
Leveraging Client-owned Cyber Insurance to Reduce MSP Exposure


This whitepaper explores the key risks MSPs face from underinsured clients, including:

  1. Legal liability from clients and third parties
  2. Reputational damage and loss of trust
  3. Financial losses from incident response costs, business interruption, and lost revenue
  4. Operational disruption and diversion of resources
  5. Regulatory fines and penalties
  6. Difficulty obtaining their own cyber insurance coverage

It is critical for MSPs to proactively address these risks by requiring clients to maintain appropriate cyber insurance as part of their service contracts. MSPs should also have their own robust cyber insurance and implement strong cybersecurity controls and incident response plans. By taking these steps, MSPs can better protect themselves and their clients in today’s high-risk cyber threat landscape.

1. Introduction

      Managed Service Providers (MSPs) play a vital role in managing and securing the IT infrastructure and data of their clients, many of whom are small and medium-sized businesses (SMBs). MSPs offer a range of services, including network management, cybersecurity, data backup and recovery, cloud services, and IT support.

      However, MSPs face significant risks when their clients do not maintain adequate cyber insurance coverage. Cyber insurance helps organizations mitigate losses from cyberattacks, data breaches, and other cyber incidents by covering costs such as incident response, data recovery, business interruption, legal defense, regulatory fines, and third-party liability.

      When a client experiences a cyber incident and does not have sufficient insurance coverage, the MSP can find itself exposed to a range of risks, even if the MSP itself was not at fault for the incident. These risks include legal liability, reputational damage, financial losses, operational disruption, and difficulty obtaining their own insurance coverage.

      This whitepaper will explore the key risks that MSPs face from clients without adequate cyber insurance and provide recommendations for how MSPs can mitigate these risks through insurance requirements, contractual protections, and their own risk management practices. By understanding and proactively addressing these risks, MSPs can better protect themselves and their clients in the face of evolving cyber threats.

      2. The Cyber Threat Landscape for MSPs and Their Clients

        The cyber threat landscape facing organizations of all sizes continues to grow more complex and dangerous. Cyber criminals and nation-state actors are employing increasingly sophisticated tactics, techniques, and procedures (TTPs) to infiltrate networks, steal data, deploy ransomware, and disrupt operations.

        MSPs and their SMB clients are particularly attractive targets for cyber adversaries. SMBs often lack the in-house cybersecurity expertise and resources to effectively defend against advanced threats on their own. As a result, they rely heavily on MSPs to secure their IT environments.

        However, this reliance on MSPs also makes SMBs vulnerable, as a successful attack against an MSP can provide cyber criminals with access to the networks and data of many clients. By breaching one MSP, attackers can potentially impact dozens or even hundreds of downstream customer organizations.

        Some of the most significant cyber risks facing MSPs and their clients include:

        • Ransomware: Ransomware attacks, in which cyber criminals encrypt an organization’s data and demand a ransom payment to restore access, have surged in recent years. MSPs are a prime target, as attackers can leverage compromised MSP credentials and tools to deploy ransomware across many customer environments at once.[1]
        • Supply chain attacks: Cyber criminals are increasingly targeting MSPs and other IT service providers as a means to compromise their downstream customers. By infiltrating an MSP’s network and systems, attackers can exploit trusted business relationships to propagate malware to client organizations.[2]
        • Cloud misconfiguration: As more MSPs and their clients adopt cloud services, the risk of data exposure due to cloud misconfiguration is growing. Misconfigurations such as unsecured storage buckets, excessive permissions, and inadequate logging and monitoring can leave sensitive data exposed to unauthorized access.[3]
        • Insider threats: MSPs can be vulnerable to insider threats from rogue employees who abuse their privileged access to client systems and data. Insider incidents can be particularly challenging to detect and can lead to significant damage.[4]
        • Social engineering: Phishing emails, fraudulent support calls, and other social engineering tactics remain a persistent threat to MSPs and their clients. Attackers often target MSP employees with phishing campaigns to steal credentials and gain initial access to MSP and client networks.[5]

        To address these risks, MSPs must implement robust cybersecurity controls, including multi-factor authentication, least privilege access, network segmentation, logging and monitoring, incident response plans, and employee security awareness training. However, even with strong controls in place, the risk of a successful cyberattack cannot be eliminated entirely.

