Building Trust in MSP Cyber Insurance: Edouard von Herberstein Discusses Spectra's Impact

The managed service provider (MSP) cyber insurance landscape is facing significant challenges, primarily due to the certification process rather than the coverage itself. Edouard von Herberstein, a seasoned expert in complex risk management, recognized the inefficiencies within this system and founded Spectra, the first MSP certification platform acknowledged by major insurers. His insights reveal that the lack of trust and understanding between insurers and MSPs has created a bottleneck, preventing effective collaboration in enhancing cyber resilience and risk management.

Spectra's approach focuses on certifying the MSP as an organization rather than individual technicians. This certification process involves a thorough examination of how MSPs protect themselves, the resilience of the solutions they offer, and the deployment of these solutions to customers. By ensuring that MSPs meet specific standards and best practices, Spectra aims to build trust with insurers, who have historically been skeptical of the MSP sector. This certification not only enhances the credibility of MSPs but also provides insurers with a reliable way to assess risk.

The conversation also touches on the skepticism that exists on both sides of the insurance and MSP relationship. Many MSPs view insurers as profit-driven entities that often deny claims, while insurers perceive MSPs as lacking value. However, through initiatives like Spectra, there is a growing recognition of the mutual benefits that can arise from collaboration. Brokers are increasingly seeking certified MSPs to refer to clients, creating a new dynamic where both parties can thrive.

Finally, the discussion highlights the importance of insurance in the broader context of cybersecurity. While some argue that organizations can self-insure by maintaining sufficient funds for potential breaches, the reality is that many SMEs do not recover from incidents like ransomware attacks. Insurance provides not only financial support but also critical guidance and resources post-incident. By fostering a partnership between certified MSPs and insurers, Spectra aims to create a more resilient cybersecurity ecosystem that benefits all stakeholders involved.


Supported by MSPRADIO : https://mspradio.com/engage/ 

All our Sponsors:   https://businessof.tech/sponsors/

Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/

Looking for a link from the stories? The entire script of the show, with links to articles, are posted in each story on https://www.businessof.tech/

Support the show on Patreon: https://patreon.com/mspradio/

Want to be a guest on Business of Tech: Daily 10-Minute IT Services Insights? Send Dave Sobel a message on PodMatch, here: https://www.podmatch.com/hostdetailpreview/businessoftech

Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com

Follow us on:

LinkedIn: https://www.linkedin.com/company/28908079/

YouTube: https://youtube.com/mspradio/

Facebook: https://www.facebook.com/mspradionews/

Instagram: https://www.instagram.com/mspradio/

TikTok: https://www.tiktok.com/@businessoftech

Bluesky: https://bsky.app/profile/businessof.tech

[00:00:02] What if the biggest bottleneck in MSP cyber insurance isn't the coverage, but the certification process itself? My guest is Edouard von Herberstein, a 20-year veteran of complex risk management who saw firsthand how broken the system was for managed service providers. So he built Spectra, the first MSP certification platform recognized by major insurers.

[00:00:23] If you've ever been frustrated by insurance paperwork, questioned the ROI of certifications, or wondered how to stand out in a risk-averse market, this one's for you on this bonus episode of the Business of Tech. Edouard, thanks for joining me today. I really appreciate it. Thanks for having me, Dave. All right, let's start with the beginning. What was that moment or insight that made you realize that the risk management and cyber insurance process was broken for managed service providers?

[00:00:53] Edouard von Herberstein, Ph.D.: So I would not use the word broken, which is something we hear sometimes. I would use not built properly. If you come from insurance like me, with 25 years of insurance and reinsurance behind you, in an industry that's hundreds of years old, the IT industry is 30, 40 years old. So there's a lot of things that we're discovering, as you know, in the IT supply chain, and that includes the channel, obviously, that need to be built.

[00:01:20] Edouard von Herberstein, Ph.D.: So I wouldn't call broken something that was not built or is not fully built yet. So that's the first thing I would say. I'll say one more thing. What was maybe the epiphany for me in realizing that the channel was the answer to cyber resilience and cyber risk management?

[00:01:39] Edouard von Herberstein, Ph.D.: Was sitting with the leading cyber insurers globally, in Germany, in Lloyd's of London, in the US, in Bermuda, and realizing that they had no ways to understand, monitor, or trust cybersecurity information coming from SMEs.

