Carol: Hi. We’ve been talking about various topics surrounding cyber insurance, such as why small and mid-sized businesses need it, how AI is changing the way insurance carriers and brokers will be servicing their customers in the future, and today we want to talk about the role that a managed IT service provider plays in helping their clients secure cyber insurance.
With me today is Lliam Holmes. He’s the CEO and founder of MIS Solutions. Thank you for joining me today.
If I’m a small business owner, how does an MSP help assess and enhance our current cybersecurity measures to meet the evolving standards required by cyber insurance carriers?
Lliam: Yeah, so I think it’s important to understand, if you go back a few years, that cyber insurance used to be sold as an add-on. You’d get your professional liability, and you’d get your ENO, and “Oh, do you want this cyber insurance policy, too?” And if you did that, yeah, it’s 250 bucks, and you could have it, and off you went, right?
And they went down this road for a couple of years, and it didn’t take long before they realized that these insurance companies were losing a lot of money. The claims for cyber insurance far exceeded what they were actually collecting in revenues. Obviously, that’s not a great business model, right?
What’s happened over the last couple of years is that these insurance companies have really gotten clued up about how to assess the risk before writing a policy. And that makes a lot of sense because a company that’s doing everything they can to make sure that their cyber readiness is in good shape and they’re spending money, and they’re training their people.
Those people should have a better premium than people who aren’t. And in that new ecosystem, what’s really happened is that these insurance carriers are now taking a much closer look before they write an insurance policy. Now, they’re not infallible, they make mistakes. They’re using automated tools, typically without your knowledge, to be able to go out and look at your domain, to look at all of the IP addresses, and to begin to look at everything that would be covered in your policy. One of the things that you find is that a lot of these IP addresses and a lot of the things that they find actually aren’t yours.
They belong to somebody else. And instead of them being able to assess the risk at this big, right? Because they’re looking at everybody else’s stuff, it turns out that you’re actually overbuying insurance. So your premiums are higher than you think that they should be. And one of the roles that we’ve seen, and there are certainly several pieces to this, but one of the roles is that when a company is going in their underwriting process for cyber insurance, a managed service provider can make sure that the assumptions and that the questionnaire that you have to fill out in order to get cyber insurance is filled out accurately.
Carol: Those questionnaires have really grown over the years. Used to be five simple questions.
Lliam: Sure, they really have. One of the things that these insurance companies have done is not only are these questionnaires not standardized from carrier to carrier, but there are a lot of questions on these things.
One of the things that these insurance carriers are doing is that they’re using the answers to these questionnaires to add a warranty statement to your cyber insurance. And by that, what I mean is if you, if they send you a questionnaire when you’re applying for insurance, and let’s just say it’s a 45-question questionnaire.
And the answer to most of these questions is to check yes or no, right? And then six months into this thing, something happens. The first thing that your insurance company does when you call them to file a claim is they’re going to pull up that questionnaire, and they’re going to say, “Let’s see how you answered those 40 questions. You told us that you were doing this, and you told us that you had this process, and you told us that you had these products and services. Based on all of these things that you said to us before we wrote the policy, you shouldn’t be having this problem today. Before we do anything, we want to audit to see how this could have happened.”
And they’re using these questionnaires actually in the claims process as well. Making sure you’re answering those questions correctly is really important. You don’t want to fudge any of those things. In the event that the answer to a question is yes or no, you might need to add some clarity around the answer to that question.
And I think that one of the things that a managed service provider can really help you do is to understand if the answer to a question is yes. Is it no? Or are there some exceptions that you need to call out?
So that in the event that somebody brings this up when you try to file a claim, you have clarity on what, when, where, and why this may have happened.
Carol: So how does an MSP prepare a company’s network infrastructure and security protocols to increase their eligibility for favorable cyber insurance terms?
Lliam: It’s like anything. In our industry, we call it configuration management, and the reality of it is, if you think about any network over the course of a year, lots of things change, and as hard as you try to document everything and make sure that decisions are made, in real-time as you make those decisions.
The truth of the matter is things happen. New products and new patches come out that may expose you in ways that you didn’t know. And as a best practice, you want to know when your cyber insurance is going to be up for renewal. You probably want to start about 60 days prior to that, and you want to run both a penetration test as well as a vulnerability assessment on your network.
