To mitigate increasing losses, insurers pursue claims against providers - called subrogation.
Cyber insurance claims are rocketing higher.
And so is the cost of insurance premiums - up 50-100% in many cases!
As much as that increased cost stings, this post isn't about the cost.
Here, we're focused on the risks. Specifically, we're focused on the risks to MSPs and other IT services providers, after the attack.
There's a funny word called "subrogation" that we need to learn some more about.
Subrogation is a way for insurers to recover losses from third parties after they've paid out a claim under an insurance policy. This isn't specific to cyber insurance, but it has weighty consequences for those involved.
Organizations hire Managed Services Providers to take care of all of their IT headaches, security included. One of the frequent drivers of demand for MSP services is the need to obtain cyber security insurance. Those insurance applications have gotten quite tricky to navigate.
Depending on the client agreement, this can give rise to risk for the MSP. And that risk rises as insurance companies pursue subrogation claims.
We'll dive into an example subrogation claim in just a moment, but let's first take a look at some of the security steps insurance companies now require.
All of the above are tools that the MSP manages for the client. And if things go wrong, the MSP could end up in the insurance company's crosshairs.
You run a successful, client-focused MSP. And let's say a thriving local business hires your MSP for full-suite IT and security services. The whole package. That's great! Awesome for business.
Now, you get that client all set up and humming. Things are going swimmingly... until someone in HR falls for a phishing email.
Once the employee opens the door, the attacker launches the ransomware du jour. We don't need to get into the nitty-gritty here, as you've undoubtedly lived this out already!
So we'll fast-forward to after the insurance claim has been paid and systems are all back up and running.
Then you hear from the insurance company's attorneys, with a subrogation claim against your MSP. Getting served any lawsuit is unpleasant. When it's from a deep-pocketed insurance company, it's extra unpleasant.
The insurance company starts asking for records of all your security services at the client at the time of the breach. They want to see if any of the services you were supposed to provide were either not implemented properly or improperly managed.
When they key in on your Security Awareness Training program, they start asking how frequently you phished users at the client. They're now asking about training courses and how and when those were delivered to the client. What content was in there?
Let's just say the insurer's attorneys discover that this hypothetical MSP neglected to actively manage their client's Security Awareness Training program. Naturally, they start pointing at the MSP for failing to provide a required service, per the insurance application and agreement.
This is where subrogation comes into play.
The insurance company can now pursue a subrogation claim against the MSP for its losses from the breach.
That's a bad situation.
So let's avoid it!
INFIMA can help.
When it comes to your Security Awareness Training, INFIMA makes it easy. We provide fully automated Training and Phishing Simulations, and we even include your Employee Security Awareness Training Policy! Confidently hand that right to your insurance company.
✅ User Security Awareness Training
✅ Privacy Training
✅ Phishing Attack Training
You've got enough other things to be doing. We got this.
A note for clarity: we're certainly not attorneys and not insurance professionals, so none of this is legal advice. We're just really good at automating your Security Awareness Training, and we love serving our Partners.