MSP Mastery: Ctrl-Alt-Deliver

The Insurance Trap: Is Your MSP Unknowingly Underwriting Your Clients? with Tim Stephinson

Jeni Clift, Nick Clift Season 1 Episode 34

Welcome to MSP Mastery, the podcast for MSP owners and leaders who want to build a better MSP; one that actually works for them.

I’m Jeni Clift, joined by my husband and long-time business partner, Nick Clift. Together, we’ve spent decades building, scaling, and eventually exiting our own MSP business.

Over the years, we’ve seen firsthand that the MSPs who thrive are the ones willing to evolve. And right now, few shifts are more important than how we manage risk, professional liability, and the critical boundaries between our business and our clients’ data.

In this episode, we sit down with Tim Stephinson, COO at Sherpa Tech and an Australian insurance specialist with over 20 years of commercial experience. Tim helps us cut through the complexity and confusion surrounding cyber insurance and professional indemnity to ensure MSP owners are properly protected without the usual friction.

Here’s what we covered together:
 ✅ Why the phrase "we don't need insurance because our MSP has it" is a massive red flag
 ✅ The "survival vs. inconvenience" rule: how to prioritise the risks that could actually kill your business
 ✅ Why you must have the insurance conversation before onboarding a high-risk client
 ✅ The vital difference between a "process failure" and an "absence of process" (and which one is insurable)
 ✅ How to stop being the silent insurer for your clients and start saying "your data, your problem"

We created this podcast to share the real conversations and lessons we wish we’d had more of while running our own MSP; practical insights from people who understand the challenges, pressures, and opportunities in this industry.

Whether you are questioning your current coverage, struggling to explain cyber responsibility to your clients, or worried about being "on the hook" for a third-party breach, this episode with Tim offers a grounded and timely perspective on what leaders need to do now to build a business that is both profitable and fulfilling.

👉 Connect with Tim on LinkedIn: Tim Stephinson
🌐 Learn more about Sherpa Tech: sherpatech.com.au
 🎧 Listen to other MSP Mastery Podcast episodes here: mspmastery.blog

SPEAKER_03

Cover yourself with your insurance for the things that are going to kill the business, not just the things that are going to be an inconvenience. You should try and get insurance first, because if there's a vulnerability that exists because of their poor environment and they're breached, well then who's responsible at that point? You're on the hook. We've seen some end clients say, well, we don't need cyber insurance because our MSP has insurance. And that's a big red flag for MSPs to go, hang on, your infrastructure, your data, your problem, if there's a breach or if there's an incident, you need cyber insurance to cover that exposure.

SPEAKER_00

Welcome to MSP Mastery, podcast for MSP owners and leaders who want to build a better MSP, one that actually works for them. I'm Jeni Clift, and alongside my longtime business and life partner Nick, we unpack what's really working in thriving MSPs, including insights from the trusted partners who support them. Between us, we've clocked up more than 60 years in the MSP industry, long enough to have tried all of the shiny new tools and the latest game-changing SaaS product that promises the world. This is MSP Mastery. Here's Nick, myself, and today's special guest. Today we're joined by Tim Stephinson. Tim is the COO at Sherpa Tech, an Australian insurance specialist focused on tech and IT businesses. He helps MSPs and technology companies cut through the complexity of insurance so that they can get the right cover, especially around professional liability and cyber, without the friction and confusion. With more than 20 years experience leading and scaling businesses across tech, services, and innovation, Tim brings a commercial real-world view of risk and protection that's highly relevant to MSP owners. Tim, welcome to MSP Mastery.

SPEAKER_02

Thanks for having us, Jeni and Nick. No worries, Tim. Good to meet you again. It'll be an interesting discussion because I've got a love-hate relationship with insurance, like I'm sure many of our listeners have. But you know, it's gonna be really interesting to get some insights from your perspective, what works, what doesn't work, what MSP should look out for, etc. So I'll be really looking forward to this discussion.

SPEAKER_03

Hopefully we make insurance a little bit more exciting and demystify it a little bit, because look, everybody's got a horror insurance story. Oh, at least one. Just one, just one. But what we try to do is actually help people understand what it really does. And there's different classes of insurance, and they can be approached differently. So yeah, we'll get into all of that once we start talking about all the exciting stuff.

SPEAKER_00

Absolutely. And Tim, you've welcomed us to challenge and dig deeper, so absolutely. And Nick loves nothing more than that.

SPEAKER_02

So that's what my caption on my shirt says today.

SPEAKER_00

Never underestimate an old man with a motorcycle.

SPEAKER_01

Exactly. And I've got five of them parked out at my villa. Watch out. Well, we could easily go off-piste today and just talk about motorcycles. Um hundred percent, man. 100%. I'm down for that.

SPEAKER_00

And I don't know, we'll ask the audience motorcycles, insurance, which one's more interesting? Just on that note. So Nick's thing has become over the last couple of years riding motorcycles around the world. So he's done Himalayas and Thailand, and I think Vietnam is the next. Or going to Lombok next week. So yeah, we could easily spend 40 minutes talking about that, but let's try and stay on script today. So, Tim, I'll get you first. I'm an EOS implementer. I start all of my meetings with this. Please share your personal and professional bests from the last six months.

