Author Dustin Bolander is the founder of Beltex Insurance.
I’ve had a front-row seat to the impact of cyber insurance on the MSP industry. I currently own my second MSP, where we are security-first and focus mainly on law and investment firms. As cyber insurance became a pain in our you-know-whats in 2020, I ran headfirst into it, to the point where I am now licensed for insurance in most states. I started off consulting for insurance companies on how the MSP industry works, worked to build the MSP channel program at Fifthwall, and now own Beltex, which has its own cyber insurance policy for SMBs with high cybersecurity, and where MSPs can participate (and be reimbursed) in claims for their customers.
As an industry, we’ve come to accept the compliance enforced by insurance, which has helped raise the cybersecurity poverty line somewhat. However, mature and advanced cybersecurity is still beyond the scope of most insurance requirements, and the next fear of the MSP industry is the onslaught of security products, such as MDR (managed detection and response), that insurance is starting to sell.
Good news: this is actually more of an opportunity than a threat, because it further legitimizes what MS(S)Ps provide and tell their customers they need. Insurance companies have been historically bad not only at building and deploying cybersecurity tools (when was the last time you saw an accurate and thorough vulnerability scan from insurance?) but also at getting uptake on these types of bolt-on services. Talking to insurers and at insurance conferences, I consistently hear less than 2% uptake total. I expect that will continue to be the case this time for a few reasons. First off, the products they're offering are more enterprise-focused, and the pitch that buying their security services will offset your premium is almost never reality as of today. So the likelihood of a sale is very low when they are working with small businesses and midmarket. There is an upside: insurance talking to customers about these security services provides a great justification for customers to purchase further security from their MS(S)P. The trick here is to leverage insurance's marketing and influence to talk to your customers about what they need to be doing for security and what products you can provide to fulfill those requirements. Look at this latest initiative as free marketing awareness. If you are already having the conversations regularly with your customers (in QBRs!), then insurance should be the final push they need to level up their security.
MSPs have always aspired to have a seat at the table as a trusted advisor, alongside your customers’ lawyer, CPA, and…insurance agent. QBRs that cover patching status and ticket volume do not make that happen, but conversations around risk do. This is an important position to be in due to the coming onslaught of MISSPs.
The threat that I mention is from hybrid insurance MSSPs, or what I am calling a managed insurance, security and services provider (MISSP, sorry for yet another bad acronym!). There are several MISSPs that have been in business for a few years, are already very mature, and are executing on this playbook. Now they’re able to authoritatively (by being an insurance agency and advising on financial risk) provide best-in-class security advice, plus insurance due to being a licensed agency.
TL;DR? The most important takeaway is that you as an MS(S)P should be proactively engaging customers about insurance, so that whenever they are approached by an actual agency (or MISSP), your customer immediately pulls you (the MS(S)P) in because you have already been having that discussion. This is not only playing defense, but setting you and your customers up for success so that the MISSP or agency ends up pushing your initiative over the finish line.
QBR road maps should be used to cover the security services that are needed. By the time customers are approached by insurance about MDR, you should have been talking about Huntress, BlackPoint, etc. for a year at least. That makes a layup sale for you, and improves the customer’s security.
In the same way we saw a huge uptake for MFA because of insurance, MDR is next. For the last six months I kept hearing at insurance conferences that “2024 is the year of MDR” – it sure is, but only because as MSPs we’ve been offering it to customers for years, and now insurance will help us push the remaining holdouts over the finish line by talking about it.