Managed service provider insurance and risk management guide

Managed Service Provider (MSP) Insurance & Risk Management

Insurance Expert, Simon Taylor

What is a managed service provider?

A managed service provider (MSP) is a company that provides outsourced IT services to support businesses. An MSP can take on responsibility for the day-to-day operation, management, and maintenance of their clients' IT infrastructure, including hardware, software, network, and security. 

MSPs will typically offer their services on a subscription basis, allowing businesses to outsource their IT needs without the need for in-house staff or infrastructure. The use of an MSP can also provide businesses with access to a wider range of IT expertise and resources than they would be able to maintain in-house.

What insurance do MSPs need?

In the current climate with sophisticated cyber-attacks on the rise, MSPs should be combining effective risk management with comprehensive MSP insurance. Below we take a closer look into both.

Cyber insurance and professional indemnity (also known as professional liability or E&O insurance) should be combined under the same policy. Failure to prevent a cyber-attack can trigger both a traditional cyber insurance policy and a professional indemnity policy. 

An MSP's responsibilities will often go beyond what is agreed in the contract because it owes a duty of care to its clients. Adequate professional indemnity and cyber insurance is therefore paramount to safeguard against malicious attacks.

Cyber criminals are capable of inflicting damage by gaining access to clients through MSPs. They are increasingly targeting vendors and suppliers to gain access to a larger number of company targets. MSPs face real cyber risk, and the steady growth in this market has been accompanied by a rise in claims.

Access to client data, sensitive information and passwords, together with the reliance of the business upon the IT company, can mean MSPs are susceptible to significant compensation claims. In fact, all cloud-based models, including MSPs, Platform as a Service (PaaS) and Software as a Service (SaaS), are exposed to claims from their clients resulting from a cyber-attack.

It’s becoming more common that insurers will undertake port scanning – which means your IT systems are scanned for open ports and other system vulnerabilities. If the insurer can identify vulnerabilities, they will need to be resolved before any terms are offered.

Technology and software business insurance is a valuable tool to protect against severe financial shocks to the business. However, the longer-term implications of a major cyber-attack can still impact the future viability of the business. Identify, prevent, detect, and respond is a key risk management strategy that should be embedded into the company culture. 

MSP risk management 

The future of cyber-related risk in the digital era may seem daunting but failing to take preventive steps to protect your business is a bit like permanently leaving the front door wide open and hoping nothing gets stolen. It makes much better business sense to educate yourself about cyber hygiene and put the appropriate elements in place to protect yourselves and your customers. 

Monitoring and detection software, such as EDR (Endpoint Detection and Response), is a must for MSPs, as are firewalls and a network monitoring system, tracked 24/7 by an internal or external security operations centre. Once a hacker gets into a system, it is vital they are detected in time.

MSPs should identify exactly what products and services they provide to fully consider what can potentially lead to risk. An Information Security Management System (ISMS) allows companies to determine these details. This centrally managed framework enables them to manage, monitor and review their information security practices. 

Software companies generally devote a lot of time to creating a secure product, but similar safeguarding of their own environments is often lacking. For example, clients are regularly asked to download the software from a website that is not well protected.

Stopping cyber-attacks requires, at the very least, standard hygiene measures, including multi-factor authentication, adequate awareness training for staff, firewalls, scanning phishing emails, and filtering websites. 

MSPs really should have best practices in place, given the greater potential impact of losses from a widespread event and their increased duty of care responsibilities. A Privileged Access Management (PAM) tool safeguards privileged identities, those with access or capabilities beyond those of regular users. It is particularly important for MSPs, which have many people accessing multiple programs through a central software package.

Software companies must also segregate their network and safeguard it with additional controls that only developers have access to. This development environment should not have an automatic connection to the rest of the company. Other good risk management measures to reduce exposure and help with business continuity include continually testing backups and storing these offline, and a focus on encryption for passwords and other data.
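"Continually testing backups" means more than checking that a backup job reported success: a restore test should prove that what comes back is the same as what went in. The script below is an added example, not code from the page or its author; it assumes a simple scheme in which a manifest of file sizes and SHA-256 hashes is recorded when the backup is taken and kept with the offline copy, and a scheduled restore test compares a restored tree against that manifest, flagging missing, corrupted and unexpected files. The files and directory names are constructed for the demonstration.

```python
"""Backup restore-test: verify that a restored copy of a backup matches the
manifest recorded at backup time. Added example; the manifest scheme is an
assumption, not a description of any particular backup product."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Record relative path, size and SHA-256 of every file under src."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(restored: Path, manifest: dict) -> list:
    """Compare a restored tree against the manifest; return a list of findings.

    An empty list means the restore test passed. Size is checked first because
    it is cheap; a matching size with a different hash indicates silent corruption."""
    findings = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            findings.append(f"MISSING {rel}")
            continue
        if p.stat().st_size != expected["size"]:
            findings.append(f"SIZE {rel}")
        elif sha256_file(p) != expected["sha256"]:
            findings.append(f"HASH {rel}")
    # Files present in the restore but absent from the manifest are also reported:
    # they may be a sign that the wrong snapshot was restored.
    for p in restored.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored).as_posix()
            if rel not in manifest:
                findings.append(f"EXTRA {rel}")
    return findings


def demo() -> tuple:
    """Constructed scenario: back up a small tree, restore it intact (passes),
    then simulate a corrupted and a lost file in the restore (fails)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (...);\n" * 100)
        (live / "config.yaml").write_text("retention_days: 30\n")

        manifest = build_manifest(live)
        # The manifest travels with the offline copy as a JSON document.
        manifest_json = json.dumps(manifest, sort_keys=True)

        restored = root / "restore_test"
        shutil.copytree(live, restored)
        clean = verify_restore(restored, json.loads(manifest_json))

        # Simulate silent corruption (same size, different bytes) and a lost file.
        corrupt = restored / "db" / "customers.sql"
        data = bytearray(corrupt.read_bytes())
        data[0] ^= 0xFF
        corrupt.write_bytes(bytes(data))
        (restored / "config.yaml").unlink()
        broken = verify_restore(restored, json.loads(manifest_json))
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("intact restore findings:", clean)
    print("damaged restore findings:", broken)
```

In practice the restore should be performed from the offline copy onto an isolated host, and the manifest should be stored where a compromise of the backup server cannot rewrite it; a restore test that passes against a manifest the attacker controls proves nothing.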

One of the most business-critical elements for dealing with cyber-attacks is a clear incident response plan. Advanced planning will help a company react appropriately and quickly if they have been hacked. For a software company, this plan goes beyond their own IT environment and should also include a client communication and crisis management policy. 

Protecting client data

An MSP has a responsibility to protect its clients' data, so it is important to have a good contractual agreement on how that data is stored and processed. Prevention is not only about technical measures; it is also about communication, service level agreements and data protection agreements.

Personally identifiable information (PII) remains a hot topic for the insurance market. Any data relating to a natural person who can be identified directly from the information falls under the Data Protection Act 2018, which is the UK's implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data must follow strict rules called 'data protection principles'.

Sensitive information is described by the ICO (Information Commissioner's Office) as Special Category Data; this is likely to be more sensitive and as such should be given extra protection. This type of information includes racial or ethnic origin, political opinions and religious beliefs; financial data may also be considered sensitive.

It’s also worth considering that an MSP has a duty of care to warn its clients about poor protection in a client environment. Clients should be informed in writing, and this should be recorded to offer protection against future liabilities.

About the author

Simon Taylor is a respected senior industry professional and a Chartered Insurance Broker with over 20 years of experience in the commercial insurance sector as an underwriter, broker and director.