[00:02:01] Edouard von Herberstein, Ph.D.: And as I was trying to understand how insurers could get their customers, their policyholders, to protect themselves properly so that they could be eligible for comprehensive and well-priced insurance, cyber insurance, that is. There's only one answer to that. That's the channel. That's the only trusted door into the customer.

[00:02:23] Edouard von Herberstein, Ph.D.: So when I discovered that the MSP industry was 30, 40 years old, maybe 20, 30, and $300 billion, $400 billion annual revenue, depending, I was like, oh my gosh, why don't these guys work with insurance? That was the epiphany. Gotcha. And you're adjusting the way that the engagement would work because Spectra certifies the MSP as an organization, not the individual technicians. Talk me through how that process works.

[00:02:52] Edouard von Herberstein, Ph.D.: So the first thing when I ask insurers, why don't you work with MSPs? They say, well, we don't trust them. They are systemic. We don't know anything about them.

[00:03:02] Edouard von Herberstein, Ph.D.: And that's completely. If we don't trust someone, it's very hard to work with them. And so the obvious answer to that was, well, let's certify them. Let's inspect them. Let's talk to them. Let's ask them how they protect themselves. How are their solutions resilient? The solution they sell to their customers and customers.

[00:03:27] Edouard von Herberstein, Ph.D.: Their backup as a service, their disaster recovery as a service, their business email compromise, defense solutions, their endpoint solution. Are those structured and delivered following best practices or not?

[00:03:42] Edouard von Herberstein, Ph.D.: And because it's an unregulated industry, you find all sorts of things in the channel. You find very good, less good and not good at all. And so the certification at the highest level looks into certifying the organization, the MSP itself, how it protects itself.

[00:04:00] Edouard von Herberstein, Ph.D.: Because again, insurers are concerned about an MSP getting compromised and spreading that to all their customers at once in a systemic way. So ensuring the MSP itself is protected is important. Then looking into the solution they sell, as I said.

[00:04:17] Edouard von Herberstein, Ph.D.: And the last thing we do when we certify, we also certify deployments. Because it's not enough to certify the MSP and their solution. You also want to make sure that the customer gets the certified solution, not a low grade version of that backup as a service. They want, you want them to get the certified solution. So these are the three steps of the certification. Organization, team process people, the solution themselves, and the deployment.

[00:04:45] Okay. Now the deployment piece feels like that would be a technical operations question. So talk me a little bit through the way Spectra is looking and the way an MSP should prepare to go through the certification process. Edouard von Herberstein, Ph.D.: So the certification, again, starting, I'll get to the deployment in a second, but again, we look at the controls they have in place for themselves. A lot of that overlaps maybe with a SOC 2 or a CMMC certification.

[00:05:13] Edouard von Herberstein, Ph.D.: No one really looks at the solution themselves. So the company controls, we do things that you would find in other, you know, certification solutions. When you go into looking at a backup, is the backup resilient enough? You know, what's best practice? We're not trying to be elitist. We're trying to just follow best practice.

[00:05:33] Edouard von Herberstein, Ph.D.: And what I'm hearing from my cybersecurity team, the team that certifies MSPs, is you need, you know, that 3-2-1 setup, three instances of data, one in production, two, you know, replications of that. Tech-diverse, geo-diverse backups. One has to be encrypted and one, maybe the same one, offline.

[00:05:56] So that's the solution itself. Who certifies that? Who calls a good enough backup to an SME who has no idea what a good backup is? Even what I explain is just too much for them, you know? They don't want to go through that. They just want their data to be available when the laptop falls into the pool. And, or worse. And so we look into that.

[00:06:20] And then at the solution level, and then finally, the deployment, it's not that intricate. We don't believe in agents and connectors. We believe in verifying just enough so that trust can take from there until the next check. But it's a, the deployment will look for a screenshot. Show us that the customer did get that firewall as a service with DDoS mitigation.

[00:06:49] And that can be, from a screenshot, you'll see the customer name on the console. That's the tech stack that we certified. And DDoS mitigation is checked. You know, it's, it's that simple compared to what exists currently, which is, you know, those cyber questionnaires, which obviously have no ability to verify anything behind the firewall. Now, let's get a little bit of an understanding of the way that works. Because, you know, is that screenshot automatically collected via software?

[00:07:16] Or is that part of like a human-driven process where they audited and show it? Talk to me a little bit of a way that works. In order for us to activate, because we offer a warranty with our certification. Okay. And the same way that AAA, I don't want to digress, but the AAA repair shops, they repair and give, you know, add new parts to your car. That's warranted for 24,000 miles in two years.

