Late last year, Graff — the luxury British jeweler — was hit by Conti ransomware. When the cybercriminals began leaking data about high-profile clients, Graff paid them $7.5 million in bitcoin (half of the original ransom demand) to prevent further publications.
Like many modern companies, Graff was insured against cyberattacks, which are often financially devastating. Even if you can avoid paying staggering ransom demands, the operational downtime and reputational harm associated with an attack carry substantial indirect costs.
But when Graff attempted to recover their losses through their insurer, the claim was denied. They’ve now filed a lawsuit over the matter.
Cyber insurance is still valuable, but it’s not enough
Whether or not Graff’s claim was rightfully denied, it’s an example of an ongoing trend: the rising tide of cybercrime is forcing insurers to tighten their payouts.
Coverage in general is getting harder to qualify for. Many insurers now require prospective clients to demonstrate at least basic internal security practices, like the use of two-factor authentication, to qualify for a plan. Premiums, meanwhile, have been growing each quarter since 2019. A recent report by Gallagher found a median cyber insurance premium rate increase of 37% in Q1 of 2022 alone.
It’s not a matter of greed. Insurers have consistently reported rising cyber-related claims in recent years. Despite quarter after quarter of premium hikes, loss ratios in the industry have been near 70% since 2020 — leaving little room for profit. Insurance providers must contend with the aftermath of a seemingly endless flood of cyberattacks, and the associated damages are increasingly expensive.
All of this is tough news for you and your clients. Having a cyber insurance policy is still important, and may be the make-or-break factor in a business’ survival post-attack. Yet the average SMB is paying roughly twice as much in premiums as they did last year — for about one-fifth of the coverage they used to get. And MSPs are just as vulnerable in this new reality: your own premiums are almost certainly up as well.
Reset expectations and expand your security services
Cyber insurance isn’t quite the hedge that it once was, clearly. What should also be clear is that relying on insurance to mitigate the impact of cyberattacks is nowhere near sufficient.
Even if an organization is able to recover damages from their insurer, it may not be enough to contain the massive financial and reputational harm they’ve suffered: data breach costs are, on average, measured in millions of dollars. And if your clients are successfully attacked, their insurers may come after you in an attempt to recover some of that money.
There are a few steps MSPs can take to protect themselves and their clients accordingly:
- Start by getting your own internal security in order.
- Assess your vulnerability to supply-chain attacks, set up multi-factor authentication, and ensure that patches for major software tools are retrieved automatically.
- Insist that your clients subscribe to at least basic cybersecurity services as a requirement for working with you.
- Negotiate with your carrier regarding your own cyber liability coverage and costs, showing them the steps that you’ve taken to reduce their overall risk.
- Next, help your clients to understand that cyber insurance — while still necessary — isn’t the reliable backstop it once was. Going forward, a better risk management strategy is one that will help them shore up their cyber defenses, so that they have fewer breaches to contend with. This is something you can help with.
- Finally, sell clients on the value of increased cyber protection services. No matter their industry, it’s not enough to simply subscribe to data backup services and device provisioning: threat-agnostic cybersecurity is essential in this digital age. Most businesses would benefit from advanced security services, which can use tools like AI to detect phishing emails and other widespread social engineering threats.
An integrated approach — one that combines security, backup and disaster recovery — can ensure comprehensive protection across entire environments, while also enabling you to easily and affordably upsell additional services (like advanced email security or advanced data loss prevention), depending on a client’s specific needs.
Set yourself up for success
Cyber insurance remains a valuable tool, but qualifying for coverage is getting tougher — and the premiums-to-payouts ratio is dropping. This reflects a swelling cyberthreat landscape, where attacks are constantly evolving in frequency and sophistication.
In order for this to continue making financial sense, MSPs and their clients alike must take further steps to decrease their risk posture. That means establishing comprehensive cyber protection — the integration of cybersecurity and data backup — and maintaining general best practices around internal security. Doing so will make successful attacks significantly rarer, and strengthen your insurance claims if disaster does strike.
Integrated platforms like Acronis Cyber Protect Cloud enable unique functionalities — like defending backed-up data, automatically scanning it for malware before restoration, and collecting forensic logs and memory dumps for storage within the backup. These proactive measures are exactly the kind of things your insurer wants to see.
The new realities of cyber insurance, and how to reduce clients’ cyber risks (as well as your own) were covered in a recent Acronis webinar: MSPs: What you need to know about cyber insurance in 2022. Watch the replay on-demand for more insights from channel experts.
This guest blog is courtesy of Acronis. Read more Acronis guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.