SPEAKER_03

Right. So professionally, I feel like one of the big things we've done is really help our clients understand risk better. It's it's interesting. Everyone sort of says, Oh, well, you sell insurance. And I sort of counter that with, no, we we actually help expose risk. So the first thing we try to do is actually get businesses to understand what are their risks. And insurance is just one of those mitigators. And I suppose from a a personal side, I've got two beautiful children and they're both at school now. So I feel like that's a win. I get one drop-off in the morning, so it's hard. We always joke.

SPEAKER_02

Our kids are obviously not even young adults anymore, they're middle-aged now, nearly 30. But we always joke it to people who have young kids and say, ah, it's great. School, getting to school's awesome, but it's the first 20 years of the worst. After they turn 20, life is just beautiful.

SPEAKER_03

Some of my friends keep saying bigger kids, bigger problems. So, you know, I'll see how I go on that journey.

SPEAKER_00

I'm now officially the shortest in the family, although I am taller than the French bulldogs. But yeah, it I think it doesn't matter what age they are, they're always good fun. Tim, I'll get you to introduce yourself. How did you end up where you are in the insurance industry and what was your journey?

SPEAKER_03

Yes, I've worked in a number of businesses over the years. I actually started out working in a family business. Mum and dad had a window tinting and construction business that we did interior fit out and a bunch of different services. And I worked there for a number of years and helped scale and grow that. And we sold that in 2016. And then I worked for a another organization as a chief operating officer doing lights, lasers, and fountains. And we had some really exciting projects where we used technology to control mechanical outputs being fountains, lasers, projectors, and putting together permanent installations. So Dubai, Singapore, the company's original project was the Hong Kong City Skyline back in the late 90s, with basically using technology to control all those assets to entertain people and advertise and do all sorts of other amazing things. And it was through that that I got a really good understanding of, I suppose, IT technology and control systems. And then I met my current business partner, Andy Bremner, when I sort of my wife said, You can't keep travelling around the world. That wasn't going to be sustainable. And not with young kids anyway. And yeah, I'd always managed risk in in everything that we did. I didn't always understand insurance. And it was when I met Andy where I'd sort of started to share a bunch of scenarios that I had in many of the businesses that I'd held over the years. And he's like, You actually had an insurance claim there. And I went, Oh, nobody ever highlighted that to me. So there was many angles. Had I have had the knowledge in my own businesses at that time, I could have used insurance as a tool or a lever to solve many problems. And that's kind of the way I touched on it earlier. We have a risk-based discussion where let's look at the things that are challenges in the business. And I used to accept a lot of risks, so I had a large fleet of vehicles, and we'd actually say we don't need to insure them. 
Because I had a lot of panel beater clients. And so we could fix cars if we needed them. And if we saved $1,000 a year and applied that to each car, we ran our own almost insurance pool in that way. And you can do that. And we encourage clients as well, if they've got the right vendors in the mix, to consider self-insurance in some aspects, but then maybe cover yourself with your insurance for the things that are going to kill the business, not just the things that are going to be an inconvenience. And that's where, you know, we say, where do you sit on that sort of risk tolerance, risk accepting spectrum? And then you can craft an insurance program that actually meets the needs of the business and your clients.

SPEAKER_00

Interesting. And yeah, I was as you were talking, I'm thinking, okay, so you started off in a family business in construction and then went into lighting. It's perfect segue into insurance.

SPEAKER_03

Well, apparently no one ever aspires to go into insurance. It's something you you discover later in life.

SPEAKER_02

Yeah, yeah. One of our really good clients was an insurance broker. And they were super successful because they took on massive building projects as the main, whatever you call them, risk, I suppose they called them back then, like a billion-dollar construction in Dubai or something like that. So they would do all the negotiations with the developers and the constructors and the obviously the underwriters. And yeah, they would take on a lot of so the risk profile for them was high because they would take on these high risk projects, but the rewards were awesome if you got it right. And because they had a really good solid system and a process, they were able to manage the all the different components. So yeah, I understand insurance, it's one of those love-hate relationships you have. But we're just talking with our financial planners last week, and my father's a classic example of an old school, he never paid us, he's very proud at 86 years old that he's never paid a cent of insurance to anybody. And he goes, I've only ever had one thing go wrong that I had to pay for myself. So in his mind he's won, it's a win, but he also was a bit self-centered and hasn't really considered the impact of other people around you. And in inside of an MSP business, it's not just yourself and your own owners of the business, it's your staff, the world well-being of your business and also your clients. And if you don't have the resources to recover from a risk event or some kind of event, that impacts everybody, not just you as the owner or the directors.