        This is where cyber insurance plays a critical role. Cyber insurance can provide financial protection and resources to help MSPs and their clients respond to and recover from cyber incidents. However, when clients fail to maintain adequate coverage, MSPs can be left exposed to significant risks.

        3. The Risks of Underinsured Clients for MSPs

          When an MSP’s client experiences a cyberattack or data breach and does not have adequate cyber insurance coverage, the MSP can face a range of risks, even if the MSP itself was not responsible for the security failure that led to the incident. These risks can have severe financial, legal, reputational, and operational consequences for the MSP.

          3.1 Legal Liability

          One of the most significant risks MSPs face from underinsured clients is the potential for legal liability. When a client suffers a cyber incident, it may look to hold the MSP responsible, even if the MSP’s actions or services were not the direct cause of the incident.

          The client may argue that the MSP failed to provide adequate security controls, monitoring, or incident response services, or that the MSP’s own security practices contributed to the incident. The client may seek to recover losses related to business interruption, data recovery, notification costs, legal fees, and settlements or judgments from third-party lawsuits.

          If the client does not have sufficient cyber insurance to cover these losses, it may turn to the MSP’s insurance or seek to recover damages directly from the MSP. The MSP may face expensive legal battles, settlement costs, and potentially damaging court judgments.

          The MSP may also face third-party liability from the client’s own customers, partners, or other stakeholders affected by the incident. These third parties may argue that the MSP owed them a duty of care to secure the client’s systems and data and seek to hold the MSP responsible for their losses.[6]

          Even if the MSP is ultimately not found liable, the legal costs of defending itself can be substantial. And if the MSP is found liable, the damages could be catastrophic.

          3.2 Reputational Damage

          Cyber incidents can also severely damage an MSP’s reputation and erode client trust. When a client experiences a high-profile data breach or ransomware attack, it can generate negative media coverage and attention. Even if the MSP is not directly responsible for the incident, its reputation can suffer by association.

          Prospective clients may be hesitant to entrust their sensitive data and systems to an MSP that has a history of client breaches, even if those breaches were not the MSP’s fault. Existing clients may lose faith in the MSP’s ability to protect them and choose to terminate their contracts.

          In a competitive market, reputational damage can be difficult to overcome and may lead to lost business and revenue for the MSP. A study by the Ponemon Institute found that the average cost of a data breach in 2021 was $4.24 million, of which an average of 38% was attributable to lost business from customer turnover, increased customer acquisition costs, and reputational losses.[7]

          3.3 Financial Losses

          Underinsured clients can also expose MSPs to significant financial losses in the event of a cyber incident. MSPs may be called upon to assist with incident response, forensic investigation, data recovery, and system restoration efforts, all of which can be costly and time-consuming.

          If the client does not have adequate insurance coverage to pay for these services, the MSP may have to absorb the costs itself. The MSP may also lose revenue if the client’s operations are disrupted and it is unable to pay its bills.

          In addition, if the MSP is found liable for the incident and the client does not have sufficient insurance to cover the damages, the MSP may have to pay out of pocket. This could include costs related to legal settlements, judgments, and regulatory fines and penalties.

          The financial impact of a cyber incident can be severe. The NotPetya ransomware attack in 2017, for example, caused more than $10 billion in global damages, with some individual companies reporting losses in the hundreds of millions of dollars.[8]

          3.4 Operational Disruption

          Responding to a cyber incident can also significantly disrupt an MSP’s operations and divert resources away from serving other clients. MSP staff may need to work long hours to contain the incident, investigate the cause, and restore systems and data.

