When the time comes to renew your tech E&O and cyber insurance, be sure to be sitting down when you receive your renewal terms. When it comes to insuring Managed Service Providers, carriers are taking their gloves off. Over the past 18 months, events like Solar Winds, Kaseya, and Microsoft Exchange, have heightened the concern MSPs represent to insurance carriers and the aggregate risk they pose. Many insurance carriers are withdrawing from the MSP market altogether and those carriers that are still providing coverage may require premiums three to seven times what your renewal premiums were.
MSPs can prepare themselves to be in the best position when it comes to renewal by making sure their security policies are in order. You should have written security procedures and policies in place, that are regularly tested and reviewed, so carriers can accurately assess your risk. Your security controls should be on par with or even more diligent than what you are asking and expecting of your clients.
Here are crucial security controls to include and remember to base security controls on an established risk framework.
- Multi Factor Authentication (MFA)
- Endpoint Detection and Response (EDR) solutions
- Backups- including an offsite backup. Backups should be tested regularly.
- Double down on access controls especially those for your RMM. That includes MFA (can’t say that enough) and mechanisms to remove dormant accounts or users. Make sure keys are in a secure repository. In short, apply the concept of least privilege to your access controls
- Automated application patching- especially for RMM but also any other applications being used by your organization.
- Maintain audit logs and tools to identify and respond to alerts, or preferably have those performed by a SOC and/or MDR solution.
- Have a solid Incident Response plan in place and be sure to be conducting table-top simulations on an annual basis.
This may be a lot for any organization to focus on. However, it has become critical that MSPs be as vigilant in their security controls as what they ask of their clients, or even more so. Because of the aggregation risk an MSP represents, putting these controls in place may be the only way for MSPs to get tech E&O and cyber insurance at all, let alone at an affordable price.