Fast Track Cyber Insurance for MSPs & Their Customers

[00:00:00] Welcome to the Powered Services Podcast.

[00:00:05] Your one-stop shop for all the information, strategies and insights you need to supercharge your MSP.

[00:00:14] Get ready to hear from other MSPs and industry experts in the trenches and behind the scenes

[00:00:23] to help you change the future of your MSP and increase your MRR.

[00:00:29] Now, here's your host, Dan Tomaszewski.

[00:00:34] Greetings and welcome to another episode of the Powered Services Podcast.

[00:00:38] We're excited to have you all along with us today as we're going to dive into a pretty hot topic that we're seeing all over the forums.

[00:00:46] We're seeing it in different chat channels.

[00:00:50] We just got done with a peer meeting and people were talking about this.

[00:00:54] One of the things we're hearing is cyber insurance.

[00:00:57] I want to dive in so I thought I would bring on two experts on this.

[00:01:02] First, we have Mike Houglia who is the general manager of the Kaseya security stack.

[00:01:08] Mike, really excited to have you on.

[00:01:11] Thanks, Dan. It's great to be here.

[00:01:13] Yeah, this is going to be a really hot topic and we couldn't have this conversation as well without Kirsten Bay,

[00:01:20] co-founder and CEO of Sci-Surance. Kirsten, welcome.

[00:01:24] Thank you. Nice to be here.

[00:01:26] Yeah, and thanks to you both because we were just at Connect here just a few weeks ago.

[00:01:32] There's this new Kaseya Cyber Insurance Fast Track program which has got a lot of buzz going.

[00:01:38] What I want to set the tone is to what the industry is seeing when it relates to cyber insurance.

[00:01:45] We were talking in the green room, there's a lot going on.

[00:01:49] A year or two ago we were seeing ransomware as one of the top things that was going on.

[00:01:54] We're seeing a little bit of a pendulum switch with it now.

[00:01:57] It looks like a lot of social engineering and just can you talk to our listeners of what we're seeing in the cyber insurance world

[00:02:05] and what's going on for SMBs out there today?

[00:02:09] Well, you're right. There has been quite the shift.

[00:02:12] We were talking earlier, Mike and I, about how there's like a 700% increase in cyber attacks that were related to ransomware in 2020.

[00:02:20] That's a huge number.

[00:02:22] We saw a lot of losses and that was the thing that was really plucking the industry.

[00:02:26] But we also know that the adversary shifted a little.

[00:02:29] They have to kind of keep up with the new trends and trying to keep monetizing.

[00:02:33] And so now it is social engineering is starting to ramp back up.

[00:02:36] And you know, obviously credential theft. I'm hearing a lot about credential theft right now as well.

[00:02:41] You were back to kind of the old credential stuffing and looking for opportunities to leverage people's credentials across a variety of platforms.

[00:02:49] Thinking as well is keystroke loggers.

[00:02:52] So all of that related to that lure that ends up on someone's machine and starts making changes and then all of a sudden something's missing or at a full attack is underway.

[00:03:03] And so these are the things that are starting to ramp up in a different way.

[00:03:07] And also then just breach notification costs and claims management around those types of incidents is also really accelerating the claim costs as well.

[00:03:17] We're seeing that new states are implementing new data privacy laws.

[00:03:21] And so there's reporting requirements are accelerating.

[00:03:24] And again, those are driving back to a lot of people being fished and then data leaking out into the environment.

[00:03:31] Yeah, like Mike, how about from your side? I mean, you're overseeing all the security solutions and you know, from like MSPs.

[00:03:39] I mean, what are you seeing? I mean, Kirsten just listed off a ton of different things from security side.

[00:03:45] But like, what are you hearing with the MSPs that are dealing with on the security front and maybe leading into a little bit more of the insurance piece?

[00:03:53] Yeah, I mean, I think we are getting better as an entire industry of and I was talking to Kirsten about this earlier of having controls in place to either stop compromises from being successful or in a lot of cases limit the damage and severity.

[00:04:13] Because that, you know, when you get into insurance and just everybody's incident response plan and things, you know, it's one thing to be compromised.

[00:04:22] How early do you catch things in the attack chain? And, you know, the earlier it is, the less severe and costly it can be.

[00:04:30] And so while we're still seeing, you know, and you read it in the news and everybody listens to this podcast as a practitioner, you know, the we haven't seen a slowdown in the attempts.