Pretend you’re the insurance guy. You want to assess your own risk and then you want to be able to fix any and all of those things that you find. And some of those things you may find are things that you can’t fix. And you want to go ahead and think about what your response is going to be when an insurance company comes and says to you, “Hey, we see that you have X on your network. And because of that, we are going to do Y with your premium.” Probably a really good example of that is a manufacturing company that maybe one of their pieces of equipment has Windows 10 and it can’t be upgraded because it’s part of that machine.
You’re going to want to know that and you’re going to also want to think thoughtfully through what options you have to quarantine that off so that when you’re asked, “Do you have any out-of-date operating systems on your network,” you can say, yes, we do, but here’s what we’ve done about it.
And that’s probably a great example of why you wouldn’t want to check yes or no. You would want to explain why that is the way it is and what they could expect to find.
Carol: And I can imagine in an example like that, your average business owner is not going to have a clue about that. They’re going to need to depend on their managed service provider to provide them with solutions.
Lliam: And that’s really the expertise that I think that provider brings to you. To look at that penetration test from the internet into the network [to see] what things that customer could potentially be exposed to. That’s a penetration test.
Whereas a vulnerability assessment is on the inside of the network. What is it that that customer could be exposed to? So, you want to check both of those things. And then once you have that list, you’re going to want to categorize them low, medium, and high. And then from that, you want to have an action plan to be able to mitigate some of those things or be able to create some talking points around why it is that you have what you have.
You’re going to want to be transparent with the insurance company as you apply for cyber insurance so that they know that and that you’ve done your due diligence and that you are making sure that accidents don’t happen.
Carol: Are there any specific documentation or audit trails that an MSP maintains that can support a strong cyber insurance application or claim process?
Lliam: There are quite a number of things. Sometimes what happens when you have something happen on your network is there’s a point in time right in the beginning where you’re not sure what happened, right? You know something happened, but you don’t know, was it an employee? Was it just a system glitch? Maybe you were attacked. And questions start to swirl as to who, what, when, and where. And, really, having good documentation, having an incident response plan, understanding what kinds of insurance you have, making sure that you are training your people to these processes.
All of these things are really helpful not only in preventing it from happening in the first place, but typically when you file a claim, your insurance carrier is going to start asking you all of these kinds of questions. You’re going to want to make sure that that managed service provider is working with you through that claim so that you answer these questions correctly and that you’re not exposing yourself to more risk than what maybe you actually have. So all of these sort of documents and processes around, should you call it a breach or is it an incident? Do you have a documented process? Can you show where we’ve trained our people? Do you have various controls, whether they are technical controls, which tend to be all of the things you think about in technology?
Or is it an administrative control, like it’s a policy or procedure that’s written by a company? Do you have all of these things in place? And can you show an insurance company that you are doing your part to prevent something from happening? Knowing that in reality, things happen to everybody, right?
And it’s not that you are never going to be hacked. That’s an unrealistic expectation but to at least be able to show that you’ve done your part. You have created processes, you have trained your people, you have bought the technology. You are doing your part to prevent something like this.
Carol: So Lliam, in the event of a cyber breach, how does an MSP act as a liaison between my company and the insurance provider to facilitate a smooth claims process?
Lliam: Yeah. When something happens, emotions run high really quickly because none of us like to have our systems down, our reputations tarnished potentially, our ability to service our customers possibly impacted. None of these things are really good for anybody, right? And one of the things that you have to be careful of in an event like this is that when you file a claim with your insurance company, in accordance with whatever their process is, you are oftentimes going to find yourself in a conference call with six or seven or eight people.
There’s going to be attorneys involved. There’s going to be people who have very deep technical expertise involved. And all of a sudden, you are going to feel quite overwhelmed and outmatched.
Carol: Intimidated.
Lliam: Intimidated, right? And you’re going to want to have somebody who can speak on your behalf as to exactly what did or didn’t happen.
In many cases that I’ve been involved with, typically there is somebody technical that wants to collect a lot of data. They’re going to want a lot of log files that come off of all of the computers, the firewall, the wireless access points. They’re going to want to look at your policies and procedures.
