Will your clients’ cyber insurance policies require a second opinion on your work?

It’s that time. Cyber insurance renewal time, that is.

This year, your clients most likely will see changes in what’s expected of them before they get a shiny new cyber liability policy renewed.

Cyber insurance providers are increasing technical control requirements, such as:

  • Multi-factor authentication
  • Documented patch management process
  • Documented and tested backup recovery procedures
  • Vendor management controls
  • Endpoint detection and response (EDR)

One of the newest requirements popping up on many renewal applications is a regular third-party analysis or vulnerability scan.

Third-party? Does that mean you can simply do it as their IT provider?

Insurance companies are looking for external third parties to evaluate whoever is performing the IT function for the organization. They are requiring proof of these assessments in order to renew contracts going forward.

What does a third-party assessment entail?

If you have no recommendations for assessors and your client is forced to find one on their own or use one recommended by their insurance company, you’d better believe that no stone will be left unturned, with a focus on problems.

In these assessments, the assessor will not entirely focus on pressing issues (the ones that are highest risk from ransomware or recent cyber events). They’ll focus on every little detail—whether there is tangible risk or not. Their job will be to point out the problems.

Many of these companies will follow up by selling antivirus, firewalls, or other security tools. They are simply using these assessments to gain a long-term client.

And that’s not to mention that some clients might simply see ads online for free assessments—assessments offered by your competitors.

In the best-case scenario, the assessor finds correctable problems and your client relationship is sound. You are able to fix any addressable issues (or work with your client to get them fixed).

In the worst-case scenario, a whole bunch of issues are uncovered, and your client loses trust in your team’s ability, EVEN if the issues are related to problems you’ve known about and raised with them in the past. You might lose trust with your client, and they may end up seeking a second opinion or soliciting quotes for IT support.

My message to you—it doesn’t have to be this way!

What If You Could Actually Win More Clients With Those Same Assessment Requirements?

Why not be the easy path towards fulfilling insurance requirements rather than a roadblock? After auditing hundreds of MSPs, I can tell you tweaking your processes and security stack to fit changing demands from the insurance world won’t be that hard. I’ve already seen some of our partners do this very thing WITHOUT having to invest in expensive tools AND without hiring new people.

Here are 3 simple steps to achieve this:

  1. Engage a third-party assessment company that you trust—find a firm that you know is doing the right thing. Someone that does not have a stake in the game. If they advertise additional products alongside their assessments, they will likely use their assessment to lure your client into their funnel, later selling them services that you should and could be managing for them.
  2. Make sure your assessments are ongoing—set up third-party assessments that happen at an interval. We recommend using a quarterly interval, since it aligns with business needs and the cadence of insurance companies’ operating procedures.
  3. Educate your clients on assessment items and get them to buy into improved security strategies—get your clients to understand why they need to invest in your cyber stack offerings. Whether it’s adding MFA to accounts, implementing additional controls, or investing in newer firewall technology, use the findings in your report to create AHA moments with your client as to why they need a change.

The only way to win with cyber insurance requirements is to be transparent and upfront with your clients. Their policy requirements will be changing. And unless you are there to help them realize what that means in terms of their IT, they may start getting second opinions from elsewhere.

Are you prepared?

Galactic Advisors offers a third-party assessment process to clients of MSPs. We do not sell anything other than assessments. We have no stake in the game. We want to keep as many businesses safe as possible.