[00:04:43] We still see a lot of phishing. We still see people getting in through old techniques, you know, our DP that's left exposed and so forth.

[00:04:53] But a lot of organizations, especially the end customers are now understanding, I would say two things.

[00:05:03] Number one, where I've seen MSPs be more successful in expanding the services that they have is that they're understanding that what was commercially reasonable five years ago isn't today given the environment.

[00:05:19] I mean, they see it every day in the news, the governments are making up more regulations and laws.

[00:05:24] And number two is getting cyber coverage as a way to protect, you know, the business impact on that organization because if something does happen or win by some people's standards,

[00:05:40] you know, what's the financial impact to that company and that's why you have insurance in the in the first place. And that's why we started talking with with Kirsten and others to come up with a program because it's become difficult to obtain cyber insurance and,

[00:05:56] you know, extremely expensive over the past, you know, certainly over the past two years, but it's been ramping. Kirsten had a nice diagram of what's happened over time and really it started just before COVID hit of prices taken off.

[00:06:12] So it was a problem maybe outside of technology that we wanted to try to help solve.

[00:06:19] Yeah, and Kirsten, you know, Mike, we're going to get into the fast track program here in just a minute. But you know, one of the things we hear from a lot of people doesn't remember whether it's an MSP or just SMBs.

[00:06:31] I mean, I know a lot of folks that own businesses, and they're all saying like policies that continue to kind of keep creeping up. I mean, are we still seeing that in today's world?

[00:06:40] Like are the cyber insurance policies? Are we seeing premiums continue to rise? I mean, what do we what can we expect in 2023 as we try to get into the second half of the year?

[00:06:51] Well, we actually are seeing policies level out a little bit. But you when leveling out means we've already experienced anywhere depending on your your vertical that the company's in 500 to 3000%.

[00:07:04] You know, it's like, oh, we can take a little bit of a breath but people are still looking at cyber insurance rates that are really high. The other element beyond just the expense increasing what we also have seen as a degradation of coverage exclusions and other elements that that really tighten the boundary of what that coverage might be.

[00:07:23] So many policies now are 2000% more expensive and provide only 50% of the coverage for a ransom attack as an example, or they require you to have a 45 day patch cycle.

[00:07:35] And if you don't then you lose 25% of your coverage and then on depending on how much time goes by.

[00:07:41] So not only have we seen really excessive increases in the premium itself. We also see limits being reduced and other coverage elements that reduce the the opportunity for an organization to have the level of coverage they might really need, especially for ransom

[00:07:57] attacks and other really high vulnerability type attacks.

[00:08:00] And when you've been on before, you've mentioned this is one of the things that we've covered is not all cyber insurance is equal.

[00:08:08] You know, there's policies that cover different aspects. And you started to mention like if your patch cycles out it's 25% and like so as an MSP.

[00:08:20] It's working with SMBs and trying to communicate to them why it's important to be looking at cyber insurance. What are the things that we should be looking at from a policy to make sure that our policies covering, because again we just said they're not all equal.

[00:08:35] What should we be looking for?

[00:08:38] Well, the two that are the most apparent to me are around what we call sub limits and sub limits are reduced coverages around specific incidents like ransomware as an example. The other one might be what is referred to as systemic outage so if there's a zero day attack against a particular piece of

[00:08:56] software, you could have almost no coverage depending on what type of policy you have. So systemic outage ransom and then patching is now becoming another one that you want to be careful because a lot of times those are on page 77 subsection 3.2 and that little tiny font.

[00:09:13] So you want to be very careful that you understand either for your customer, the third through going through a renewal or if you're the customer yourself to make sure that you've identified any of those exclusions that may not be readily apparent in that particular document that you have.

[00:09:30] Yeah.

[00:09:31] And so Mike, I want to get into while we have Kirsten and I'll kind of bounce a little bit back and forth here for the next few minutes. So we have this, it was announced Fred at Connect announced the Kaseya Cyber Insurance Fast Track Program.

[00:09:46] Really, you know the message is to allow, you know MSPs and their customers leveraging the security suite to immediately qualify for coverage that's significantly lower than the market price which, you know we heard they're kind of leveling off but they're leveling off at a high rate.

[00:10:03] And so now being able to take the Kaseya security stack and I kind of want to have you kind of go through and tell us what are those products and you know like what does that mean and how does this program work?