They’re going to want to understand what impact it has. One of the things that’s important to recognize is that as you’re going through this process, that company is not particularly interested in how to get you back up and running in business. They’re really interested in servicing the claim that you’re filing with them.
One of the things that can actually happen, and happens more often than not, is that the company is trying to get itself back in business. They start restoring systems. They’re starting to restore services so that they can service their customers, and inadvertently in that process, they’re overriding data and logs that the insurance company needs in order to be able to service that claim.
When they do that, sometimes the claim actually gets denied because they don’t have access to the logs and things that they need to be able to service that claim. And getting advice as to not only gathering this information, but understanding how to navigate that, a good managed service provider can really help you with that.
In some cases, particularly if you have legal obligations, you might want to bring in what’s called a breach coach. A breach coach is somebody you can ask about your obligations, about things that you should have or should not have done or things that you want to be able to discuss legally offline before you have these conversations with your insurance company. A breach coach can be a very useful instrumental person in this process because any conversation that you have with that breach coach is protected under client-attorney privilege. You can ask all of these questions without worry of opening yourself up to further liability, or worrying about maybe saying the wrong thing and potentially having your claim denied, particularly if it’s a really large claim.
Carol: This all plays into having an incident response plan and a dedicated incident response team already in place before the bad thing happens.
Lliam: It really does. And this is a highly emotionally charged event, as you would imagine because you have people’s livelihoods on the line here.
People don’t often think clearly through how to get their business back up and running and how to take care of their clients while trying to service their financial obligations and insurance obligations as they navigate this process. Having a pre-written incident response plan, an incident response manager, potentially a breach coach who you’ve already screened and identified.
Somebody who could help you navigate something that is going to be really stressful and it’s going to potentially be a defining moment for your company.
Carol: Does the MSP play any sort of role in helping their clients get that incident response plan and team in place prior?
Lliam: They absolutely do.
In fact, I would say to you that typically your managed service provider is the primary driver of that incident response plan, right? They are your technology experts, right? And so they know things that you don’t. And you’re going to want to work with them because there really are a couple of sides to an incident response plan.
There’s the technology side, which is important, but there’s also the people and process side. And as a managed service provider, we know a lot about your technology. But we may not know a lot about your products and services. You’re going to want to think your way all the way through as best you can, who’s going to be in charge of what.
And I’ll give you maybe two really simple examples, right? When something happens, who’s going to be in charge of telling your customer service people what to say when clients call? You’re going to want to think your way through that because in the absence of somebody telling them what to say, they’re going to say all kinds of things and they’re probably not going to say things that you want them to say.
What do you do if this becomes a media event and Fox News shows up at your front door? Who’s going to handle that?
So you’re going to want to think your way through some of these things that may not have anything to do with technology but certainly could have a huge impact on your business.
Carol: Certainly not the time to try to wing it.
Lliam: No, not the time to wing it.
Carol: What role can an MSP play in continuously monitoring and updating the cyber defenses to maintain compliance and cyber insurance requirements?
Lliam: Yeah, we all see with applications, with Windows, how many updates are coming out on a near daily basis? Like it happens all the time. And companies that are not paying attention to updates to their applications, or updates to their accounting systems, or updates to their Microsoft Windows, or whatever it is that they’re using. The longer this goes on, the more potential they have for actually having a vulnerability become realized and actually becoming an attack, right?
And I think the other thing, too, that’s important to recognize, is that they’re not all technical things, right?
Carol: You talked previously about administrative controls and policies.
Lliam: Yeah, so when we think of a vulnerability, or we think of a hacking attempt, this is somebody forcing their way into your network in some unexpected way by taking advantage of a flaw in technology.
From an insurance perspective, though, they see that very differently from a social engineering attack where somebody convinces you to take an action. Whether they’re calling you on the phone or they’re sending you an email, or however it is that they’re doing it, they are convincing you that they are somebody else. They are asking you to just take an action on their behalf, right?
From an insurance perspective, that’s not a cyber insurance claim. That’s a social engineering claim. And so you’re going to want to talk to your insurance broker about all of the different kinds of cyber policies. And do you have everything that you need based on the kind of business that you run?
