Just getting cyberliability insurance is never enough. Find out what else you need to do.
Just ten years ago, cyberliability insurance was an exotic creature. What was available was often just a rider, with very limited coverage. A few years later, standalone cyber policies appeared that nearly everyone could qualify for. All that mattered was your industry, your revenue, completing a two-page application. But the insurance industry mispriced this risk and started losing money. With the uptick in cybercrime, things only got worse. We now see far more complicated applications, much higher fees, and no guarantee of coverage.
But coverage is now more critical than ever. That means we must educate our clients about risk and ensure they don’t think our services (or insurance) are substitutes for their coverage. One way to get there is to develop a strategic partnership with an insurance broker. Some of the best brokers can help you model risk, provide pre-assessments for those without coverage, and review existing policies. The right partners will provide you the tools you need to identify client risk, persuade them of its import, and help you become a more critical part of their businesses.
Why cyberliability matters
I would start this out by asking if you know how many of your clients even bother to carry cyberliability coverage, and whether these coverages are adequate. The next step goes as follows - discovery or asking the right questions to find out where they stand and working with those answers. Perhaps they simply don’t understand the risks of not carrying coverage or think those risks are completely mitigated by your services. Maybe they believe your cyberliability insurance covers them - truly the worst-case scenario.
Even those that carry coverage often “yes" their way through the application, without understanding the questions, much less the answers. We have all probably experienced this, with all the attendant risk of claim denials and other potential bad business outcomes. To fix this, we must take the lead, shepherding our clients through the process, and being sure that they complete these forms accurately. This also helps to engage in their own security and justifies what we already want them to do. Remember, we cannot sell insurance, only help them buy it.
We must “up" our game. Many of the newest cyberliability forms are drawing on some very good sources, including various security frameworks that many of us model our security stack and processes upon. Some require even more rigorous processes than we are used to, even for those of us that consider securing our clients to be plan A.
For most of us, comprehensive BCDR is our plan B. But what happens when that fails too? Now it’s time for plan C, proper cyberliability insurance coverage. But wait, there’s more. You must remember that incident response plans should be crafted “through the lens” of this insurance. For example, what is the first thing clients want in the event of an attack? For you to fix it fast - which is probably the wrong move. The right one is to contact their insurer and follow their advice. That will not be the answer they want, so have this discussion now, not later.
There are two very good reasons why we should embrace the need for cyberliability coverage. The first is the process of risk discovery and how to mitigate it (security, backup, insurance coverage). This will lead to much more intimate relationships with our clientele. These are not technical but true business process discussions, and they are wonderful.
The second benefit is that we go from “selling” security to our clients to having them come to us to solve business (risk) problems. Much of the ingrained resistance to the inconvenience and the cost of security melt away under these circumstances. We are no longer the computer guys selling stuff, we are now solving business needs, mitigating risk, and enabling coverage. And that is a great thing. Once again, we are not insurance providers, so that’s why we must have a strategic partner to educate us on how to identify, mitigate and cover our clients’ risks.
The final word
As MSPs for our clients, we cover many bases. One of those must be to educate our clients about how and why to obtain cyberliability coverage. We must help them navigate truly complicated application forms, and maybe even up our own security game to make sure they are operating in a secure enough manner to be insurable. But the process of navigating these new hurdles will ultimately lead to better, more business-focused conversations, not to mention tighter integration into their business processes. Finally, they get to see us as the problem solvers they need and not the salespeople they dread. The opportunities this brings us to improve their security posture and show our true worth are priceless.