Cybersecurity Insurance – Are you covered? Wrap-up
In this series, we are looking at the built-in Cybersecurity Insurance traps for your business – no matter the size. Business Insurance Cybersecurity Riders aren’t the same as full Cybersecurity Insurance, but they are a good starting point to up your security game.
One of our partner companies – Ben Yarbrough from Calyptix – has posted an excellent article on ChannelPro Network for MSPs (like daviestrek) to evaluate their security stance and posture with clients to make sure the client AND the MSP are covered in the event of a disaster. “Cyber Insurance Litigation: 3 Pitfalls Every MSP Needs to Understand” is a great article with a number of points worth taking a second look at.
Note: The following FAQ was taken in its entirety from the article. Anything in brackets [ ] is my editorial emphasis or change.
FAQs
Q: Can an MSP be liable even if the client’s cyber insurance denies coverage?
Yes. Coverage denial can increase the likelihood of client disputes including breach of contract or negligence claims.
Q: Does Tech [Errors & Omissions] cover ransomware events?
Tech E&O typically covers cost of defense and liability for third-party claims alleging professional service failures or negligence (e.g., malpractice), not the ransomware loss itself.
Q: Are vendor warranties a substitute for cyber insurance?
No. Vendor warranties are marketing and sales techniques for assuring quality of a product or service and not substitutes for cyber insurance. Vendor warranties are limited, one-size fits all, unregulated, cancellable, and may exclude incidents and losses covered by insurance.
Q: Should MSPs help clients with insurance applications?
[Maybe.] Failure to assist could lead to gross inaccuracies. Any assistance should be provided carefully. Document and retain supporting details for applications and renewals and ensure they are completed accurately based on current facts at the time and not based on future services, controls, or projects.
Q: Who can be held liable in a cyber subrogation claim?
Common targets for subrogation claims include cloud vendors, MSPs, MSSPs, cybersecurity consultants, and software vendors whose negligence or breach of contract caused or worsened the incident. [This would be whomever you use for your IT needs]
Q: Can contracts reduce the risk of subrogation?
Maybe. Enforceable contracts with effective limits of liability and a waiver of subrogation may reduce the risk of subrogation but will not eliminate the risk entirely. Even with effective contractual defenses, the litigation cost of defense can be high.
Q: Is subrogation always successful?
No. Successful subrogation must overcome several challenges including attribution, contractual defenses, and financial viability. Subrogation claims may be abandoned once viability is exhausted. Even unsuccessful subrogation can impose significant costs on targeted firms.
Q: Can an MSP’s internal documentation be subpoenaed in a cyber insurance dispute?
Yes. Insurers can seek tickets, logs, on-boarding checklists, and configuration records during coverage disputes or subrogation investigations, including to verify underwriting assumptions and application details.
Q: Does a client’s waiver of subrogation automatically protect an MSP?
Not necessarily. Waivers must align with the client’s insurance policy language, and some policies restrict or override contractual waivers.
Q: Can social engineering losses ever qualify as funds transfer fraud?
Rarely. Courts generally require unauthorized system access to trigger funds transfer fraud coverage.
Q: Do insurers look at MSP contracts after paying a claim?
Almost always. Contracts, SLAs, and scopes of work are central to subrogation analysis.
Key Takeaways from this Wrap-Up:
It’s extremely important to talk with your IT/MSP/Computer Expert about any “cybersecurity” riders or insurance your business plan may carry. Then, begin the process of “beefing up” your security posture. Nothing is as valuable as your Identity and your business reputation. The proliferation of AI tools that make the Bad Guys jobs easier (they’re even franchising the tools/systems!!) makes security harder to push aside or ignore all together. Yes, you really DO have something worth stealing.