We all think about the tech. We all think about hackers breaking in to steal my stuff, right? But in reality, while that may happen, and there are certainly things that a managed service provider can do to help prevent those things from happening, recognize that’s only part of the story.
The rest of it is really about these emails that people get with business email compromise. It’s about invoice fraud. It’s about people calling you on the phone, pretending to be people they aren’t. Right? It’s really broader than just a technology issue.
Carol: Those pesky humans. They keep wanting to give your money away to criminals.
Lliam: They do. And you would be amazed at how successful they are at getting people to do these things. It is because they’re tricky. They’re tricky. Very tricky.
Carol: All right. So how does an MSP stay informed about changes in cyber security policies? And how can they proactively adjust the security measures accordingly?
Lliam: Yeah. So this is really talking about a security program, right? Security is not a one-and-done, set-and-forget it; we do it once-a-year kind of a thing. We just talked a minute ago about how all of these updates are always happening with applications, firewalls, rules and regulations, and different compliance standards. Whether we’re talking about PCI for credit cards or we’re talking about healthcare or financial services, all of these rules and regulations are constantly changing. You have to make sure that your managed service provider has the technical expertise to know when a rule changes and could potentially hold you in breach of a contract.
Say, for example, you are CMMC compliant, which is companies that are doing business with the Department of Defense, providing products and services, right? That organization just went through a fairly major change in some of the rules and regulations. And if you’re a company that is providing products and services in that space, into that government space, then all of a sudden you may have a new set of requirements that you may not have known even existed. But you are going to be held accountable in the event that something happens or in the event that you actually go through an audit. You are going to be financially responsible.
Carol: Alright, so I just have one more question here. Can you provide any examples or case studies where an MSP, MIS Solutions maybe, has successfully supported a client securing or renewing cyber insurance through targeted security enhancements?
Lliam: This is a really common thing. We probably fill out, gosh, four, five, six, seven, eight of these questionnaires a month for our clients, where we are helping them understand the context of the question. Do they have something? Do they not have something?
One of the things that we do at MIS is track the renewal dates of cyber insurance policies for our clients. When we see that they’re coming up for renewal, again, about 60 days prior to renewal, we are looking at their technology stack, their solution stack. We are looking through all of the questions that other insurance companies are asking.
And we’re pushing those against how that particular company is configured. And we’re having conversations with clients about “do you have one of these? Do you have one of those? We need to do a penetration test. We need to do a vulnerability assessment. We need to get you well positioned because, in 60 days, you’re going to have to go through underwriting.”
And so this is actually a well-worn path for us in terms of making sure that our customers are very well positioned when they’re going through a cyber insurance renewal, right? And I guess a sub-component of that, too, is we are starting to ask questions about what kinds of insurance you have.
It’s really important that we recognize MIS Solutions is not an insurance company. We’re not a broker. We don’t sell insurance, right? But we do play in the space of making sure that our clients are well protected. And so if we see something or we think that you potentially could be underinsured, we’re going to encourage you to have these conversations with your broker. If we need to get involved and help you articulate those conversations, we can do that. We sometimes have customers who come to us and will say to us, “This is something that we’ve been meaning to do” or “This is a conversation that we’ve been meaning to have, but we may not necessarily know who to have this conversation with or our current insurance carrier doesn’t offer these products and services. Could you refer us to somebody?”
And we will make a referral. And sometimes, it might be an insurance company to be able to buy these products and services, or sometimes like we’ve done in the past, people might be thinking their way through an incident response plan, and they might be thinking their way through, gee, I wish we had a breach coach that we knew that we could call. “MIS, do you have somebody that could service us, maybe even a conversation that we could talk to preemptively about what to expect and what their role would be and how they bill and, would it be covered and what kind of insurance do we have, really just being proactive around, understanding how would we react and what should we expect, not only in the event that something happens, but also in the event that we go through our annual review for cyber insurance.”
And I think that this is a really important thing that a lot of people are overlooking.
Carol: Lliam, thank you. That’s a lot of information to digest. I appreciate it. And if you are wondering how MIS Solutions can help your company, please be sure to reach out to us. Thank you very much, Lliam.