Cyber Insurance After The Hack

Cyber insurance claims are rocketing higher.

And so is the cost of insurance premiums, up 50-100% on renewal in many cases.

As much as that increased cost stings, this post isn't about the cost.

Here, we're focused on the risks. Specifically, we're focused on the risks to MSPs and other IT services providers, after the attack.

There's a funny word called "subrogation" that we need to learn some more about.

Subrogation is a way for insurers to recover losses from third parties after they've paid out a claim under an insurance policy. This isn't specific to cyber insurance, but it has weighty consequences for those involved.

Why does this matter for MSPs?

Organizations hire Managed Services Providers to take care of all of their IT headaches, security included. One of the frequent drivers of demand for MSP services is the need to obtain cyber security insurance. Those insurance applications have gotten quite tricky to navigate.

Depending on the client agreement, this can give rise to risk for the MSP. And that risk rises as insurance companies pursue subrogation claims.

We'll dive into an example subrogation claim in just a moment, but let's first take a look at some of the security steps insurance companies now require.

  1. Patching - keeping all systems on current software updates. This seems easy, but it so often isn't. Unpatched, internet-facing systems are a wide-open door for attackers.
  2. Backups - keep solid, tested backups, with at least one copy kept offline or otherwise out of reach of an attacker who has the network. You don't ever want to have to use them, but you'll be thankful you've got them if you are ever hit with ransomware.
  3. Password Policy and MFA - enforce strong, unique passwords (a password manager makes this practical) and require multi-factor authentication, especially for email, remote access and administrative accounts.
  4. Anti-Virus - this one kind of seems obvious. You need endpoint protection (AV or, increasingly, EDR) on every managed device, with alerts someone actually watches.
  5. Privileged Access Management - administrative rights and access to sensitive data should be granted only to the people who need them, only for as long as they need them, and through separate admin accounts rather than everyday user accounts.
  6. Security Awareness Training - saving the best for last here. A large share of successful attacks start with an attacker fooling one of your employees, usually by phishing.

All of the above are tools that the MSP manages for the client. And if things go wrong, the MSP could end up in the insurance company's crosshairs.

How about an example

You run a successful, client-focused MSP. And let's say a thriving local business hires your MSP for full-suite IT and security services. The whole package. That's great! Awesome for business.

Now, you get that client all set up and humming. Things are going swimmingly... until someone in HR falls for a phishing email.

Once the employee opens the door, the attacker launches the ransomware du jour. We don't need to get into the nitty gritty here, as you've undoubtedly lived this out already!

So we'll fast forward to after the insurance claim has been paid and systems are all back up and running.

Then you hear from the insurance company's attorneys, with a subrogation claim against your MSP. Getting served any lawsuit is unpleasant. When it's from a deep-pocketed insurance company, it's extra unpleasant.

The insurance company starts asking for records of all your security services at the client at the time of the breach. They want to see whether any of the services you were supposed to provide were either never implemented or not managed the way the agreement and the insurance application said they would be.

When they key in on your Security Awareness Training program, they start asking how often you sent simulated phishing emails to users at the client, and to which users. Then they ask about the training courses: what content was in them, and how and when each one was delivered to the client's employees. In other words, they want dated evidence, not a description of the service.

Let's just say the insurer's attorneys discover that this hypothetical MSP neglected to actively manage their client's Security Awareness Training program. Naturally, they start pointing at the MSP for failing to provide a required service, per the insurance application and agreement.
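The questions above all come down to one thing: can the MSP show, per user and per date, that the training and phishing simulations actually happened on the agreed schedule? The script below is an added example (not code from the original post or from INFIMA) that runs that check over a constructed set of training records. The user list, the dates, the breach date and the policy thresholds (a simulated phish at least every 90 days, training completed within the last 365 days) are all assumptions made up for the example; substitute the real records and the cadence your client agreement actually promises.

```python
from datetime import date, timedelta

# Constructed sample records for one hypothetical client (not real data).
# Each entry is (user, date): the date a simulated phish was sent to that user,
# or the date that user completed a training module.
BREACH_DATE = date(2022, 6, 15)  # assumed date of the incident
USERS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
    "dan@example.com",
]
PHISH_SIMS = [
    ("alice@example.com", date(2022, 1, 10)),
    ("bob@example.com", date(2022, 1, 10)),
    ("carol@example.com", date(2022, 1, 10)),
    ("alice@example.com", date(2022, 4, 12)),
    ("bob@example.com", date(2022, 4, 12)),
    # carol was skipped in April; dan (a new hire) was never enrolled at all
]
TRAININGS = [
    ("alice@example.com", date(2021, 9, 1)),
    ("bob@example.com", date(2021, 9, 1)),
    ("carol@example.com", date(2020, 11, 5)),  # stale: well over a year old
]

# Assumed policy thresholds; use the intervals your client agreement promises.
PHISH_DAYS = 90
TRAINING_DAYS = 365


def days_since_last(events, user, as_of):
    """Days between the user's most recent event on or before `as_of` and `as_of`.

    Returns None if the user has no event on record up to that date.
    """
    dates = [d for u, d in events if u == user and d <= as_of]
    if not dates:
        return None
    return (as_of - max(dates)).days


def evidence_gaps(users, phish_sims, trainings, as_of,
                  phish_days=PHISH_DAYS, training_days=TRAINING_DAYS):
    """Return {user: [gap descriptions]} for every user whose record, as of
    `as_of`, would not satisfy the assumed policy. Users with a clean record
    are omitted, so an empty dict means the evidence is complete."""
    gaps = {}
    for user in users:
        problems = []
        p = days_since_last(phish_sims, user, as_of)
        if p is None:
            problems.append("never sent a simulated phish")
        elif p > phish_days:
            problems.append(f"last simulated phish {p} days before {as_of} (limit {phish_days})")
        t = days_since_last(trainings, user, as_of)
        if t is None:
            problems.append("no training completion on record")
        elif t > training_days:
            problems.append(f"last training {t} days before {as_of} (limit {training_days})")
        if problems:
            gaps[user] = problems
    return gaps


def campaign_count(phish_sims, as_of, window_days=365):
    """Number of distinct simulation campaign dates in the window ending at
    `as_of`. This is the 'how often did you phish them' number an insurer asks for."""
    start = as_of - timedelta(days=window_days)
    return len({d for _, d in phish_sims if start < d <= as_of})


if __name__ == "__main__":
    print(f"Phishing campaigns in the year before {BREACH_DATE}: "
          f"{campaign_count(PHISH_SIMS, BREACH_DATE)}")
    report = evidence_gaps(USERS, PHISH_SIMS, TRAININGS, BREACH_DATE)
    if not report:
        print("No evidence gaps found.")
    for user, problems in report.items():
        for problem in problems:
            print(f"{user}: {problem}")
```

Run against the constructed records, the report shows two campaigns in the year before the breach and flags carol (phished in January but not April, training nearly two years old) and dan (never enrolled in either). Those are exactly the rows opposing counsel would put in front of a judge, so the time to run this kind of check is every month against every client, not after the subpoena arrives.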

This is where subrogation comes into play.

The insurance company can now pursue a subrogation claim against the MSP to recover what it paid out on the client's claim, arguing that the MSP's failure to deliver the agreed service contributed to the loss.

That's a bad situation.

So let's avoid it!

INFIMA can help.

When it comes to your Security Awareness Training, INFIMA makes it easy. We provide fully automated Training and Phishing Simulations, and we even include your Employee Security Awareness Training Policy! Confidently hand that right to your insurance company.

✅ User Security Awareness Training
✅ Privacy Training
✅ Phishing Attack Training

You've got enough other things to be doing. We got this.

If you're an MSP and want to learn more, go check out how we Partner with you here. If you like what you see, book a time to chat!

A note for clarity: we're certainly not attorneys and not insurance professionals, so none of this is legal advice. We're just really good at automating your Security Awareness Training, and we love serving our Partners.

Photo by Sarah Agnew on Unsplash