BlastWave and Cysurance Roundtable: More Fender Benders, Fewer Totals, and a Smog Test

Visit this link to watch the roundtable and learn about the future of cyber insurance from leading experts.

On September 12th, we hosted a roundtable entitled “The Future of Cyber Insurance and MSP Insurability.” The roundtable featured a broad range of experts in cybersecurity, cyber insurance and Managed Service Providers (MSPs). These included our own Tom Sego, Vince Zappula and Keao Caindec. Other attendees included Kirsten Bay from Cysurance, Scott Williams with Cloud Security Alliance, Jeff Ewing of 5Q Partners, Austin Morris Jr. of Morris Risk Management, John Franzino of Grid Security Inc., Jeff Dotzler of Elevity and James Kim from CTN Solutions.

The expert panelists held an honest discussion about cyber insurance, insurability, and the difficulty for MSPs in securing affordable coverage. There is no actuary table in cyber insurance, so pricing is fluid and can vary greatly based on numerous factors. Additionally, the IT environments of MSP clients are becoming increasingly complex, making them difficult to manage and protect. In the face of these challenges, what can MSPs do to improve their insurability? Read further for perspectives from each viewpoint and key takeaways from BlastWave.

Cyber Insurance: From Gold Rush to Wild West

Cyber insurance premiums have increased 80% in the past year, making them an unsustainable expense for many companies. In addition, cyber insurance was once a soft market where it seemed insurance carriers were covering anyone. Now, insurers better understand the sophisticated and persistent nature of the threat landscape, with cyber-attacks resulting in higher insurance payouts each year. Cyber insurance has changed into a tough market with draconian forms totaling hundreds of questions that different departments must answer. Due to a lack of standardization and the increasing complexity of IT environments, what was once a gold rush is now the Wild West.

MSPs experienced rising liability due to dynamic risk as they became the gateway for supply chain attacks over the past few years. These providers spend extensive time filling out forms yet are commonly denied coverage. The initial ransomware attack isn’t the only problem. After an attack, insurers must keep claims open due to the potential for litigation and exfiltration, making MSPs more susceptible to subsequent attacks.  

Technology, risk management, and insurance are becoming increasingly intertwined, but the challenge for insurers is that MSPs want the guarantee of zero risk. Bay elaborated, “Zero isn’t realistic. But effective security posturing can help companies get closer to zero by reducing the severity, impact, and frequency of attacks. It’s a matter of ensuring more fender benders and fewer ‘totals’ to improve your insurability.”

MSP Difficulties in Dynamic Risk Management

MSPs felt that, amid rising premiums and lower rates of coverage, the arduous questionnaire process is wasteful because it doesn’t accurately quantify dynamic risk. You can check boxes and legally claim you have a certain security product, but the actual risk reduction and implementation can vary. Furthermore, forms don’t align with how underwriters view risk - purely in terms of dollars and cents.  

Our CEO Tom Sego added that there’s a need for a standardized cyber risk “smog test” to replace the current questionnaire process. Attack vectors represent a dynamic risk that constantly evolves and has no historical precedent in the insurance industry. This makes the standardization of risk measurement extremely difficult. The lack of standardization increases the volatility of the market, complicated by the fact that many MSP clients don’t consider the importance of security posturing until an attack happens. This amounts to an operational difficulty instead of a technological one and necessitates a sense of urgency and a consistent way to rate insurability. In this market, MSPs must be pickier with their client choices, as there is not only a reputational risk but a financial risk if their client’s network is hacked and lawsuits ensue.  

Surmounting the Hurdles of Insurability

Across participants, there was an emphasis on a preventative cybersecurity approach to replace the prevailing reactive approach. MSPs are more vulnerable as they manage increasingly complex IT environments for their clients. For all the digitalization on the side of the “good guys,” cyber criminals are implementing automation in their own attack vectors, and even ransomware help desks. MSPs can address two key factors to increase their insurability and prepare for cyber insurance coverage.  

The human element is the underlying cause of 82% of cyber breaches. By eliminating credentials and minimizing the human element involved in authentication through a zero-trust approach, MSPs can reduce human error and improve their insurability. The second factor is reducing unauthenticated attack surfaces. MSPs can implement microsegmentation and device cloaking that keeps connected users, applications, and machines invisible to internal and external attackers, thereby reducing the opportunity to exploit exposed web services via CVEs, bugs, zero-day viruses, and more.

BlastShield, our Zero-Trust Network Access solution, creates a software-defined perimeter that includes phishing-resistant MFA, simple orchestration, granular access controls, peer-to-peer full-mesh networking, and device invisibility as a single solution. The solution presents no single public-facing TCP port for adversaries, amounting to virtually no attack surface. With BlastShield, we remove human decisions from the authentication process to simplify the security stack and reduce the possibility of human error leading to exploitation.  

No matter which perspective is closest to your own, we hope this provides insight on the current cyber insurance market. Let us know your difficulties related to cyber insurance and follow us on Twitter and LinkedIn. If you’re an MSP looking for assistance with strategic security posturing, contact us here.