TalkTech With Rob Scott

Why MSP Cyber Claims Are Increasing | Justin Reinmuth

Rob Scott Episode 30

Justin Reinmuth joins Rob Scott to discuss the growing cybersecurity and insurance risks facing MSPs. He explains why contract coordination, cyber liability coverage, and incident response strategy are becoming essential for modern managed service providers.

Key Insights:

• MSPs face increasing exposure from ransomware, business email compromise, and cyber liability claims
• Cyber insurance carriers are tightening requirements around incident response and unauthorized remediation costs
• Strong MSP risk management requires alignment between security controls, insurance policies, and client contracts

SPEAKER_01

Welcome to Talk Tech with Rob Scott.

SPEAKER_00

Justin, welcome to the show. Hey Rob, it's nice to see you again. How have you been? I'm doing great. I'm glad you're here for the first episode of Talk Tech with Rob Scott. And this episode is dedicated to cybersecurity awareness in celebration of Cybersecurity Awareness Month and you being an expert in cybersecurity and risk management. I wanted to ask you what is it that is important for business owners to be aware of when it comes to cybersecurity?

SPEAKER_02

I mean, I think first of all, is you know, to us it's it's a holistic approach that involves two things. One is, you know, making sure that they have the right security in place, i.e. their security stack, you know, whether it's multi-factor, EDR, the host of things that an IT service provider would recommend to their client. And then obviously, you know, things do fail. Uh, there are could be supply chain attacks. So um, you know, having a comprehensive cyber liability policy is also going to be extremely important. I think, Rob, one of the things to pay attention to is um, you know, all cyber isn't created equal. I mean, you being a lawyer, not all MSAs are created equal. So uh a lot of times people will opt for add-ons onto a business insurance policy, or you carry lawyers' professional liability, I carry an insurance agent E&O. I've read the quote unquote add-on, and it's just not comprehensive enough where we are at in today's environment. So again, I think it's a two-pronged approach. You know, you got to have the security and you got to have the uh a comprehensive standalone cyber liability policy.

SPEAKER_00

And and thank you for that. And and and for those of you who don't understand insurance or or want to learn more, you can reach Tech uh TechRug, Justin's company on the web. Uh, just do a Google search for TechRug, and you'll see they have a tremendous amount of resources. And we have been referring clients to TechRug, and TechRug is the leader in insurance for managed service providers. And what I want to know, Justin, from you is what kinds of cases are you seeing? I know in my practice we see the gamut from ransomware to business email compromise and claims alleging that MSPs were negligent or breached their agreements. But for Cybersecurity Awareness Month, if you're an MSP out there and and maybe you don't have insurance or you have insurance and you haven't really stayed in touch with what's going on in in the market as far as the types of claims that are out there, share with the audience what are you seeing uh from a claims perspective? What kinds of situations are arising that uh come from cybersecurity risks?

SPEAKER_02

Yeah, I mean, I think you hit the major ones in terms of the ransomware, the business email compromises. Hey, the IT service provider only offered me A and B. They should offer me A, B, C, D, and E. Um, but I think two things that uh, you know, we've seen uh, you know, it's been a little bit of a troubling trend pop up is one are subrogation claims by the insurance carriers. So um, for those of you who don't know, uh this is a very common risk transfer technique in the general liability and workers' comp world. Um but what we've seen is that you know, MSPs are getting involved in a cyber unauthorized access event, and the insurance carrier has not uh asked them to do that. And what we're finding on two cases, or I'm sorry, three cases now, but two different insurance companies that's come out is they've said, hey, based on our forensics, this was going to be a $15,000 problem had we launched our SentinelOne product or whatever it may be. It's now a $100,000 problem. You're on the hook for 85 and we're coming at you. So subrogation is a huge problem right now. And listen, with about 1% of the policies out there, cyber policies in terms of the whole total insurance market, uh, you know, they're talking about that number jumping to 5% in the next three years. So that's a significant jump in a short amount of time. And uh again, you know, anybody that has to get a certificate issued uh by their insurance agent or agency, you can see that 99% of those certificates are gonna have some sort of waiver of general or I'm sorry, waiver of subrogation on the general liability, the hired and non-owned auto or the workers' comp. Um, now it's making its way into the uh into the cyber world. You know, and then I think the other thing is is, you know, the types of claims is when somebody gets hit with a ransomware attack, you know, there is no real playbook when your client has cyber insurance.
So are we supposed to react when the insurance company hasn't told us to, or are we not supposed to react? Well, if we go ask the insurance carrier, can we react on their behalf? They tell us, well, that depends when the claim comes in. So there's this what do we do kind of gray area. Uh, and we've seen a couple cases where uh one particular carrier uh did not authorize what they call pre-tendered costs. And so the MSP tried to turn in a bill of $21,000 and the uh insurance carrier said, go pound sand. Um, you know, you could potentially, you know, deny your clients coverage. Again, an insurance policy is a sexy name for an insurance contract. Uh, the contract is between your client and the insurance company. Therefore, you need permission or else you breach the contract. So I think denial of service and subrogation are two uh things that we've seen pop up unexpectedly.

