How to talk to your clients about risk: preparing for cyber insurance

David Powell, VP of Sales Strategy, Pax8

As a managed service provider (MSP), you ultimately own the cybersecurity risk of all your clients. In the event of a security breach, your clients will reach out to you to find out what went wrong. At the same time, threat actors know that MSPs have the keys to the kingdom when it comes to getting to organizations. This brings up the importance of cybersecurity insurance (or cyber insurance, for short), which helps organizations protect themselves from the financial repercussions of cyberattacks and data breaches.

Speaking with your clients about cyber risk can make for one of the most important conversations you have with them, especially when it comes to preparing them to be good candidates for cyber insurance. This blog will guide you through effective strategies to discuss cyber risk with your clients and what insurance providers are looking for.

Why is cybersecurity important to my clients?

First off, cybersecurity incidents are not just possible, but inevitable. Every business, regardless of size, is a potential target for cybercriminals. In fact, 70% of ransomware attacks hit small and medium-sized businesses (SMBs). And one report out of the U.K. showed half of small businesses hit by a cyberattack didn’t survive.

As an MSP, your role is to educate your clients about the realities of cyber threats and the importance of robust cybersecurity measures. This conversation is not just about selling services; it’s about protecting your clients’ businesses and ensuring they are prepared for the worst-case scenarios.

Why is cyber insurance important?

Due to the all-but-certain nature of cybersecurity breaches, cyber insurance is a must, especially in heavily regulated industries such as government, healthcare, and the financial sector. Standard insurance policies such as general liability coverage and errors and omissions typically don’t cover cyber incidents. This means companies would be on the hook for the full cost of these incidents.

Cyber insurance policies help SMBs by covering such issues as ransomware payments and malware remediation. This helps companies limit the damage from cyber incidents and recover more quickly.

Key strategies for discussing cyber risk

Despite the troubling statistics, your clients might not take cyber threats as seriously as they should. That’s why it’s best to come in with a solid plan of action. To effectively sell cybersecurity to your customer base, talk about the importance of preparing for their industry’s cybersecurity insurance policies. While aligning with the CIS Controls framework may not resonate with them, emphasizing the need to be ready for industry policies will help them better understand why it’s important to invest in their cybersecurity posture. Take a look at our toolkit of resources to help make this conversation a successful one.

Speak with the right individuals

Ensure that you’re engaging with individuals who have the authority to make decisions about cybersecurity investments. This often means speaking with someone who understands and manages risk at the company, not just the IT department.

While an IT professional might not fully grasp the broader company risk, a CEO or CRO would. Ask the CRO whether they’re comfortable sending out breach notification letters that, while necessary, could hurt the company’s reputation. They may worry that their sales teams will have a harder time talking to customers once those customers learn their data has been exposed, but they should understand why it’s better to be forthright: concealing a breach exposes the company and its data to greater risk.

Present facts, figures, and examples

Use concrete data from reliable sources to illustrate the risks and potential costs of cyber incidents, such as IBM’s “Cost of a Data Breach Report,” which states that the average impact of a data breach on organizations with fewer than 500 employees is $3.31 million, with the average cost per breach at $164. And instead of merely describing why a cyber incident happens (which they may already know), get hyper local and hyper personal by researching incidents that have happened to companies like theirs, so they get the picture. One phrase that can help? “What we’ve seen with other clients,” which can help illustrate the point further.

Ensure they understand they’re a target

Regarding the last point, hammer home that there’s no such thing as too small a business to be a target. Far from it! Small businesses are even more at risk than larger ones because they tend not to have as robust security measures in place.

Tailor your offerings to their needs

Research your client’s industry-specific concerns and be prepared to discuss how cyber risks can impact their business operations. Tailor your conversation to address their unique vulnerabilities and regulatory requirements.

It’s understandable to feel overwhelmed: there are about a million different cybersecurity products available to MSPs, and you can’t possibly know every vendor and product offering on the market. But you can have a security stack you’re comfortable with and confident in. Just make sure you tailor each of your offerings to the client. The tools of the trade can be the same, but you should choose what’s best for your client’s industry.

Guide them towards a better outcome they wouldn’t have arrived at on their own

You want to direct your client to the right path to cybersecurity success. This entails telling your clients about cybersecurity facts and incidents without being condescending but rather in an empowering way. Share positive, actionable steps, rather than scaring them into action, by offering to implement security frameworks and offering bundles.

Discuss compliance

Highlight the importance of compliance with industry regulations such as HIPAA, PCI DSS, GDPR, and others. Explain how non-compliance can lead to severe penalties and increased risk.

Suggest a risk assessment

Offer to conduct a comprehensive risk assessment to identify vulnerabilities and recommend actionable steps to mitigate them. This assessment can serve as a foundation for your client’s cybersecurity strategy.

Preparing clients for cyber insurance

Insurance providers are increasingly scrutinizing the cybersecurity measures of potential policyholders. As more cyberattacks happen, more organizations take up insurance, leading to higher prices and lower coverage limits. To help your clients become good candidates for cyber insurance, focus on the following strategies.

Create a plan to develop a strong security posture

To build a security posture strong enough to make your clients good candidates for cyber insurance, you need to develop a solid plan and communicate it to them. This plan should include implementing at least basic cybersecurity measures such as multi-factor authentication (MFA), endpoint detection and response (EDR), and security awareness training, which are often among the minimum requirements for obtaining cyber insurance. Use the cyber insurance readiness bundle as a starting point for clients that need to establish basic cybersecurity hygiene.

Highlight incident response capabilities

Explain the importance of having a well-defined incident response plan, which may also be a requirement. This plan should include steps for detecting, responding to, and recovering from cyber incidents.

Encrypt sensitive data

Your clients may need to encrypt sensitive data in order to get cyber insurance. Encryption scrambles data so that it can only be read with a unique key, which means that even if the data is stolen, it remains unreadable to the attacker.

Use privileged access management

To prevent the potential misuse of accounts scattered across multiple systems, insurers might mandate the use of privileged access management (PAM) solutions. For larger teams, PAM enhances cybersecurity by restricting critical resource access to only those with proper authorization.

Align with industry standards

Ensure your clients’ cybersecurity practices align with recognized industry standards and frameworks, such as the CIS Security Controls, around which the Pax8 Marketplace has been built. Compliance with these standards can enhance their eligibility for cyber insurance.

Are your clients ready for cyber insurance?

As an MSP, your clients depend on you to effectively communicate the importance of cybersecurity and to prepare them for cyber insurance. Remember, the goal is not just to sell services but to build a trusted partnership that enhances your clients’ security and resilience in the face of evolving cyber threats.

Ready to start the conversation? Download our cyber insurance readiness guide to make sure your clients are hitting every point before applying for cyber insurance. And be sure to register for a Pax8 Mission Briefing, a two-day event where you’ll learn how to reduce your risk and sell more cybersecurity.
