1:10 – That is the ratio of full-time, dedicated I.T. support staff to full-time employees that cyber liability insurance providers are requiring of their customers. Surprised? You are not alone. Many small businesses considerably underestimate the amount of work required to maintain the technology in their business and manage all the cybersecurity defenses necessary to thwart cyber-attacks. They assume that if their systems seem to be functioning fine, and if their I.T. person or service provider set it up correctly, then they are in good shape. There is good reason cyber liability insurance providers are requiring businesses to invest so heavily in I.T. and cybersecurity, though. They have found over time, after vast numbers of cyber claims, that most small businesses fail to adequately defend themselves against cyber-attacks simply because they do not have enough manpower, investment, and focus on cyber defenses. This underestimation of I.T. and cybersecurity investment isn’t the only misconception small businesses have about cyber liability insurance, either.
What is cyber liability insurance?
Let’s face it – falling victim to a cyber-attack isn’t just possible, it’s inevitable. While every attack is different in scale and intent, many of today’s cyber-attacks cause enough damage to close small businesses permanently. This is because today’s cyber-attacks don’t just impact a business’s operations. By law, businesses must notify their customers when a breach of their information has occurred. Oftentimes, the business must also provide a call center for customers to call into with questions or concerns about the breach, and even provide customers with identity protection services. With the business’s reputation on the line, many also engage a public relations firm to help manage the communications and image of the business. All these liabilities and services add up to a substantial cost obligation for a small business; a cost they simply cannot afford.
This is a terrifying thought and one that causes many business owners to look for solutions. Business owners quickly find cyber liability insurance to be a viable solution. Not only does it provide funds for operational impacts, but many policies now cover all the costs of attorneys, breach notification services, call center services, public relations services, and even identity protection services. This type of insurance can certainly provide business owners with some peace of mind. However, there are some important considerations and prerequisites the business must not overlook.
AND not OR
A common objection made by business owners to managed I.T. and cybersecurity services is “I don’t need all these cybersecurity defense services; I already have cyber liability insurance.” What the business owners fail to realize is that the cyber liability insurance provider requires that they have all the cybersecurity defenses in place. In fact, when filling out the policy application, the business owner is asked to attest that they have dozens of different security protections in place. Not only that, but if the business isn’t outsourcing all these responsibilities to a managed services provider (MSP), and at least 10% of the business’s staff isn’t I.T., the business owner must explain how they are able to adequately protect their technology and information with so few resources.
Many businesses make the devastating mistake of lying on these policy applications. Or, even more tragic, they trust an outside service provider that claims to deliver all the necessary cyber defenses. When a cyber-attack occurs, though, the insurance provider will initiate an investigation to determine if the claims and attestations made on the policy application were true. If the cyber-attack occurred because a missing security patch was exploited, and the business claimed that they actively monitored for and deployed missing security patches but failed to do so, the insurance claim will be denied.
Our MSP has insurance, so I don’t need it
Another devastating misconception business owners have is that they don’t need cyber liability insurance when they are outsourcing all their I.T. and cybersecurity responsibilities to a properly insured MSP. While outsourcing these services to an MSP is the approach favored by cyber liability insurance providers, and while mature MSPs hold comprehensive cyber liability insurance policies themselves, this does not negate the business’s obligation to also hold a cyber liability insurance policy.
Following a cyber-attack, the cyber liability insurance provider also determines which party was responsible for the attack. If the MSP’s own business was attacked, and the MSP’s administrative privileges were leveraged to then attack its customers, then the MSP would most certainly be faulted for the attack, and their cyber liability insurance policy would be invoked. While this scenario does happen, it is far more common for the customer’s business to be attacked directly.
In most cyber-attacks, a user within the business falls for a phishing scam, fails to use multi-factor authentication, or performs some other act outside of the MSP’s control. In these situations, the business itself (not the MSP) is faulted for the attack. Therefore, it is critical that small businesses obtain their own cyber liability insurance policy, even if they are outsourcing their I.T. and cybersecurity services to an insured MSP.
A mature MSP can save your business money
Remember that 1:10 ratio? A small business with 20 employees needs at least two full-time I.T. employees on staff to adequately support and secure the business. At an average of $60k per employee per year including benefits, the small business must budget at least $10k per month for I.T. But that just covers the payroll costs. There is also the cost of all the cybersecurity solution licensing, backup services, equipment costs, and more. These additional expenses could easily add another $2k per month or more.
Alternatively, the business can partner with a mature MSP that has a comprehensive cybersecurity solution offering. With unlimited technical support, both remote and on-site, as well as all the cybersecurity defense solutions and ongoing management necessary to check “yes” on all the boxes for a cyber liability insurance policy, the business can expect to pay between $3k and $5k per month based on the region. For less than half the cost of staffing these functions in-house, the business can have a robust and effective solution by partnering with a mature MSP.
Of course, the business can secure savings in other areas as well. Partnering with an MSP reduces a business’s risk of a cyber-attack simply because they have more resources than an in-house team does. Additionally, partnering with a mature MSP that has a strong cybersecurity defense strategy further reduces risk. All these risk mitigation factors result in a much lower cyber liability insurance premium, making it a no-brainer to carry this additional insurance.
In summary, every small business must:
- Either dedicate at least 10% of their full-time staff to I.T., or partner with a mature managed I.T. and cybersecurity services provider.
- Implement and routinely audit the dozens of cybersecurity defenses listed on a cyber liability insurance policy application before attesting that the solutions are in place.
- Obtain a cyber liability insurance policy, even if the business is outsourcing its I.T. and cybersecurity functions to a mature MSP.
By taking these important steps, small businesses can breathe a sigh of relief knowing they have adequate defenses and protections in place for an inevitable cyber-attack. Not only that, but this preparedness also gives the small business a significant advantage over its competitors that don’t make similar investments in cybersecurity.