[00:07:43] By the same token, we believe that the MSP should warranty the performance of their service. And so we have a way to do that. In order to activate that warranty, the last step of that activation, of that certification, is a screenshot that the salesperson at the MSP effectively uploads through our platform, which is then, you know, verified through our team.

[00:08:12] And that warranty is in place for 12 months for that solution, for that customer. We'll be right back after this message. Are you ready to get your brand in front of the tech leaders shaping the future of managed services? Here at The Business of Tech, we offer flexible sponsorship opportunities to meet your needs, whether it's live show sponsorship, podcast advertising, event promotion, or custom webinars.

[00:08:41] From affordable exposure options to exclusive sponsorships, our offerings are designed to fit businesses and vendors of all sizes looking to make an impact. Prices start at just $500 per month, making our packages a fraction of typical event sponsorship costs. Be a part of the conversation that matters to IT service providers worldwide. Join us at MSP Radio and amplify your message where it counts.

[00:09:10] Visit MSP Radio dot com slash engage today to explore all the ways we can help you grow. And we're back. Okay, now the other, it was interesting you brought up that there's some skepticism of the MSP space. I would also say that there's skepticism of the insurance space from the MSP community. Like, how do you think the approach that you're using and the way Spectra is working is working to change that conversation between providers and insurers?

[00:09:39] So I'll give you two stories and hopefully that'll explain. I'll tell you what I heard when I started in 2022. The most extreme views, which are not exceptional, you would have heard them. MSPs will, some MSPs will tell you insurers are just making money by not paying claims. Okay, that's the most aggressive, you know, aggressive, extreme view that you hear sometimes.

[00:10:06] And the most extreme view that insurers would have told me is like, oh, MSPs, they're just there to squeeze the customer. They had no value. They're just, you know, they're just there. The customer has no ID and they don't really add any value. Obviously, those two things are completely wrong. Two or three years into talking to insurers and MSPs, certifying some, sourcing insurance, recognizing our certification.

[00:10:32] And last Friday, I was on the phone with brokers and MSPs that we connect so they can refer business to each other. And they're falling into each other's arms because the broker, and I don't exaggerate. I mean, the brokers are telling us, are telling the MSP, we get, you know, 10, 20, that one broker, we get 10, 20 mid-market customers a month looking for a fix on their cybersecurity posture in order to get insurance.

[00:11:00] I'd love to have a list of third-party certified MSPs locally that I can push that customer to in order for that customer to obtain insurance. They're expecting nothing in return. There is value for the broker to push an insurance applicant towards a list of good MSPs. Now, imagine we had the whole leadership of that 15 million revenue MSP on the other end of the line. Warm lead from brokers? Are you joking? Is this real?

[00:11:30] Well, we've never heard of insurers working with us. If anything, they try to eat their lunch. That's what we've heard every day for the last two years. And you know why I said that, Dave. It's been everywhere. So because there is something natural about letting people swim in their own lane, MSP secure, and insurers insure with brokers,

[00:11:53] not having either broker or insurer or MSP just trying to do everything is exciting. Because then, you know, insurers don't have to try to sell security. And MSPs don't need to obtain a broker license or sell a warranty to replace insurance, of all things I've heard. So it's once people understand that we're effectively bringing simplicity to cyber resilience by saying, hey, that MSP is certified.

[00:12:23] They have all the foundational security you need. We have the proof that their customers have managed backup, managed endpoint, managed, you know, PC defense. And then the broker knows that through that, there is a path to a fast quote from a good insurer with full coverage and low price. It's exciting. It's new. And it makes sense. Well, one of the pushback questions that I hear all the time is that insurer frameworks are far too removed from day-to-day operations,

[00:12:52] that it becomes a very checkbox exercise. And I could make an argument that every 12-month check-in, like, leaves a lot of variability in that process. How do you respond to those criticisms that this process is just far too removed from day-to-day operations? Yeah. So you've got two, you've got three options. One is do not status quo. Don't talk to the MSP. Another one is to do annual inspection. Another one is to plug, you know, an API connector, an agent, and just monitor 24-7. The status quo doesn't work.

