What MSPs Should Know About Cyber Insurance in 2023

By Jennifer Tribe

Admit it, cyber insurance probably isn’t at the top of the list of things you want to talk about.

Premiums are skyrocketing. Insurance companies are making it harder and harder to qualify. There’s ever more paperwork. And the attacks that make cyber insurance an absolute necessity for your MSP business, as well as your clients, keep ratcheting up. It’s enough to make any technology business owner want to tear their hair out.

So, is there any end in sight?

The short answer is yes, the experts say. The cyber insurance market will stabilize … eventually. But we’re probably in for a rough couple of years before that happens. In the meantime, here’s what you need to know to get a handle on cyber insurance in your MSP business.

Insurance Oversold

First, a bit of backstory to understand how we got to this place: insurance companies made some mistakes.

In 2018 and 2019, insurance carriers seemed to be channeling Oprah Winfrey’s famous car giveaway, said Wes Spencer, vice president and channel chief for cyber insurance broker FifthWall Solutions. “All the carriers were like, you get insurance, you get insurance, you get insurance.”

The thinking was that cybercrime was something for big targets such as banks to worry about, not smaller businesses.

Chris Wilkerson, vice president of risk and head of insurance at Blackpoint Cyber, agreed that insurance carriers saw cyber insurance as a massive opportunity to generate revenue, and so they sold as much of it as they could. “It became a bit of a free-for-all to aggregate premium,” he said.

The problem is that the carriers didn’t yet have enough data to price cyber insurance properly, so the strategy was to sell as much of it as possible and hope for the best. In 2020, that strategy blew up in their faces.

“COVID was one of the things that really pushed this up into the stratosphere,” said Spencer. “We see a volume of attacks going up and the cost of those attacks going up.”

Loss ratios – how much an insurance company pays out versus how much they’re offering – jumped to more than 75 percent. For context, a 10 percent loss ratio is considered good. In other words, the insurance companies started taking a bath on cyber policies.

Rising premiums are therefore a sign of insurance companies trying to match their cost to the risk. As long as the risk of cyber attacks remains high, cyber insurance will continue to get more expensive. But there are positive signs that we’ll hit a leveling off point in the next couple of years.

“The carriers are pushing more maturity onto clients and forcing them to do more,” said Spencer.

As companies get their cyber security protocols tuned up, the risk of becoming a victim to cyber attacks goes down. That means fewer insurance claims, which brings loss ratios down for the insurance carriers. Spencer estimates that if the industry can get cyber loss ratios down to 35 or 40 percent, the cost of insurance might stabilize.

Wilkerson also sees the industry trending toward stability. “Once we normalize, we [will] probably have a couple of years of stability,” he predicted. “At some point, we’ll see pricing trend down. I’m confident in that.”

Stricter requirements an advantage

Those increasingly stringent requirements to qualify for a cyber insurance policy will help bring costs down for the MSP and its end users. In the meantime, they’re also a tremendous sales tool for your MSP business. Spencer points out that the security controls the insurance companies are looking for boil down to five things:

  • Managed endpoint detection and response;
  • Segregated and immutable backups;
  • Multifactor authentication everywhere;
  • Vulnerability management, including scanning and updates; and
  • Cybersecurity awareness training and phish testing.

These five controls are something you almost certainly have in your MSP toolkit and can offer clients – and now you’ve got a compelling reason for your clients to buy them.

“Insurance gets to be the bad guy that comes in and says, ‘If you want coverage, you’ve got to do more things than you ever had to do before. You may not have wanted to do them. You may not have thought you had to do them. But if you want insurance coverage, you have to.’ Period, end of story,” Spencer said.

Blackpoint Cyber is also taking the approach of using security controls – in this case, the company’s suite of cyber security products – to manage the cost of premiums. Traditionally a SaaS vendor, Blackpoint recently started an insurance division offering policies to MSPs that use their tools.

Of the cyber policies the company currently holds, data suggests the group “should be producing about $25 million a year in losses, and we’re at zero over the last two and a half years,” noted Wilkerson. That’s a hefty bargaining chip with carriers that have been happy to offer lower premiums for the lower risk policies.

“We’ve collectively as buyers put ourselves in a position to approach the market with what is to the insurer a profitable portfolio,” Wilkerson said. “In doing so, we want to recognize some of that value back, and that’s the mousetrap that we’ve built to get there.”

As a final tip on handling premiums, it’s important to shop your policy to a wide variety of carriers. “The carriers don’t all operate in lockstep,” Spencer said. He has seen carriers quote radically different prices for identical policies – as much as a $15,000 difference in one case.

Don’t be afraid to ask your insurance agent how many quotes they’re getting and to request more. Or, try a broker that has direct access to a wider variety of carriers.

Jennifer Tribe is host of the ‘Workflow for MSPs’ podcast. She serves as director of content at Syncro, an all-in-one RMM, PSA and remote access tool that helps managed service providers run more profitable businesses.