[00:10:13] Sure, sure. Thanks Dan. You know as we said it's becoming a bigger and bigger problem so if we can help with that, that's what we're trying to do and you'll see more programs like this but in this particular case obviously you know kind of disgusted cyber insurance is expensive hard to get.

[00:10:32] So what we did is we worked with Kirsten and we certified five of our products. So if you have these five products installed it is Bullfish ID for training, dark web for monitoring dark web passwords,

[00:10:51] Graphus or SAS Defense for phishing protection and email, Rocket Cyber for monitoring and logging events in DATO EDR for having endpoint detection and response. We certified those products and that gave the insurance providers a way to say that we know that these controls are in place.

[00:11:15] Endpoint detection, monitoring 24-7 with MDR, phishing protection training monitoring. So we can cut down the amount of questions we have to ask the red tape and getting there.

[00:11:28] And number two is at a discounted rate because we know you have certain controls in place.

[00:11:37] And the way that you would proceed, I'm going to answer this in three ways. Number one is if you're using Kaseya One that's where all of this takes place. So you go into Kaseya One if you are in the US right now it is US only.

[00:11:53] We will be expanding geographically shortly. There are a lot of requirements in different regulatory environments but later on this year we'll go worldwide.

[00:12:07] You'll see a button that says Cyber Insurance Fast Track. You'll go in it will verify that you have those products and you're using them.

[00:12:15] It will then ask you, is this for you? For your MSP to protect your organization or is it for one of your customers?

[00:12:24] It'll ask who are they, contact info. What's their revenue below 50 million or 50 million to 100 million?

[00:12:31] And a couple of quick questions about some controls that you may have like nobody could just wire money when somebody calls and tells them they're the CEO and sends out $100,000 wire.

[00:12:44] And then you'll hit a button and it will go to your, you'll take you to CySurance because we're not selling insurance.

[00:12:52] You're not selling insurance. It is a benefit of doing business with us that we can fast track you through and CySurance will take that, get you the quote.

[00:13:03] We'll talk about that in a moment and you can put the customer can get their information right in there, sign up.

[00:13:10] There's really three reasons why this is interesting to an MSP in my opinion.

[00:13:18] Beyond getting coverage for themselves if they want to.

[00:13:22] But when they look at their customers, what I'm saying to all of you is that as part of being a Kasey customer, we have a program that can help make life easier for you at a lower price.

[00:13:34] Membership has its privileges. I used that earlier, Kirsten.

[00:13:38] You can now say that same thing to your customer. Number one, you can say, you know what? You should choose me because I am a more secure MSP and because you are a member of my customer base,

[00:13:52] I can have relationships with insurance providers to get you coverage at a lower rate. So it's a benefit of working with that MSP.

[00:14:02] Number two is that MSP probably doesn't have all their security services at that customer.

[00:14:12] So it's a way to expand, you know, their share of wallet because it's not just you telling them like you have been for several years that you have to do, you know, EDR or MDR.

[00:14:26] It's, you know what? It's not just me. Here's an insurance policy and all of them are requiring you to do this and I can help you.

[00:14:34] So it's another way to say there's a third party here saying you should be doing this type of thing and I can help you.

[00:14:40] And lastly, it makes them sticky. You know, cybersecurity isn't something they can just walk away from.

[00:14:45] And if they're using your services and they need to do that to maintain coverage, it's another reason to make them stickier.

[00:14:51] So then it just goes off to Kirsten and on size assurance, they do the quote and you get coverage.

[00:15:01] The end user gets the docusign and they can buy it.

[00:15:06] And I think if their, you know, ideas on what that coverage is and how much it is, you know, Kirsten can talk to that as well.

[00:15:13] Yeah, I mean Kirsten. So I mean we were talking about the things to be looking for one of the questions that I hear from a lot of MSPs and I know we can do this is hey, you know me or my customer, we already have cyber insurance, but it doesn't cover some of the things that this policy would cover.

[00:15:30] So I think the word that people are using is you can top off your existing policy. Can you, can you talk about like why people are doing that or like, you know, that process because I know that comes up, you know, in some of the conversations we're having.

[00:15:45] Yes, so you can use it to have additional coverage or for example, if you have a sub limit that we talked about with ransomware, that would be able to add to that coverage limit so that you really had good coverage around that type of situation.

[00:16:01] Other people are using it just to flat out replace coverage because it's so much less expensive.