[00:13:22] I mean, I believe that. And it's obvious. People say it's broken. I think it's not been built. Then the other extreme is let's put connectors and just monitor everything, you know, 20 connectors and monitor every single vendor out there in the environment. I don't believe there's a single example of an insurance line of business where the insurer monitors 24-7 the security of the asset that's insured. Yep. So why cyber? Why would that work?

[00:13:51] Since when insurers are equipped to play SOC 24-7 for SMEs, this is not their swim lane at all. So what's the middle ground? The middle ground, I believe, is an annual certification. And Dave, every time we go through phase three of the certification and verify deployment, we get to verify that the tech stack is still what we've certified them for. So there are multiple.

[00:14:18] Every time they sell a new certified service, there's a checkpoint through that year. So it's not just once a year. It's continuously we verify that what they deliver to their customers aligns with what we've certified them for in the first place. And then we re-certify them annually. Now, I'd like to get a little bit of a sense of like the size and the value that you perceive on where insurance lies.

[00:14:44] And I'm going to give you a bit of a kind of a premise to respond to that you can sort of tell me. Because one of the things when we think about it from a pure cybersecurity breach perspective is that breaches are inevitable. There will always be a mistake. It will happen. Right? It is inevitable. So the best actual solution is simply a good response plan, good backups. And in a way, you can oversimplify by just self-insuring, by having enough money to pay for the restoration and pay for the potential downtime. Right?

[00:15:12] You can self-insure in some level by simply preparing that way. And a small organization probably can do that. If they could restore themselves in a day or two, they might be able to put it back together. So where do you view like the way and the cost benefit analysis of where insurance makes sense when we're thinking this through? I mean, multiple levels. There is data suggesting that over 50% of SMEs who suffer ransomware do not recover.

[00:15:41] And, you know, with the best negotiation in place and incident response in place, they might, you know, drag along a few more weeks or months until they've lost enough customer. The cost of the ransomware is expensive. There's double extortion, reputation damage. And those things just drag on. Yeah? So most MSPs, more than half, don't recover from a ransomware. That's certainly the data that I've seen from both security vendors and insurers. So there seems to be some alignment there.

[00:16:09] Then, I mean, we were discussing this at lunchtime today. You, you know, you might say that you're driving such a big truck that any accident will be fine. You might just get a bloody nose. And you'll survive it because you have enough money in the bank. It's still a painful, problematic, you know, day. And maybe you hit somebody and then there's liability attached to it.

[00:16:29] And so I think it's not just the value of insurance goes beyond just the monetary, you know, support when you need the money. Certainly a big one for SMEs. But there's also the guidance after the incident as to what you should and should not do.

[00:16:51] And insurers are equipped to help you with bridge counsel and, you know, credit monitoring and all the services that insurers offer on the back of an incident that help an insurer, that help the insured effectively do the right thing after it happens. It's not just, yeah, we've got enough money. We can cope. I think the smaller, the more obvious that is. The question is more interesting for the very large companies. Do they even need insurance? And I won't name the companies, but you can just look at the large corporate, multi-billion dollar companies, very big ones.

[00:17:20] Do they even need insurance? You know, there was a big outage last July. That company is doing well. You know, the stock price is back to where it was or above. So you could argue they don't need insurance. Well, maybe you could say they've been lucky. Could have been a lot worse. Could have been malicious. And maybe they'd be out of business. And maybe for that, I mean, we've seen those bigger, you know, it's public, the Marks & Spencer, the Coop, the Harrods, Whole Foods. There's two insurance companies that haven't recovered their website in the last 10 days. I won't name them, but you can look up.

[00:17:50] It's not just the money. It's also the assistance to handle the backend. And I think a big piece of that is for good security channel, first and foremost, and then a good insurer. And you only get those together with some level of transparency, verification, inspection, and trust. So there's a lot of certifications out there, like ISO, SOC 2, CMMC. Why not just point the insurers to those instead of introducing something new? So, very good question.

[00:18:19] A lot of insurers are trying to do that. And they're trying to leverage, you know, those CMMC level 2, a SOC 2. And that's, you know, first of all, there is value, certainly in there. A SOC 2, a CMMC will not look into a lot of the controls or precautions an MSP should have in place should the worst happen like we do.

[00:18:45] We very much developed our certification based on what insurers care the most about and try to get their hands on. Because obviously they bring their incident response and their forensics and they learn what happened and how that could have been prevented. And so our certification is very purposely designed to mitigate 90% of insurance claims. Because we know what caused those claims. You know, that's what those incident response forensics firms typically do.

