MSSP Alert Live: What to Know About Cyber Insurance and Warranties

MSSP Alert Live 2024’s second day of sessions kicked off with a keynote panel on “The State of Cybersecurity Insurance and Warranties (and What’s the Difference?),” providing key insights on different types of breach coverage and what MSPs, MSSPs and their customers can expect when shopping for policies in 2024 and 2025.

Beltex Insurance CEO/Founder Dustin Bolander, Coalition General Manager of Security John Roberts and PCH Technologies President & CEO Timothy Guim comprised the panel, which was moderated by CyberRisk Alliance Editorial Director of Channel Brands Jessica C. Davis.

The panel offered a diverse array of perspectives, as Beltex Insurance is an MSP-focused cyber insurance company, Coalition is a cyber insurance company that offers managed detection and response (MDR) services and PCH Technologies is an MSP that launched a cyber warranty program last year in partnership with Cork.

To start the keynote, the panel answered the question: What is a cyber warranty?

The difference between cyber insurance and cyber warranties

Cyber warranties are much narrower and more specific than cyber insurance policies, dealing only with “very specific issues around a data breach,” Guim explained. Cyber warranties often come embedded with certain cybersecurity products or services but can also be purchased as an add-on and typically have no deductible.

As cyber warranties are less mainstream than traditional cyber insurance, discussing the option with customers is “definitely an educational process” for MSPs like PCH Technologies, Guim added. Understanding which services and scenarios are covered and which are not is key when determining whether a cyber warranty is right for a given customer. However, it’s typically good to have both, Guim added.

Roberts further explained the difference, saying that while insurance covers the business, warranties only cover specific technology. Bolander noted that while cyber warranties can be worthwhile in recuperating costs in certain breach scenarios, they “should be the cherry on top of your risk management” strategy and actions rather than replacing cyber insurance.

An important thing to note regarding cyber warranties is that many such policies will require businesses to act fast to notify the warranty provider after a breach. Bolander said one of the biggest mistakes organizations make during a cybersecurity incident is failing to notify their insurance or warranty provider right away. Even if an organization “thinks they have it under control,” they should still reach out, out of an abundance of caution, as many cyber warranties require notification within 24 hours for a claim to be paid out.

Roberts noted that while it is important to engage one’s cyber insurance provider soon after a suspected compromise, insurance is typically less of “a ticking time bomb” than a warranty, with more time afforded to make a claim compared with a warranty.

What today’s cyber insurance ‘soft market’ means for customers

Cyber insurance rates underwent a major change in the last five years as a result of the ransomware threat exploding in 2019, with rates later dropping significantly and ultimately stabilizing over the last couple of years. Guim says he expects rates to remain steady going into 2025, with Bolander adding that he has not seen any clients' rates go up this year.

Bolander says cyber insurance is now in a “soft market,” which he further explained in a breakout session later Wednesday morning titled “Insurance is Evil: How We Went from an MSSP to Creating an MSP-Focused Policy.” While these soft market conditions mean acquiring cyber insurance is easier and less costly for customers, it also means the market is more competitive, leading to some “irresponsible” decisions, Bolander opined.

For example, some insurers may not require customers to implement multi-factor authentication (MFA) in a bid to lower the bar and sell more policies. On the other hand, Bolander sees MFA as a necessary and common-sense protection in today’s threat landscape. After all, without MFA, organizations are at a higher risk of suffering a breach – which will ultimately only drive their insurance rates up higher.

Overall, while the soft market is ultimately a good thing for customers, it means they will have more to consider when it comes to choosing the right policy and provider. Organizations should “choose wisely” when acquiring a new policy in 2024 and 2025, Roberts said.

MSPs’ role in cyber insurance

MSPs are in a unique position to advise their customers on cyber insurance and warranties due to their technical expertise and awareness of each customer’s security posture, Roberts noted. And MSPs can make a difference in convincing customers that they even need cyber insurance to begin with.

Cyber insurance raises the cybersecurity poverty line and may seem like an excessive and unnecessary expense to some customers, especially small businesses. MSPs can help shift this perspective by helping customers shop for more affordable policies, especially given the current favorable soft market conditions.

MSPs may also want to consider requiring their customers to have cyber insurance. Guim says PCH Technologies is considering this requirement in the future, though currently it's only strongly encouraged; most customers already have a policy. Roberts noted that there have been improvements in attitudes toward cyber insurance over the years, especially as MSPs have made the process of acquiring it less painful for their clients.

At the same time, emerging services such as Coalition’s MDR and ElphaSecure’s combined cyber insurance and cybersecurity software offering are blurring the lines between insurance providers, MSPs/MSSPs and cybersecurity providers, Bolander noted during his breakout session. With this in mind, MSPs can benefit from taking a more active role in discussing cyber insurance with their customers.

“If you’re not having that conversation, someone else is going to,” Bolander said.