[00:16:07] You know, our mission really, and this isn't a sound weird coming from insurance company but we actually trying to drive down the cost of insurance so that we can shift those dollars back into security spend.

[00:16:17] That's what makes the difference right and so that's really what we're trying to help incentivize and so that's the real benefit and when we look at this stack in particular, it really covers the key areas where

[00:16:30] like ransomware as an example and those entry points that are now protected through these particular solutions enable us to mitigate social engineering risk and other risks that are so impactful especially to smaller organizations.

[00:16:43] Yeah, and Mike and Kirsten I'll put you guys on this so in powered services we're working with MSPs to help them go out and sell to their customers but help them bring the value in the message and I know Kirsten, you've always been active with our community you've

[00:16:59] always been active with us resources things to help the MSPs to be able to go out and to be able to you know talk about cyber insurance and I know Mike and Kirsten and myself we're working right now to continue that to help everybody have what they need to be able to go have conversations

[00:17:15] and really teach their customers on the importance of having good cyber insurance and you know anything you know any best practices Kirsten for an MSP that's going out and like having it because like Mike said it's not like they're buying the cyber insurance from the MSP

[00:17:33] they're just kind of being the gateway right now to getting to this so as an MSP what should that conversation look like when I talk to an SMB that's my customer I know I Mike I heard you say the one and I really love that but like you're going to come back and say, you know are you my insurance person like what does that MSP say Kirsten to kind of reassure folks that they're in a good spot.

[00:17:56] Well, one of the things and this is something that because we have worked so long together and trying to provide these services that we learned is the most important feature is to have standardization. And I think this is the thing that helps that conversation a lot because you the most definitive answer you typically get an insurance about any

[00:18:16] question is well it depends. It depends on your sector and your revenue and you're this and you're that what we've been able to do is make it standard, so that as you said if we're under 50 million in annual revenue, your price for $1.5 million is $1,700 the end right with some modest exclusions of course depending on some some key

[00:18:34] verticals but but the point being that's an easy conversation because you it doesn't require you to be an expert on the ins and outs of those small details that might put someone in harm's way or create liability. This is what we've really been able to create with this solution and so part of it is they can reach out to us for additional questions and support so we're happy to support that sales motion.

[00:18:57] We have standardized documentation we can co brand that documentation so we can do things and we will put new playboats about it back out in empowered services as we've had in the past. That can really help organizations say here, here you go here's what it covers and then if you want we can put that right through the K one portal and get you a plan in place and get that balance.

[00:19:18] And so it's a much simpler conversation and we know that so many MSPs are doing those application forms for their customers. I had a couple of MSPs that connect say to me they probably spend $40,000 worth of time filling up those applications. Now they can go you know what I've went better for you we can do it way cheaper and way faster and we also know you're going to be more secure.

[00:19:39] And so it's really about the security conversation and the benefits of it.

[00:19:42] Yeah, Mike I mean what are you hearing from the MSP since this is launched in going on I know I've been hearing nothing but positive things from the MSPs that I've been speaking to but love to hear like what you're seeing and hearing since this program has been launched and what the feedbacks been.

[00:19:59] Yeah, we've had a lot of people go through it. I've seen a lot of different use cases. You know the first big one is it gives them something else to have a conversation with their customer on it's kind of, it's a benefit if they can help them with something.

[00:20:15] You know, and it's always positive to have a conversation with a customer about something that they can help them with that, you know is a very minimal costs.

[00:20:28] It helps them have a conversation with their customers about the other security solutions that they should be using.

[00:20:34] And a number of them in Kirsten where there is, you know it also gave them a lot of, I guess the word is, you know confidence that as part of it, you know the insurance company can help with incident response and so it doesn't all fall on their shoulders.

[00:20:52] And I've also heard from a number of them even outside of this particular program that more and more are requiring their end customer to be a customer to have cyber insurance because they feel that, you know taking a customer that doesn't have any kind of financial protections,

[00:21:11] you know while contractually it may not put, it might not put the burden on them. They know they're going to end up doing the work if something happens and probably not getting paid for it.

[00:21:24] So I want to recap here because I know we're getting ready to wrap this up and I think we're probably going to need to do another insurance round like every quarter just so people can hear what's moving and changing because there's so many things that are constantly changing in the world of cyber insurance.

