Cyber liability insurance has become one of the most critical tools in the MSP risk management toolkit, but it’s also one of the most misunderstood. From claim denials to confusing coverage gaps, many MSPs and their clients are unsure what to expect from their policies.
In a recent webinar with Axcient™, a ConnectWise company, Dustin Bolander, Founder of Beltex, broke it all down in plain language, backed by first-hand experience as a two-time MSP owner and a licensed insurance professional in 46 states. Keep reading to cut through the noise and uncover what MSPs really need to know about what cyber insurance is and where it’s going.
Is cyber insurance a scam?
One of Bolander’s most quoted refrains is: “Cyber insurance is a scam.” That’s not what you’d think to hear from a man who started a commercial insurance company for MSPs. But, as he explains, that’s not because policies don’t work. It’s because most businesses don’t have the right kind of coverage.
According to Bolander, the common perception that claims are often denied stems from confusion over coverage. “Most of the claims we see get denied because the coverage doesn’t match the service.”
A general liability policy won’t cover data breaches or failed backups, and professional services coverage won’t protect against ransomware. What does work? A comprehensive policy that includes:
- First-party coverage: For incidents affecting your own business, such as ransomware or business email compromise
- Third-party coverage: For legal liabilities stemming from client data exposure or compliance issues
- Technology Errors and Omissions (Tech E&O): For services you deliver as an MSP, including backup, business continuity and disaster recovery (BCDR), managed IT, and security
“Professional services coverage is the most important for MSPs,” Bolander says. “That’s where the majority of claims occur—when something goes wrong with a service you’re delivering.”
What’s covered by cyber insurance?
Cyber insurance policies are designed to cover the costs associated with recovering from an incident. This includes legal services, forensic investigations, breach notifications, business interruption reimbursements, and reimbursement for financial fraud. While the specifics of each policy will depend on the carrier, the MSP, its clients, and, most importantly, its cybersecurity strategies; it’s essential to understand the purpose.
“The value is in the response,” Bolander says. “Most MSPs don’t have a forensics team or law firm on retainer. Insurance gives you access to pre-vetted, ready-to-go experts that step in when something goes wrong.”
These resources are invaluable in the aftermath of data loss, not only to cover expenses but also to protect your MSP from the external consequences of a breach. With that said, cyber insurance policies are inherently reactive rather than preventative.
“Insurance is not going to stop a breach,” Bolander reminds us. “It’s there to fund the response after the fact.”
What do carriers really want?
When it comes to cyber insurance applications, most underwriters are looking for clear binary answers: yes or no. According to Bolander, “Most of the underwriting is automated. Unless it’s a high-value policy, a human likely won’t even look at it. You want to check the right boxes to avoid a denial and get the best rate.”
The cleaner and more comprehensive your responses, the more favorable your outcome. These are the baseline foundational components that matter most in gaining and maintaining cyber liability insurance:
- Security awareness training: At least annually, including phishing simulations
- Multi-factor authentication (MFA): Especially for externally facing systems
- Encryption: For data both in transit and at rest
- Patching regimen: Within 30 days
- Email security: With filtering and protection
- Financial controls: For example, secondary verification processes for payment changes.
- Cybersecurity solutions: Antivirus, BCDR, endpoint detection and response (EDR), or managed detection and response (MDR)
This is a great starting point for what you can offer your clients to help them check those “yes” boxes and secure coverage.
Now, these are not best practices for a security-first approach, but Bolander notes that insurance companies are not great at security. For instance, most would agree that security awareness training should be conducted monthly or at least quarterly. Unfortunately, MSPs typically don’t receive a discounted rate for higher frequency.
Backups are still the last line of defense
As ransomware continues to evolve, backups remain a cornerstone of insurability.
“Every incident still involves restores—even the small ones,” Bolander notes. “Even if the MDR stops it, insurance still wants to be sure the system is clean, which often means reverting to backups.”
That’s why it’s essential to demonstrate the following to cyber insurance carriers.
- Off-site backup storage
- Immutability (as defined by each carrier)
- MFA-protected access
- End-to-end encryption
Axcient’s x360Recover solution for BCDR is designed with these requirements in mind, allowing MSPs to apply and secure favorable policies easily. As Bolander put it, “These are the controls underwriters are looking for, and having them makes you more attractive as an insured.”
- Geo+: Replicate backup data within the encrypted Axcient Cloud from one geographically located site to another
- Chain-free backups: Create immutable snapshots of data at regular intervals by capturing the state of the data at a specific point in time
- AirGap: Protect backup immutability with an enforced security archive for backups, honeypots, human factor controls, and time gaps
- MFA: Mandated for all critical systems, including Axcient data centers, which require a VPN with MFA access
- Encryption: Protect data in transit and at rest with AES-256 for at-rest encryption, TLS 1.2 for encrypting communications, and SSE
Talking cyber insurance with customers
One of the most overlooked benefits of cyber liability insurance is its influence in elevating cybersecurity standards, both for MSPs and your clients. Since 2019, Bolander believes cyber insurance has done more to raise the security baseline than anything else.
“We used to beg clients to turn on MFA. But now they see it on the insurance application, and suddenly, they’re demanding it from us.”
MSPs can use that to their advantage, leveraging cyber insurance requirements as the “stick” to get clients to adopt necessary protections.
“It gives you a business case to sell security tools, and in doing that, you’re not just securing the client, you’re increasing your MRR.”
To do so, start the conversation early. Ideally, during quarterly business reviews (QBRs) or onboarding. Don’t wait until a client is scrambling to respond to an incident.
Follow the basic framework below to guide the discussion. For more tips on maximizing client outcomes, check out our blog about QBR best practices.
- Ask about their current insurance
- Even if you have insurance, are you sure your policy covers the services we provide, such as backup, endpoint protection, and recovery?
- Are you confident you can answer “yes” to all the security controls asked by your carrier?
- Present yourself as a security enabler
- Conduct a mini risk assessment using the most common cyber insurance criteria.
- Identify and prioritize gaps that could delay coverage, deny a claim, or lead to higher premiums.
- Conduct a mini risk assessment using the most common cyber insurance criteria.
- Identify and prioritize gaps that could delay coverage, deny a claim, or lead to higher premiums.
Cyber insurance isn’t optional
It’s easy to view cyber liability insurance as a hassle, but the risks of going without it or choosing the wrong coverage are far greater. Incidents are no longer a matter of “if” but a matter of “when,” and when disaster strikes, insurance can mean the difference between survival and closure.
“If your client gets ransomed, even if you did everything right, they’re still going to be upset,” Bolander says. “Insurance gives you and them peace of mind and access to resources you likely don’t have in-house.”
Within our Marketplace, we have several ConnectWise Invent™ certified integrators who can help secure coverage for you and your customers, including SeedPod Cyber or ControlCase.