SPEAKER_03

Well, I mean, one for your listeners out there is they can just write down on a piece of paper what are your big three risks? They can be anything from customers, clients, employees, cyber breaches, supply chain, but have a look at your big three risks and then sort of start from there as a way to navigate whether you insure or how you approach that. I think insurance as well, it's a little bit like IT. Sometimes it's very misunderstood for the function it plays within a business. And that's something we try to do is help our MSP customers understand how the insurance players operate in the market. So from underwriters to brokers, now to vendors aligned with insurers as well. And then if they understand that well, they can also help their clients navigate that world. And not that they have to consult or solve the insurance challenges, but they can at least highlight gaps in that risk program that they might be plugging or even uplifting for end customers, and really use it as a bit of a sales tool to engage on as well. Yeah, I agree.

SPEAKER_02

Because you think about being in this game for a long time, 1996. And back then, 1996, you had a screwdriver, some cables, and maybe a modem in your bag, and you had the uh universal disc adapter, so you can have IDE or SATA or PATA discs, and yeah, that was your toolkit to go fix tech problems.

SPEAKER_00

And a car, because we were regional Victoria, so our guys would routinely do 70,000 kilometers driving a year.

SPEAKER_02

I had a pager, not even a phone. But it's changed. Like the technology providers today, it's a given everybody can fix the tech problem. So managed service providers or technology service providers, whatever you want to call them, the successful ones, and I'm interested to get your take on this. The successful ones are ones that understand their clients' business better. It's not just fixing a tech problem, it's how do you apply technology to your business and how do you reduce the risks running your business? And as you just said before, our mantra has always been how do we help your clients' clients? Because you've got to create that depth and be their trusted advisor and make sure that you are adding value to the whole relationship. Yeah. I was talking with one of my clients yesterday and he was saying that he did a QBR with a client, and they actually sat down and went through the P&L of the client's business. And all open book, now that's trust, right? That's a long-term trusted advisor and trying to get some advice on how they can mitigate this downturn one segment of their business. And yeah, there that's where you want to get to. And I suppose from today's discussion helping MSPs build a better business, it's like, how do we bring insurance and risk into that and make it better?

SPEAKER_03

Well, I think there's also tools now available that help drive that conversation with a lot of your clients that sometimes they're not all as open as that, where they're wanting to, you know, show you your P&L or show you what they manage. But there's tools, our diagnostic tools that exist that the insurers are using basically to de-risk their own products. Things like SecurityScorecard, UpGuard, there's another one called Kind, amongst others, where they scan the third party's environment and basically say, well, here's what your digital footprint looks like. And I know a lot of MSPs can be critical of those tools because they don't always give a true reading of how they would see the risk of their clients. But we've been advising MSPs to use those tools to their advantage and say, well, here you go, end client, 80% of this we currently manage for you as part of the managed service. But it'll pick up if a third-party marketing company is connected to the domain or some area and could be negatively affecting the risk score that the insurer looks at. We see it with a lot with e-commerce sites or other platforms that is outside of the MSP's scope, but the client doesn't realize that responsibility is on them. And that's where we've seen some end clients say, well, we don't need cyber insurance because our MSP has insurance. And that's where that's a big red flag for MSPs to go, hang on, end client, your infrastructure, your data, your problem, if there's a breach or if there's an incident, you need cyber insurance to cover that exposure. And so the ones that we've seen be successful with that will survey their client base, almost like if when you had your MSP, many of your customers would ask, do you hold professional indemnity, do you hold public liability? And later in the piece, cyber insurance. But it good MSPs will ask their customers, do you hold cyber insurance as part of an onboarding step? 
Because if they leave a gate open or they get phished or something, that exposure's on the client, really, not the MSP.

SPEAKER_02

And it's a shared responsibility model, isn't it? It's not like you can't abdicate the responsibility for a cyber risk or data protection.

SPEAKER_03

And we've we've seen a number of claims in the last couple of years as well where the MSP will get paid through that breach by the insurer.

SPEAKER_00

And Nick, you mentioned abdicating. I I can't remember where I saw this, but it's I would say in the last year where somebody was asked a question, and it was a client of an MSP, about their policies and whatnot around security, and their answer was our MSP has cyber insurance, so we've got free rein. We can do what we passwords, don't need those. Our MSP has cyber insurance. I don't think it works that way.

SPEAKER_03

Yeah. And I look, it's something we do with a lot of our clients is sort of go through their policy documentation and confirm what do you or don't you have coverage for. To go a little bit back a couple of steps, cyber insurance is a really new class of insurance. So it's only been around about 15 years. And so you get a lot of variation between different policies. And it's really important that clients understand what is included in those policies because everyone jumps to the well, am I covered for a million or five million, or what's the top line number? But below that, there's a lot of exclusions or coverage limit differences for different sections. And the worst thing is if you have a claim and then you thought you were covered for something, turns out you're not.

SPEAKER_00

You have to read that PDS.

