cyber-insurance-riskAlready this year, insurers have significantly increased their premiums, limited their scope of coverage, and updated their requirements to be in good standing with many of the reputable insurance providers.

High-profile attacks, government interaction and increased demand all account for these responses.

What we’re seeing from an MSP perspective is clients (and MSPs themselves) getting dropped from policies simply because they have been deemed too high risk. Those that have not been entirely dropped have likely seen coverage changes and heightened requirements.

I want to walk through 3 requirements some insurance providers are now asking for that you might never have expected. The cyber insurance industry is in continual flux right now, and unless you start keeping up with their ever-changing requirements, you may find yourself having to foot all of the costs in the event of an incident.

Requirement #1: A Tested Tabletop Exercise

Do you have a tested tabletop exercise for scenarios related to ransomware events? If not, your clients soon may be out of luck with changing cyber insurance requirements. Several companies now require that you prove a ransomware or data breach tabletop exercise was performed regularly (at least annually). That means someone on your team will be expected to get involved with your client to walk through how a response should go. For an example of a tabletop we use with our partners, go to

Requirement #2: Have A CISO Or CSO On Staff

Some policies are now requiring CSOs on staff at client sites. That means someone with a well-defined role on the security side of the house that is overseeing security initiatives getting done. The insurance agencies want one single person taking ownership and leadership of the security program and are expecting someone fill that role. If you don’t currently have a CSO program within your MSP, this is might be a good opportunity to start.

Requirement #3: On-Going Third-Party Assessments Of Their Environment

They no longer want to take your word for it. Many policies are requiring either a third-party penetration test or network assessment to prove that common vulnerabilities have been addressed. Insurance providers are trending towards a requirement of an on-going assessment (quarterly assessments are becoming the norm). And checking your own work is not good enough anymore. Providers are requiring third parties to validate that requirements are being fulfilled. To see how a third-party assessment evaluating your cyber stack, consider a free cyber stack assessment.

If your clients wish to transfer some of their risk associated with data breaches and ransomware attacks off their shoulders, they are going to need a more sophisticated program to engage with insurance providers in today’s climate. From my perspective this is a big opportunity to educate your clients and prospects on why they need to invest in sound security solutions. An easy way to do this is by showing them what is at stake if they don’t act.