          This can lead to burnout and turnover among MSP employees, as well as decreased service levels for other clients. The MSP may need to bring in outside incident response consultants or temporary staff to assist, which can add to the financial burden.

          In addition, if the MSP’s own systems are compromised as part of the attack on the client, it may be unable to serve any of its clients until it can restore its operations. This could lead to extended downtime and lost revenue.

          3.5 Regulatory Risks

          Depending on the nature of the client’s business and the types of data involved, a cyber incident may also trigger regulatory investigations and enforcement actions. Many industries, such as healthcare, finance, and energy, are subject to strict cybersecurity and data privacy regulations.

          If a client experiences a breach of regulated data and does not have adequate cyber insurance to cover the costs of required notifications, credit monitoring, and other regulatory obligations, the MSP may be exposed to liability as a business associate or service provider.

          Regulators may investigate the MSP’s role in the incident and whether it complied with applicable regulations and industry standards. If the MSP is found to be non-compliant, it may face fines, penalties, and increased scrutiny.[9]

          3.6 Insurance Coverage Risks

          Finally, MSPs may face challenges obtaining their own cyber insurance coverage if they have a history of client incidents, even if those incidents were not the MSP’s fault.

          Cyber insurers are becoming increasingly selective in their underwriting practices, and MSPs with a track record of client claims may be seen as higher risk. Insurers may decline to offer coverage, charge higher premiums, or impose more restrictive terms and conditions.

          Without adequate cyber insurance of their own, MSPs may be unable to meet client contractual requirements for coverage, which could lead to lost business opportunities. They may also be exposed to greater financial risk if they experience their own cyber incidents.

          To mitigate the risks posed by underinsured clients, MSPs should take proactive steps to address cyber insurance coverage in their client contracts and engagements. They should also implement strong cybersecurity controls and incident response capabilities to reduce the likelihood and impact of cyber incidents.

          4. Recommendations for MSPs

          4.1 Require Adequate Cyber Insurance Coverage in Client Contracts

          MSPs should consider making adequate cyber insurance coverage a requirement for all clients in their service contracts. The best way to approach this is for the MSP to partner with an insurance broker or managing general agency that specializes in cyber insurance. This insurance intermediary can work with the client to assess its own unique risks and determine appropriate cyber insurance limits, terms, and conditions.

          Additionally, the MSP should require the client to provide proof of coverage, to maintain that coverage throughout the duration of the engagement, and to give notice of any changes or cancellations.

          By making cyber insurance a contractual requirement, MSPs can ensure that their clients have the financial resources to respond to and recover from cyber incidents, reducing the risk of the MSP being held liable for uninsured losses.

          4.2 Include Limitation of Liability Clauses in Client Contracts

          MSPs should also consider including limitation of liability clauses in their client contracts to cap their potential exposure in the event of a client incident. These clauses can specify that the MSP’s liability is limited to a certain dollar amount or to the amount of fees paid by the client.

          While limitation of liability clauses can provide some protection for MSPs, they may not be enforceable in all cases, particularly if the MSP is found to be grossly negligent or to have acted in bad faith. MSPs should consult with legal counsel to ensure that their contracts are properly drafted and comply with applicable laws and regulations.

          4.3 Maintain Strong Cybersecurity Controls and Incident Response Capabilities

          To reduce the likelihood and impact of cyber incidents, MSPs should implement strong cybersecurity controls and incident response capabilities, both for themselves and for their clients. This includes:

          • Conducting regular risk assessments and penetration testing to identify and remediate vulnerabilities
          • Implementing multi-factor authentication, access controls, and network segmentation to prevent unauthorized access to systems and data
          • Monitoring networks and systems for suspicious activity and anomalies
          • Developing and testing incident response plans to ensure rapid and effective response to incidents
          • Providing employee security awareness training to reduce the risk of social engineering attacks
          • Maintaining offline backups and disaster recovery capabilities to enable rapid restoration of systems and data in the event of an incident

          By implementing strong cybersecurity controls and incident response capabilities, MSPs can reduce the risk of successful cyberattacks and minimize the impact of incidents when they do occur.