SPEAKER_03

Is that the You do well, your broker should, and your broker should highlight it to you. But also I like to take scenarios to insurers. So, you know, if you still had your MSP and you said, well, look, I'm concerned about this SaaS product we're using or this third-party vendor, what happens if they had a vulnerability? Would I be protected? And actually, this this exact example happened after the the CrowdStrike outage, where we had a number of people contact us saying, What if our vendor X had a similar incident? How would our insurance policy handle that? And and that's a great question. So we would take that then to the insurance provider and say, okay, our client, good customer of yours, they're concerned about would they be covered if insert vendor here went down in a similar manner? And the insurers came back in most cases and said, Well, our definition, for example, one policy is your network is defined by your physical network and your suppliers or your vendors. And so, in our view, they would form part of your network. So yes, they would be covered. And what that did was gave us a tangible example to say if that presented itself and you pick up the phone to, you know, us or your insurance responder and say, we've now got a claim, X has happened. We've already tested that assumption. We've got evidence we tested that assumption. And claims can take many different twists and turns. So insurers will always leave a little bit of wiggle room. But as a broker now, we can defend you. We can go in and advocate for you to those insurers. Nick, it was your comment earlier about you know having to fight with an insurer. That's that's the role of a good broker. Yeah. Yeah. Where people sometimes say, oh, do you work for the insurer? Do you work for the client? Like, where do you as a a business sit? And we very much sit, in our view, with the the customers or the MSPs. 
And I think there's some claims data around even on motor policies, if you're represented by a broker, that pool of insurance has a 20% higher payout rate than a direct held policy because there's someone who's holding the insurer to account.

SPEAKER_00

You said about the broker, and I remember having a conversation with our broker years ago when he was a new client and we decided to move all of our insurance across to him and his business, and he went through everything that we had in place and said, now if you have a claim, you ring the insurance company. And I said, I got your mobile buddy, I'm ringing you. And he kind of laughed and said, Yep, okay, do that then. And I don't think we ever actually had a claim through them, but we've been exceptionally lucky through the years. We've had very few claims, which I'm glad about. We've had a couple, but but yeah, my view was always have a broker, make sure that we understand what we're in covered for, what we're not covered for, which is often more important, and somebody to come in and advocate for us if we did need that. And just that advice. How do we approach this? How do we have the best outcome?

SPEAKER_03

I mean, sometimes I'm a little bit of a counselor to people as well. So I've been through some cyber incidents where it people need a sounding board to say what's the best path to take. And we'll always discuss it before bringing the insurer into the conversation. But we had a unique example where an MSP had some co-managed servers with a client, and those servers were ransomwared and encrypted. And so it was a very stressed owner calling us saying, hey, we've got this situation, and our advice to them was to trigger their cyber policy immediately. We suspected that it actually wasn't their assets, it was the client's assets by definition. So, but we said, let's bring the insurer into it to arm you with that information to be able to not push back on your client, but at least give them a view very quickly for whose responsibility it is. Now, nothing stops that client making a professional indemnity claim down the track and blaming the MSP. But what it meant was the speed to response was super quick. So within a couple of hours, we had answers from the insurer saying, as far as they were concerned, it's not the MSP's responsibility from a cyber exposure perspective, and that the client needs to trigger their insurance. Now, the client actually didn't have cyber insurance, so we were then able to also give them connections at the incident response teams that the insurers provide to access those services directly. So very quickly, even though they didn't hold insurance, it was a large customer, end customer, they were able to access the incident response services directly through a law firm. The MSP was made to look good by helping them navigate it, but without being the responsible party.

SPEAKER_00

Yeah, without taking financial responsibility. Yeah.

SPEAKER_03

Yeah. And I think that's something where you can use your insurance providers to your advantage. Everybody's always fearful about bringing your insurer into a conversation. Yeah. And it's very much not the case in a lot of examples. They're there to help you. And we also say that as well with getting insurance. The more you tell your insurer at the process at the beginning of the process, the better the coverage. If you're doing something high risk, if you're doing SCADA activities, we have options. You know, we can find insurance for quite niche and bespoke services. But if you fail to tell your insurer that, if you have a claim and then it's uncovered, the insurance won't respond. It won't it won't exist. So you'll then have the claim denied. And so we sort of take the view that if you're paying for something, you want to make sure it's real. It's not just a tick box thing.

SPEAKER_01

Yeah.

SPEAKER_03

Yeah, you've got to actually make sure it's fit for purpose. Yeah. Another thing we see with a lot of insurers, the underwriters particularly, is they misclassify business activities of MSPs because everyone loves to call themselves an MSP. So, oh well, I do managed services. And it's a big scary umbrella for insurance providers. But when I sort of start to unpick, and you know, when you had your MSP, you know, my first couple of questions would be around, oh, well, you're you're a managed service provider, but okay, how much is hardware? How much is SaaS? A lot of people group the Microsoft bill within the managed service. So there's things that you can pull apart there to really help the underwriter understand, well, what are the activities that we're really insuring for? And where does that exposure sit?

SPEAKER_00

My first actual question was around why now of cyber insurance. And I guess the biggest red flags that would cause an insurer to walk away from an MSP. So when you're working with a client, an MSP, who's come to you and said, I need to get some insurance place, how do you take them through that process of getting insurance ready?

