
What Role Does Vulnerability Management Play In Cyber Insurance?

ConnectSecure  |   Oct 12, 2022

The global cyber insurance market is projected to more than quadruple in size over the next few years, from $7.60 billion in 2021 to $36.86 billion in 2028, according to Fortune Business Insights.

The rapid rise of this relatively new industry has notable implications for managed service providers (MSPs), particularly those that serve small to medium-sized businesses (SMBs). While larger organizations were quick to acquire cyber insurance as the threat landscape began to grow more volatile, SMBs are now first in line to seek coverage.

In this post, we’ll break down why this development matters to MSPs. Specifically, we’ll explain the role vulnerability management will increasingly play in your quest both to earn new business and to retain the trust of current clients as insurers put their cybersecurity practice under the microscope.

Market dynamics fuel cyber insurance demand

Breaches take financial toll

First of all, consider the cost of a data breach to an organization. The 2021 Verizon Data Breach Report found the median cost to be $21,659, although most organizations can expect that amount to rise as high as about $650,000.

WFH grows attack surface

As the cost has gone up, so have the threat levels that organizations of all sizes face. Few developments have increased the potential attack surface as much as the new work-from-home economy. When pandemic restrictions left millions of people no choice but to log in from their home devices, hackers initially acted as if they were attacking enterprise systems. Now, ComputerWorld notes, hackers have changed strategies to invade home networks as they try to access the company.

Attacks on web applications now account for 39% of all breaches, the Verizon report shows.

“The COVID-19 pandemic has had a profound impact on many of the security challenges organizations are currently facing,” said Tami Erwin, CEO, Verizon Business, in a statement. “As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures.”

Onslaught of threats

The impact of the WFH trend is only the latest security challenge that organizations have had to tackle. In 2019, ransomware attacks picked up sharply. In 2021, multiple software supply chain incidents caught companies off guard. To mitigate the fallout from future attacks, organizations are increasingly turning to cyber insurers for protection. The share of insurance companies that offer cyber insurance has increased dramatically in recent years, from 26% in 2016 to 47% in 2020, according to the U.S. Government Accountability Office (GAO).

Premium costs are rising

But increased demand, coupled with an increasingly volatile threat landscape, has resulted in costlier policies. In the past few years, premiums have seen a 25% average increase and a growing number of exclusions, according to the Top Cybersecurity Threats for 2022 report by Forrester, the market researcher. At the same time, the report notes cyber insurance firms have tightened the underwriting process and ramped up scrutiny of policyholders and applications.

This is where MSPs have an important role to play in helping their customers a) meet the stringent security requirements to obtain coverage, and b) strengthen their overall security posture. As the report authors note, “cyber insurance does not substitute for proper security controls.”

Why MSPs can leverage vulnerability management to appeal to SMBs

SMBs need IT partners to meet insurance criteria

Insurance carriers require policyholders to meet certain compliance and audit criteria to qualify for cyber coverage. And, as stated above, the criteria are getting consistently more rigid as carriers try to minimize their risk exposure. Applicants, in turn, under pressure to deliver during the due diligence process, need an expert partner to lean on — and the natural choice is their MSP.

In other words, managed service providers are uniquely positioned to facilitate their SMB clients’ interaction with cyber insurers. An MSP can help them fulfill a number of critical requirements, such as vulnerability management, configuration management, and Active Directory monitoring and management.

MSPs, armed with the right tools, have the ability to relay important information to the customer during this often complex and stressful process. This is a critical feature for MSPs that vie for the business of companies most likely to acquire cyber insurance — primarily those that create, store, and manage electronic data online, such as customer contacts, customer sales, PII and credit card numbers.

Identifying vulnerabilities before they become breaches

To repeat Forrester’s observation, relying on cyber insurance alone is a threat to the organization. The research firm’s analysts say senior leaders and boards are just now learning what security leaders have stressed all along: an insurance policy must be paired with a risk mitigation strategy and investment in security program maturity.

Again, this dynamic opens an opportunity for MSPs to add vulnerability management as a cornerstone offering. An MSP that can identify vulnerabilities and eliminate them with a structured, proactive program that reduces the threat from potential attack vectors will significantly boost a customer’s security posture. This helps organizations stay ahead — to the largest extent possible — of new and emerging threats that some policies may not even cover.

MSPs can also benefit from building up their own defense and response protocol. With their own house in order, so to speak, they protect the end customers. The MSPs reap the benefits of assessing their own cybersecurity practice — and remediating any vulnerabilities — while assuring their customers enjoy the same optimal protection.

Summing up

As the threat landscape is bound to get even more complex, organizations will turn to cyber insurance for an added layer of protection. MSPs can position their customers for coverage and, more importantly, introduce vulnerability management to fortify their cybersecurity practice and help them thrive in the face of rising attacks.