          4.4 Educate Clients on the Importance of Cyber Insurance

          MSPs should educate their clients on the importance of maintaining adequate cyber insurance coverage. This includes explaining the risks of cyberattacks and data breaches, the potential costs of responding to and recovering from incidents, and the benefits of having insurance to mitigate those costs.

          MSPs should work with clients to assess their insurance needs and coverage gaps and to help them obtain appropriate coverage. MSPs may also consider partnering with insurance brokers or carriers to offer cyber insurance as part of their service offerings.

          By educating clients on the importance of cyber insurance and helping them obtain appropriate coverage, MSPs can reduce their own exposure to uninsured losses and create a more resilient ecosystem for themselves and their clients.

          4.5 Obtain Appropriate Tech E&O / Cyber Insurance for the MSP

          Finally, MSPs should obtain their own robust cyber insurance coverage to protect against the risks posed by client incidents and their own potential exposure. MSP cyber insurance policies should cover costs related to incident response, data recovery, business interruption, legal defense, settlements and judgments, and regulatory fines and penalties.

          MSPs should work with experienced insurance brokers to assess their risks and coverage needs and to obtain appropriate policies. They should also ensure that their policies align with their client contract requirements and that they have adequate coverage limits to address potential losses.

          By obtaining appropriate cyber insurance coverage, MSPs can reduce their financial exposure to client incidents and protect their own operations in the event of a cyberattack or data breach.

          5. Conclusion

            The cyber threat landscape facing MSPs and their clients is complex and constantly evolving. While MSPs play a critical role in helping their clients manage and secure their IT environments, they also face significant risks when clients fail to maintain adequate cyber insurance coverage.

            Underinsured clients can expose MSPs to legal liability, reputational damage, financial losses, operational disruption, regulatory risks, and challenges obtaining their own insurance coverage. To mitigate these risks, MSPs should proactively address cyber insurance in their client contracts, implement strong cybersecurity controls and incident response capabilities, educate clients on the importance of coverage, and obtain appropriate insurance for themselves.

            By taking these steps, MSPs can better protect themselves and their clients in the face of increasing cyber risks. They can build more resilient and sustainable businesses, while providing the critical IT services that their clients need to thrive in the digital economy.

            References:
            [1] Culafi, L. (2021, July 15). The Rising Ransomware Threat to MSPs and Their Clients. Channel Futures. https://www.channelfutures.com/msps-the-rising-ransomware-threat
            [2] Spadafora, A. (2021, June 3). Supply Chain Attacks Target MSPs to Reach Downstream Customers. TechTarget. https://www.techtarget.com/searchsecurity/news/252502078/Supply-chain-attacks-target-MSPs-to-reach-downstream-customers
            [3] Kumar, R. (2021, March 11). Cloud Misconfiguration: A Major Risk for MSPs and Their Clients. Forbes. https://www.forbes.com/sites/forbestechcouncil/2021/03/11/cloud-misconfiguration-a-major-risk-for-msps-and-their-clients/?sh=77f03f393e6b
            [4] Palmer, D. (2021, August 17). Insider Threats: What They Are and How MSPs Can Prevent Them. CRN. https://www.crn.com/news/security/insider-threats-what-they-are-and-how-msps-can-prevent-them
            [5] National Cyber Security Centre. (2021, October 5). Social Engineering Attacks on MSPs and Their Customers. NCSC Guidance for MSPs and Small/Medium Organisations. https://www.ncsc.gov.uk/collection/msp-guidance/social-engineering-attacks
            [6] Simmons, D. (2020, December 10). MSPs Face Legal Risks