SPEAKER_03

Yeah, so most good mature MSPs will already have an insurance program. So the first thing we do is really understand, like I said before, what are the services they're actually delivering for their clients? We're definitely seeing more MSPs now offer security and even governance and risk compliance, implementing ISO, NIST, CIS controls, SMB1001 for their client base as well. So we want to make sure that the insurer has actually been made aware of all of those things. And sometimes the insurers don't ask the right questions across that. So we really help unpack that. And then we measure that against their actual insurance policies. So the biggest area of exposure is professional indemnity, which is bad advice or perceived bad advice being blamed for that from their customers. And that's what we saw about five years ago. A lot of the insurers started to walk away from managed services as an area that they wanted to insure for. People were, they were fearful of the clients blaming the MSP for their cyber vulnerabilities. We've definitely seen that change now. And with the inclusion of cyber insurance embedded with professional indemnity policies, now there's a lot less gaps for insurers. Insurers want a product that they can pay out on. They want certainty around claims, what they're going to look like. Clients holding cyber insurance has actually de-risked that because if your client holds a cyber insurance policy, they're more likely to make a claim on their own policy than come and blame the MSP. That makes sense.

SPEAKER_02

Yeah, it comes up a lot. And I had different views on this myself, but I'd take your advice on this one. As managed service providers, we look after a bunch of different clients with different maturity levels. Like you say, some understand risk, some don't. But they always come to the MSP to get an answer on their questionnaire for their insurance. So my one question is should the MSP complete the form on behalf of their client? And what risk are they assuming, if any, by doing that? So I don't know what my answer is. No, never do it.

SPEAKER_03

So I usually answer this question by you always want to look after your client and help them through that process. But I use an example that's really, really basic. So most insurers just ask, do you have MFA tick yes or no? And if you were to answer that on behalf of your customer, you're probably going to tick yes, that we provide MFA across the infrastructure. And chances are they'll have a instance of Xero or an accounting software or a line of business CRM or something else outside of your management that you don't manage. It's the client's and it doesn't have MFA turned on. And if there's a breach and then it turns out that the data was exposed through a lack of MFA, the insurer may decline a claim and say, but you told us you had this control in place when it's not there. And if the MSP had completed that form, the client can point back to the MSP and say, But you told me we had this across everything. And that's drawing you into a professional indemnity claim. So, you know, we always advise clients to share the maturity across the products you do manage that you have that. But we try to avoid filling out the forms on clients' behalves. But have it, it's an opportunity to have a consultancy or a a sales, not a sales, a a risk discussion around, well, why don't you have MFA on these platforms? Or how can we help you enforce that across these platforms? Or, you know, what else do you need that we could service you for there?

SPEAKER_00

But our start, our team really complain about MFA because it's really annoying. So we haven't turned it on.

SPEAKER_03

Yes, or the the the director didn't want it on his his account.

SPEAKER_02

Here's the one that's vulnerable, yeah. Oh yeah, and I tend to agree with you, Tim, because I took it as uh I would not complete the PDF and email it back to the client with all the answers in it, would never do that. But I would take the questionnaire and say, here's my answers based on what we know. But if you want to be able to answer all these boxes, yes, this is the work we need to do. This is the journey we need to go on. And and most insurance brokers are reasonable. If you said, is MFA on, the answer would be mostly. But then you refer to a document that says it's guaranteed it's on these things, it's not on these things, it's out of our scope.

SPEAKER_03

That's a really good point you raised there that you need to arm the insurance broker. So a lot of insurance brokers aren't tech first, and that's that's okay. So as a tech provider for your clients, if you have any management reports that can export out to say, you know, we can verify that there's MFA on these accounts, not on these, just attach that to the proposal. Nothing actually stops you giving them more information than just the base questions they ask. And if anything, it actually works in the client's favor that it shows a higher maturity, that they've actually got controls across all these other areas. For really big accounts as well, we're not limited by just that question set they ask. We'll actually do a proactive submission where we highlight, you know, could be running BeyondTrust, and there's privileged access management, and there's areas that are segregated, and there's all these things over and above what the insurer's asking. But when we present on that, they go, gee whiz, this is a good business. We'd like to be competitive for that insurance.

SPEAKER_02

Exactly. It's show the broker of the insurance company that you are a professional organization, you care for your clients, you go above and beyond in all this. And it's the same what popped into my head just then is when we used to respond to a lot of tenders. And some of the tenders were written very well, like they actually had a good specification of what the services and the products that the client need. Some of them were very generic. But the rule was you had to answer the tender. So you answer the questions that are asked, and then we would put in an alternative response that answers the questions you should have asked. And we won a lot of business that way because it showed that we knew more than the person who wrote the tender. And you have to be careful not to make people feel a bit inadequate. But it basically shows you're a professional organization and you say, Yeah, I get what you're asking here, and we're 80% compliant with that. But these are all the other things we do to mitigate these risks, or these are the other things we do for our client base. And yeah, it's just tell the story. It's not my overall comment would be don't hide from the insurance broker or the insurance company. If you're unsure, just be honest about it because they want to see that you're a professional organization, not someone who's trying to pull the wool over somebody else's eyes.

