it in a drawer and forget about it. That's really easy to do. But, if instead, you're getting it out every six months and you're making sure that it still applies to your business, then you're going to play like you practice. And when you have a real security incident, if you've practiced it 100 times, you're going to manage that security incident just like you practiced it. If you've never practiced it before, then I think you're in trouble.
Thank you, Eric, for participating.