SPEAKER_00

Well, and I appreciate you sharing that perspective. I often counsel my clients that sometimes when you get me involved in an incident involving one of your customers, my job is to protect you from your natural instinct to help the customer and and and by doing so increase the liability in the same way that you just described. So it's very important for the listeners out there to understand that sometimes if you're not a forensic firm and and you you're not in a relationship with the carrier that the customer is dealing with, the best thing you could do is write them a letter to say what you've learned, what you found, and recommending to them that they seek the assistance of a forensic firm and that they make sure that they work with their counsel, because Justin's point is a good one. If you don't notify the carrier of the expenses that you're incurring when you're treating an incident as an emergency, you run the risk of waiving the ability to recover those fees, which might have otherwise been recoverable if you followed the right processes from the claims perspective. And that leads me to my next point, which is when it comes to cyber liability today, MSPs are getting a number of different options. Lots of newcomers, lots of people want to be Justin for good reasons. And and and and it's hard to understand if you're an MSP with a lot, with not a lot of experience in managed services and insurance related to managed services. What are the differences out there? You know, I I I always tell my clients go to TechRug if you want a risk management partner, not just an insurance broke agent.

SPEAKER_02

Yeah, I think you hit the nail on the head and listen. Yeah, just fraught the differences? Yeah, sure. And and you know, again, we have a great partnership with Monjur and Rob Scott and his team, um, you know, because both of us need each other, right? And when it comes to the legal and the uh insurance related, again, what we call it TechRug, and you know, Rob's been instrumental in helping us what we call coordinate the contracts, you know. So um I think that you know, a lot of MSPs, if you aren't having these type of conversations with your agent or agency, that's a big problem. Um, you know, again, it's kind of, I guess, like going to the doctor and saying, hey, I've got a heart problem, I have a cyber problem. Can you tell me what the difference is between valve one and two in your heart? And they say, Well, gosh, I don't know. That's a problem. You're probably gonna walk out of the office, you know? Um, and I think one of the major things is, you know, to where our worlds cross is that coordination of contracts, you know. Um, I know that we've taken time here at TechRug to under Rob's got understand Monjur's philosophy and you know how the MSA is written, and we've tweaked some things to kind of mirror our E&O policy. And that's a true coordination of contracts where you want to look at, you know, does my cyber E&O policy have any exclusions that are referenced in the MSA and vice versa? And I think, Rob, one of the great, just kind of a basic example would be a control group. Uh, you know, the control group and insurance policy are any directors and officers of the company, uh, you are not able to act like an employee. So an employee can go rogue, do something, shut someone down intentionally. If you have the right coverage, that will be uh covered. A director and officer cannot do that same thing. So, where is it in the MSA that that exclusion that's in the E&O policy is referenced in the MSA? That's what I mean.
If you have a great, great, you know, terms and conditions and statement of work and you're doing everything on that side and you've got a great insurance policy, and the two have taken the time to mirror each other. You know, I always get MSPs that will say, Where's the gotcha? And again, if it's well written, I don't think there's a gotcha. I can't think, Rob, the last time that I had to go to a client and say, that claim's not going to be paid. Now, I can't speak on behalf of other carriers and how they've treated policyholders, but you know, I just I really can't think of it. It's been years and years and years and years.

SPEAKER_00

Well, that's an excellent point, Justin. And I think marrying the two of those excellent, highly specialized uh insurance agreements built for the managed services industry, coupled with a contracting and contract coordination, as you mentioned, with uh industry-leading agreements that you could go to market with. And then you add that to your first point from earlier, which is having the right technology stack and the right approach to mitigate the probability that things will happen. And now you've got a really risk, a good risk management strategy and your cyber secureware. Thank you, Justin, so much for joining the show. It's been great to have you on, and we look forward to having you join us for future episodes. Thanks, Rob.

SPEAKER_01

You've been listening to Talk Tech with Rob Scott brought to you by Monjur. Monjur is the first mover in providing contracts as a service solution specifically designed for IT managed service providers. For more information, visit larger.com.jur.com