SPEAKER_03

While we're touching on tenders there, a big thing we're seeing at the moment is increased limits for professional indemnity, public liability, and cyber insurance on government tenders. So there was a paper published mid-last year from the Australian Government Solicitor's Office, which was an insurance paper around advice for government departments for what they should be asking as insurance requirements. And they've gone very heavy on the cyber requirement, and they only reference it in three lines: professional indemnity, public liability, and cyber insurance. And then it's got $20 million against each of those. And as I shared earlier, cyber insurance is very varied in its coverage. And when we've been working with vendors trying to get onto those panels and apply to those contracts, there's a lot of room to negotiate around those limits because you can challenge: is it third-party cyber, is it first party, is it, you know, what's the actual specific requirement or risk need they're trying to cover? And that's a big area that always needs a discussion. So use your insurance broker to help you have those conversations because there are opportunities to reduce those limits if you help them break out how you might be mitigating those areas in other ways.

SPEAKER_00

Tim, I'll get you just share a story when you answer this question. But it's around the liability gap. Where have you seen that gap between what somebody thinks is covered and what's actually covered in a claim?

SPEAKER_03

Yeah, so the liability gap for us usually exists between the client's expectation and the MSP's expectation. So, you know, we're seeing it more and more where the MSP is responsible for more than just keeping the lights on when it comes to IT. You know, there's other services that they're introducing. And we've seen it where the clients want to blame the MSP for things that are typically out of scope. One of the big ways to prevent that is legal protections. So I always sort of tell clients when we're looking at liability gaps, before you call your insurance provider, you're going to have a conversation with your lawyer when it comes to liability gaps because you don't want to pull your insurance policy out as the first step. You want to go through, and by the way, I'm not a lawyer. We can recommend some really good lawyers. No legal well financial advice here, no. But you want to have clear scope of services. Make sure every party knows what are we actually here to deliver on and whose responsibility is it. You know, especially where you might have pass-through services. Ultimately, if you're billing your client for something that's coming from a vendor, if there's a claim for a failure of their service, it will most likely follow the line of contract. So it's going to go through the MSP before it goes to that vendor. It's good to have things like dispute resolution clauses in there, things that enable a path to resolution before you actually everybody throws the toys out of the cot and you know the relationship, you know, needs to rely on the insurance. Yeah. So, and anything you can do in that process, we've seen some quite large claim examples where MSPs have done really good things to improve their clients' experience, and that's ultimately reduced the cost of the claim, which then the MSP is going to have to pay an additional rate over the coming years as their insurance increases to cover the cost of that claim. 
So if you can minimize that and avoid that, and also retain clients through that as well. We've seen some great examples recently of a large supply chain incident where the MSP went above and beyond, managed it, did an incredible job, and actually reduced the exposure of his own business through that.

SPEAKER_00

We had Mitch Colton on a few episodes ago.

SPEAKER_03

That's what I was referring to in that example.

SPEAKER_00

I don't know if you were involved in that claim or not, or in that whole situation, but he shared on our podcast exactly what had happened. So yeah, if you're interested, if you're listening and you're interested in what can go wrong, have a listen to Mitch Colton's episode.

SPEAKER_03

And Mitch's behavior in that is exactly textbook for what good looks like. He did an incredible job. He looked after all of his clients and customers. And he had an excellent insurance broker and communications people around him to sort of support him the whole way through that. And one of the things that so his incident responder Atmos do is they offer pre-introductory services if you hold a policy that would trigger them ultimately. So one of the things we advise a lot of our clients to do is get to know who is going to be your incident responder before you need them. And that way you can short circuit that whole three, four days at the beginning of a catastrophe so everyone can respond quicker and you can save more time.

SPEAKER_02

I think that's a really good point, Tim, because like we tell our clients, it's not a matter of if, it's a matter of when. Like this is going to happen. The days of my father who got away with 80 years without paying insurance, it's just not going to happen anymore. There's the exposure ability to get breached by anybody in the world is getting faster and faster. And with AI stuff out there, it's actually going to be even more. So I'd say have insurance is one thing, but you need to have the response plan and you need to have your own internal action plan. So if when it happens, not if, when it happens, you know exactly what to do. You know what internally you need to do, how you're going to communicate, who you're going to contact, and play that what we call the desktop workshop, do the experience.

SPEAKER_00

Disaster recovery plan, yeah.

SPEAKER_02

We used to do DR for recovering servers and backups. Now you need to be doing that for risk and insurance stuff, just to make sure that it's not a surprise.