[00:21:41] But so I want to recap, you have to have an order to qualify. You have to have graphics, Bullfish, dark web, data, EDR, rocket cyber. You have to have all of those in place and operating on that customer or yourself as the MSP to qualify.

[00:21:59] And if you qualify by you having those and I'm sorry, graphics or SAS defense. I should have said that.

[00:22:05] Correct.

[00:22:06] If you have those products in place, then what you do is you're going to K1 and you just simply fill out the form it's going to take you through and at that point it's a couple questions and you're going to be getting the doc you sign quotes back over for you to review your coverage and what's going on did I miss anything in that because it seems pretty simple.

[00:22:29] We made it simple. So it's pretty straightforward. That's that's it and I would say one of the reasons that we worked with with Sy assurance in Kirsten is that, and she talked about it earlier. It's also comprehensive and we have details on what the coverage provides but it's, you know, it covers not just for, you know, recovery from ransomware or BC it covers compliance, you know, compliance fines, legal

[00:22:57] legal costs, reputation damage and so forth. So there's a nice chart and a lot of things that I've seen and Kirsten talked to a little bit about, you know, the realities of certain things like we have a million dollars of coverage and with my AV and the answer to that as well.

[00:23:13] No, you really don't. It covers up to $1000 per machine to fix it, not if you get a regulatory fine and by the way it's only per machine not for your company so it's really comprehensive which is what really attracted us to this kind of program.

[00:23:33] If I don't have all the solutions that say I've got four, you know, missing one. Simply what I just need to do is reach out to your my account manager have that conversation and then you'd be eligible but you know, is that the process might they just go absolutely yes so

[00:23:50] Now, I also get the question right we have promotions in place so that if you want to add one of the solutions for yourself or for any of your customers to be able to enroll in the program.

[00:24:01] We can make that happen and they're very attractive promotions but I also get the question of what if I don't have the product but I'm using some other vendors product well unfortunately I can't we couldn't we can't I can't certify

[00:24:14] Other vendors products because I don't own them so we tried to narrow it down to just the security products that we could certify so we could bring those costs down and make it simple.

[00:24:26] So you're still free to go out and get cyber insurance and go, you know, the other direction of like you normally would.

[00:24:32] But if you do have our products it is kind of a prerequisite to being able to be part of the program and I kind of like in it.

[00:24:40] I know it's not ideal but I kind of like in it to you know the American I'm an American Airlines frequent flyers program, I get a special, you know, discounted Marriott I know it's that's less complicated but

[00:24:52] If I'm not a member of the program I can't get the discounted Marriott and so that's kind of what we did what we were able able to do given our given the products we could we could provide for the insurance companies.

[00:25:04] No this has been really awesome and I think a lot of our listeners this is something that they're getting those questionnaires like Kirsten you were saying and everyone's getting asked so many questions and just making sure that they have the proper coverage to protect their customers.

[00:25:19] I think this is just an awesome opportunity and like you were saying Mike, this is also giving you the opportunity to talk about the solutions that maybe have been a struggle to get in and for your customers to understand that value so it really seems like a win-win solution across the board for everybody involved in.

[00:25:36] Kirsten as I end us is there anything you want to leave us with I'll go start with you Kirsten and then I'll finish with you Mike and then I'll wrap us up with a close out but what anything you want to leave our listeners with.

[00:25:50] Just try it out go check it out you know you can pop in you can get quotes you can see how it looks and just give it a test drive and and call us if you need us.

[00:25:59] Awesome.

[00:26:00] I agree I think that's the best way to use it and I think this is a great opportunity because ultimately you know it's low money but it adds a high level of protection for to really really help those those end customers.

[00:26:16] Well I appreciate both of you taking the time to come on the podcast help me out and help our listeners with this new program and like I said I'm definitely going to have you both back here shortly because this world's ever changing and we want to hear what's you know what's going on so thank you very much to both of you.

[00:26:34] Thanks Dan.

[00:26:35] All right everybody that's it for this episode of the Powered Services podcast until next time have a great week.

[00:26:42] Thank you for listening to the Powered Services podcast with Dan Tomaszewski.

[00:26:48] We're dedicated to giving you practical information tactics and strategies that you can use to supercharge your MSP.

[00:26:58] If you like today's episode leave us a rating and review on Apple podcast and be sure to subscribe so you never miss an episode until next time.

[00:27:07] This is the Powered Services podcast signing off.