[00:19:16] And so it's built from the back end, if you want. You know, we look at what we're trying to avoid and then we built it from there. SOC 2 ISO are, you know, compliance certifications. And I'd say more than at least a third, if not half of what I think is important is missed in those certifications. And then finally, the majority, as you will know, Dave, the majority of MSPs do not have SOC 2 and ISO and CMMC. Maybe in 10 years, in 20 years, that will change.

[00:19:46] But for now, the bulk of them don't have certifications. So I'm really curious. You've worked across a bunch of different complex risk verticals over your 20-plus year career. What unique patterns do you see in the MSP space compared to the other industries that you've advised? What's unique? I see what's similar more than what's unique. I see, you know, the repair shop in the AAA ecosystem.

[00:20:14] I see Lloyd's Register for ships in Lloyd's of London. That's what they do. They certify ships from nuts to bolts, from, you know, keel to engine to everything. It's just looked into in a lot of detail. I just see, every time I hear cyber is different, cyber is unique, cyber is uninsurable, I see the opposite. I see cyber is no different. And we have all the pieces ready. We just need brokers, insurers to talk to MSPs, good MSPs.

[00:20:42] And if you have a third party helping out in the middle, making sure, you know, there's no conflict. That should be the end game. Because there is so much to learn from other industries. Now, of course, you could say the systemic risk and supply chain risk is a bigger challenge. But there is so much we can do to get smarter about cyber resilience. Resilience being security, insurance. You know, it's not one or the other. It's both.

[00:21:12] And let's just get organized with what we have and see how far we go. But I think there is huge progress to be built. And, you know, and you cannot do this without the channel. The channel is absolutely the answer. To scale, to accessing SMEs. It's not going to be a vendor-driven solution. It's going to be a channel-driven solution. That's what I do. So what do you think Spectra sits in the MSP's broader stack?

[00:21:40] Like, is this driven by the VCIO, the security lead, the business owner? How do you see Spectra fitting in? So, I mean, you know, ultimately, the way you get channel excited is through a combination of three things. One is differentiation, obviously, as always. But you have to differentiate enough to be exciting. So you differentiate with, again, certification ability to warranty your service at a performance level.

[00:22:07] Maybe access to easier, better, cheaper insurance. Obviously, not the MSP reselling it, but referring them to brokers who are, you know, in the game of working with certified and better MSPs. The one that we've discovered that gets MSPs really excited is when all broker partners say, hey, I've got 10 customers last week looking for, you know, endpoint solution, MFA, just to get better insurance.

[00:22:38] I don't know where to push them. But if you're telling me you've got, you know, a list of five MSPs in their region, you know, in their zip code, in their county, that could help them fix that in a couple of weeks for something that's affordable for an SME or mid-market company, please give me access to that. And, you know, that's a world-lead concept. I hear, you know, MSPs say it's the holy grail. I don't believe it until I see it. You know, it's unique. Oh, it's coming from insurers? No way. They've never done one nice thing for us.

[00:23:08] Where would they start? Well, there's a reason why they should do it. And then seeing them just on the, you know, video conferencing, just effectively falling into each other's arms and saying, we need you, we need you. Let me drive 200 miles next week to meet you and talk about this. So lots of excitement around helping them differentiate, helping them being recognized by insurers, which is increasingly getting traction with very good insurers, as I mentioned.

[00:23:32] And reversing the referral as well from the insurance and broker market into the MSP. Edouard von Herberstein is a seasoned expert in complex risk solutions with over two decades of experience, including a strong focus on cybersecurity. Frustrated by the inefficiencies of traditional risk management processes for MSPs, he founded Spectra to offer a smarter, streamlined alternative. Edouard, thanks for joining me today. If people are interested in reaching out to get more information, what's the best way to do so?

[00:24:01] Spectra.bm, you can schedule a discovery call with the team and we'll, I'll be happy to join and share more about how we can make your life easier and bring some more leads and partnership with insurers and brokers at K-Lock. Well, thanks for the conversation. Thanks, Dave. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech.

[00:24:27] If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSP Radio and you'll get access to content early or buy our Why Do We Care merch at businessof.tech. Have a question you want answered?

[00:24:50] We take listener questions, send them in, ideally as a voice memo or video to question at MSP Radio dot com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSP Radio dot com slash engage. Once again, thanks for listening and I will talk to you again on our next episode.

[00:25:22] Part of the MSP Radio Network.