SPEAKER_03

So cyber insurance as well is at the moment in a soft market. So we're seeing falling premiums, expanded cover. In Australia, there's 48 providers and growing of markets that we go to for insurance. So Emergence, Chubb, CFC, Coalition, Silo, the list goes on and it's growing. And so we're seeing a lot of competition. We're also seeing a growing list of services. So all of those providers now provide value-added services as well. They're giving you things before you actually need the insurance, predominantly to reduce your risk. So they'll help you with incident response plans, they'll help you with other vendors that can also come over the top. And the reason they're doing all of this is to reduce their cost of claim. So it's becoming a more sustainable market as well.

SPEAKER_02

It's just like us as tech MSPs, we reduce the risk of our clients' networks by proactively managing stuff and fixing issues before they become real issues. So it's just moving up the stack, isn't it? And starting to work on business processes.

SPEAKER_00

But the insurance is a sales tool. So how does that come into play when you perhaps pick up a new client, you have a look at what they've got in place? They've got a lot of risk and you don't want to take that on yourself.

SPEAKER_03

Yeah, so we have this conversation a fair bit with clients where they say, I'm actually bringing on a client that I see as high risk. Do you think they would get insurance as they currently stand? And should we improve their environment before we get insurance? Or should we get insurance first while we go through that process? And I would always argue that you should try and get insurance first because if there's a vulnerability that exists because of their poor environment and they're breached, well then who's responsible at that point? You're on the hook. There's more chance that the MSP will get blamed. So and if you were to onboard a client and they don't have cyber insurance, typically that client will maybe think that the MSP is the one that's covering that exposure. So, but if you clearly have that conversation up front to educate your client around, well, if their employee clicks on a phishing link, that's their responsibility. You know, you can put a layer around that or a security control around that, but they can still click on that link. So yeah, I think it just drives that conversation. And back to the contract and the legal protections, it also helps drive that conversation about, well, what are we covering and what are we responsible for? And if the client then mentions that early enough in the piece, you can address that. Whereas there's nothing worse than both parties operating off the false assumption that something is true, and then you discover it at the very end.

SPEAKER_00

Wanted to touch quickly on the human side of risk. So we're talking about businesses, but at the end of the day, we've got to manage the whole human side of this. And we said then about people clicking on things, and often that's the biggest risk, and we've all done it. But beyond that, the tech stack, where does the human element or internal process usually fail an MSP when it comes time to actually making a claim?

SPEAKER_03

Yeah, so the failure of a process is insurable. The absence of a process isn't. So we'll have somebody that says, I want to get coverage for my accounts team paying away $100,000 to somebody. And we can't insure for that unless we can show controls that we're going to call, check a bank account, validate information. And so there's a failure, though, of that process where somebody missed the call or didn't follow up and then made that payment. We have at least enough to build a claim to say to the insurer, we had a failure. There was, and that's what you're ultimately insuring for is human risk in many examples, is the unforeseen mistake that somebody has made. So you've also got, I think it was the stat that I was quoted the other day was about 80% of claims are driven by human exposures in cyber. So, and we see that as well with a lot of insurers now insisting on training programs and services that come from that. So if you can articulate that as well, you will get better insurance.

SPEAKER_00

Okay, let's jump into the future, the future of tech risk. So, with the emergence, very fast emergence of AI and supply chain threats evolving, which seems to be the ones that I've been hearing about. What is one thing MSP owners should do today to future proof their business?

SPEAKER_03

Yeah, so I think people are the biggest area that need to be invested in. With all like I love technology, but you'll never replace what we're doing now in communicating and talking to and understanding people. And I think the more you can use technology to empower people and you know, do the processing, do things behind the scenes, but empowering your people to have those conversations and actually use technology to be more human, it's probably a little less insurancey and a little bit more philosophical. But you know, really successful businesses all when they list their top assets, all list their people. You know, we've seen a lot of M&A recently, and people are something that are a real reason why businesses get acquired. You know, what's the difference between many MSPs? They're all selling the same stuff at the end of the day, but the people. And so if you can really empower your people, I think that's a key differentiator. The other thing with I suppose MSP's biggest exposure is professional indemnity being bad advice or perceived bad advice. So you've got to keep a human in the loop to protect that. We've seen it with some businesses where they've turned on AI too quickly and it gives advice on behalf of the business. It's doing that the same way that you wouldn't put a junior in front of your most senior client and just let them run away with the security strategy. Whereas sometimes that approach can be taken with, you know, new, you said you've seen it all with shine the shiny thing syndrome. I'm guilty of being a buyer of many shiny things. But, you know, you need people to make the right decisions and put their hand up and be in a culture where they're comfortable to say, hang on, that's not right, or I need to put a control around that.

