First, it’s necessary; second, it’s extremely complex.
Cyber insurance is a must for any office technology dealer or managed service provider (MSP) offering managed IT services, whether or not cybersecurity is included in those services. With cyber threats such as ransomware, supply chain attacks, and zero-day vulnerabilities on the rise along with the emergence of artificial intelligence, it’s no wonder that Joseph Brunsman of The Brunsman Group observed, “The demand for cyber insurance is going up every year.”
Brunsman, a former IT professional with a law degree, is an authority on cyber insurance and IT. He advises clients on insurance issues and even has a YouTube channel dedicated to cybersecurity. His expertise lies in guiding clients through the intricate cybersecurity landscape. “A successful year for you is when I talk to you once and take your money,” he quipped. “A bad year for you is when we’re talking twice because you’re having a really bad day, and it’s probably about to get worse.”
No Cyber Insurance = No Good
What happens if an IT provider doesn’t have insurance? “If you didn’t have insurance, there’s a good chance you probably didn’t have contracts either,” said Brunsman about a common occurrence with small MSPs. “Then, it’s about to get really bad. Trying to defend an MSP in court is near impossible.”
The best-case scenario is trying to get the case dismissed in the very early stages. This, according to Brunsman, could cost $20,000 to $30,000. “That’s if you did nothing wrong and could prove it,” he emphasized. “Trying to defend technology claims is ridiculously hard. The biggest problem with technology claims is that they’re just so technical.”
One of the challenges with technology claims is how judges and juries perceive those in the tech field. “People assume that someone who knows something about technology knows everything about technology,” observed Brunsman. “I get it because I’m a nerd. I was an IT guy. I got my bachelor’s in robotics. I love technology. But to bank your defense on, let me tell you about firewall configuration and implementation; that’s not going to work. If you don’t have insurance, you’re paying a lot, feasibly, if you did nothing wrong, which is very hard to prove you didn’t from a technology perspective. There’s always something more you could have said, something more you could have done, a different vendor you could have utilized. Then, it’s up to the attorneys, but you might wipe out your business or declare bankruptcy.”
Where to Start with Cyber Insurance?
Where should office technology dealers begin their cyber insurance journey? The starting point is Technology Errors & Omissions (E&O) insurance, also known as professional liability insurance. This type of insurance addresses professional negligence, errors, or omissions related to technology services or products provided by a business. It also includes cyber liability insurance, which addresses legal costs when a client sues over a breach and focuses on third-party claims related to the breach at the client’s business.
Generally, the contracts that go hand in hand with cyber insurance are basic MSAs (managed service agreements) and SLAs (service level agreements). “An MSA is a basic contract, which is here’s who we are, this is what we’re doing, this is what we’re not doing, and this is what happens if there’s a dispute,” explained Brunsman. “These are the responsibilities of both parties. MSAs look technical, but it’s just a basic contract. The SLA clarifies the services provided by the MSP. That’s probably nothing different than what the [office technology] industry has been doing for a long time.”
Cyber insurance is also critical for the dealer’s or MSP’s clients. “Hopefully, your clients have cyber insurance; if not, I highly recommend you put that in the contract that they’re supposed to carry it,” said Brunsman. Cyber liability insurance protects against data breaches on the policyholder’s system; covers first-party costs, including investigating breaches, notifying customers and regulators, crisis management, credit monitoring, and reputational costs; and covers customer claims resulting from data theft or breaches on the policyholder’s network.
The Complexities of Cyber Insurance
Brunsman describes cyber insurance as one of the most technical fields of insurance. As a result, it looks scary to many people. That’s because there are so many gray areas and variables regarding what types of controls should be in place. “When the tech guys come to me and say, why aren’t the insurance companies requiring X, Y, Z controls? It’s because they don’t know in a mathematical sense what that ultimately does,” said Brunsman. “That’s why you see two kinds of phenomena in the marketplace. On the one hand, you’re seeing a super short application with five questions. It’s like, what industry are you in? How much revenue do you make? What’s your address? And then a short, external vulnerability scan [i.e., risk assessment]. Or you see this laundry list application. The first company is going, none of these matters, and the other guys say, we have to figure this out. We must build up our own data sets, so we will ask every question possible.”
Sometimes Brunsman understands why insurance companies mandate that certain controls be put in place and require the dealer or MSP to do X, Y, and Z. “And many times, I don’t understand where the requirement is coming from,” he acknowledged.
“The underwriter can’t verbalize to me why they’re doing it. Sometimes, it’s a shot in the dark. And the big brains of the insurance companies are saying, let’s look at our data set. In this industry, with this size of the client, these guys got hit, but these guys didn’t. Okay, why? These guys had EDR [endpoint detection and response]; those guys didn’t. But then it’s like, what else didn’t they have?”
When asked what can be excluded within those contracts, he responded, “I have a law degree and don’t want to sound like an attorney, but the answer is, it depends. It depends on the state where the venue of the dispute is. Everybody is trying to say basic things like, we’re not going to be held responsible if some third-party vendor goes down, and because of that, you’re impacted. It’s debatable whether that’s an enforceable contractual element because a plaintiff’s attorney could turn around and say, well, you are the one who picked the software.”
He added, “At the very least, you have vicarious liability as opposed to direct liability. We’re starting to see more in terms of, let’s say, AI where it’s like, we have no idea how to defend against this; that’s on you guys. Or easy ones like legacy hardware and software systems where they go, we are not supporting legacy hardware and software. If it’s legacy, we’re going to recommend you update it. If you’re not going to update it, that cannot be on us as a service provider. Basic contractual elements like that. But it’s evolving very quickly.”
Secure Your Environment Too
Brunsman recommends businesses do everything possible to secure their environment. “If you’re an MSP or a copier dealer, that begins with incident response and disaster recovery. You have to have multifactor authentication for email access—the fundamental controls that have been around forever,” maintained Brunsman.
“But don’t bank on the insurance guy who has no idea what he’s talking about and has no legal obligation to ask an underwriter who has no idea what they’re talking about from a technology perspective and doesn’t want to put the insurance company legally on the hook for saying something to explain why you need X, Y, Z. It’s much simpler to just go, let’s map to a framework. Let’s do a risk assessment. Where are we at? Where do we need to be? Plan of implementation. And go from there.”
The Future of Cyber Insurance
The cyber insurance marketplace is a maturing industry from a policy perspective, and Brunsman expects premiums to continue increasing for the foreseeable future. Meanwhile, the marketplace is being refined. By that, Brunsman means lower limits, lower sub-limits, higher deductibles, higher premiums, more mandatory controls, and greater and more refined exclusions. With all of that happening, don’t expect anything having to do with cyber insurance to become any less complex than it already is.