SPEAKER_02

The key for me there is that human in the loop. It is very uh addictive, the AI tools, and you go to the highest level ones, which I think is Opus 4.6 now. And man, it's bloody good. Like you have a proper conversation with that and ask a question about something, and then what it comes back with is holy crap. I can't improve on that at all. But it's still just a draft, and it is like a junior or an intern. You can't take that output and stick it straight into production or straight to your client or things like that. You've got to have that, like you said, the human in the loop and review it and test it. And I've got a couple of bots I'm training at the moment, but I'm treating them like a two-year-old. Give them one task. If you can do this task 15 times without stuffing it up, then I'll give you a second task and another task. And always checking, always checking. And it's a completely isolated, you know, it's the open core thing, unguarded, but it's completely isolated and only has access to its own Gmail account. But I can send stuff to that and it can do so yeah. I mean, the point is keep checking, keep checking, and keep teaching your team. And I insurance is something that we don't educate our team on.

SPEAKER_03

Yeah, we try to bring the business into those conversations as much as possible. One good thing with cyber insurance policies is they're all most of them are all currently written to handle AI and AI exposures. Because, you know, if the breach occurs because of AI, it's still covered because it's covering the incident in that sense. What we are seeing, though, is professional indemnity policies staying silent or not addressing AI as a bit of a generalization. And so what that means is you're leaving it up to the insurer to determine if that AI exposure is covered or not at the time of a claim. We've got one SaaS client that's doing some really exciting stuff with an AI product in the medical space, but we've taken that example to the insurer specifically to get a clause included that actually protects them in the event that they had an exposure come from that AI. So that's where, you know, depending on the degree of risk, you know, that's its entire business model. So you want to make sure that's covered. So Yeah, cool.

SPEAKER_02

Awesome. That's been some great conversation. I think there's a couple of key points there for people to take away and think about. And don't be scared, just ask the question. Like insurance is a necessary part of your business, just like a bank account and just like a lawyer.

SPEAKER_00

So And I think just like an MSP, as MSP owners, we want to be at the table with our clients. And what I'm picking up here is that you want to be part of the MSP sort of board, if you like, of part of that conversation about making sure that the business is protected.

SPEAKER_03

Yeah. I mean, that's sort of the way I explain it to most of our clients. We're your internal insurance department. And the more you engage with us, the more we can help you. Most other insurance providers, we see them as a little bit of an afterthought. No one wants to talk to their insurance broker typically. So if we can be a little bit more approachable, we're we found it really easy to deal with our customers.

SPEAKER_00

So And I think knowledgeable to my probably early experiences with cyber insurance with our insurers was perhaps we had a junior person, but they just didn't know and didn't know what they didn't know. And it was quite a frustrating experience of it, it was feeling like I shouldn't have to teach you here. You should be coming to me, telling me, not me teaching you in this process and me teaching anybody about technology is a scary thing, isn't it?

SPEAKER_02

We have fixed three problems in 30 years, so it's good.

SPEAKER_00

I'm on a roll. One every ten years.

SPEAKER_02

Final question from me, Tim, at the start of this conversation, mentioned motorbikes. So what is your favorite motorbike and what's the best ride you've done in yeah, 30 seconds? I've had two.

SPEAKER_03

So I had a 1100 Monster Ducati, and that was a lot of fun. I put the Tammy pipes on it. And then I had a Harley 886 Iron, which was a matte black Harley, which I rode for many years. So yeah, both of those bikes. But up in Sydney, we've got some great rides around sort of Wisemans Ferry. So head up there and there's a pub on the water. And I never did I've never done long rides, but just short out for the weekend and back again.

SPEAKER_02

I did two weeks in the Himalayas, that was about two and a half thousand kilometres. And I did two days in Thailand, and that was a thousand kilometres in two days.

SPEAKER_00

But Himalayas was a bit higher, yeah.

SPEAKER_03

I'm heading to Vietnam at Easter, and I've said to my wife, I thought it'd be nice to hire a bike and go for a bit of a ride, do the Top Gear line that they did there. Yeah, yeah. That's a very popular one, yeah.

SPEAKER_00

We traded the Tesla that we left the day before we left Australia to move to Bali for a or we have various scooters, but PCX 165cc is the family one. Actually, no, it's probably the fun one for Nick and I, but the family one is we have a 110cc Honda Scoopy with a dog pod with the two French bulldogs on the front.

SPEAKER_02

Oh, beautiful.

SPEAKER_00

And we had the Harley.

SPEAKER_02

Yeah, next weekend we go into Lombok and we're gonna hire a couple of bikes to just go do some exploring. So it's quite good in Bali because the average speed of a scooter around the road is about 40 to 50 Ks maximum.

SPEAKER_00

Usually 20 to 30 in traffic.

SPEAKER_02

Like an 1100 or 1300 road bike is just not the thing to have here. No, no. You'd never get out of first gear. All right, mate, Linda, pleasure having the chat.

SPEAKER_00

Yeah.

SPEAKER_02

Amazing.

SPEAKER_03

Great to meet you guys, and thanks for having us on. Very welcome.

SPEAKER_00

If this conversation hit home for you or got you thinking, head to mspmastery.blog and keep the conversation going. You'll find all our episodes there and more wisdom from the peers and partners who are shaping the future of our industry. And make sure you subscribe so you don't miss future episodes. We've got plenty more great guests and stories coming your way. Until next time, this is MSP Mastery.