Expert: ‘Cyber Insurance Has Become An Essential Part Of Doing Business’

“Clients often ask, ‘Why do I need cyber insurance if I’m already paying you to keep me safe?’ I tell them, ‘Look, we do everything we can to secure your systems, but in today’s landscape even the best measures can’t guarantee 100 percent protection.’ Cyber insurance serves as a critical safety net while we handle any issues,” says Joe Brunsman, managing member of Brunsman Advisory Group.

In a bid to protect MSPs and their customers from the financial fallout of cyberattacks, one expert is calling for MSPs to require cyber insurance as a contractual obligation to reduce the legal and financial strain in the event of a cyber incident.

The cost of mounting a legal defense can be overwhelming for MSPs, often requiring expert witnesses and extensive evidence, making it financially draining even if they are found not liable, according to Joe Brunsman, managing member of Arnold, Md.-based insurance company Brunsman Advisory Group.

“Cyber insurance has become an essential part of doing business,” Brunsman said to a room full of MSPs at The Channel Company’s XChange NexGen show in Houston this week, hosted by CRN parent The Channel Company. “Clients often ask, 'Why do I need cyber insurance if I’m already paying you to keep me safe?’ I tell them, ‘Look, we do everything we can to secure your systems, but in today’s landscape, even the best measures can’t guarantee 100 percent protection.’ Cyber insurance serves as a critical safety net while we handle any issues.”

Cyber insurance is no longer just an option but rather a business imperative, he said. But he advised that MSPs should not fill out all the cyber forms for their customers. “I’ve seen cases where well-meaning MSPs filled out the entire form, but it opens you up to potential liability if the information is inaccurate.”

And if there are inaccuracies or monetary loss, customers are likely to sue their MSPs to recoup costs, he said. The key is transparency, documentation and using precise language when addressing cyber policies.

He stressed that documenting exceptions is crucial for ensuring accurate policy coverage. By using addendums, companies can clarify answers that don’t fit binary response categories, a practice that helps avoid future disputes with insurers.

“Anytime you see a question like ‘always,’ ‘never,’ or something with a binary choice like ‘yes or no,’ you have to be careful," he said. “A question like, ‘Do you have MFA for email access?’ sounds simple, but the answer is rarely black and white. That’s where addendums come in handy.

“Pass it on to the client, who passes it to the insurance agent, who hands it to the underwriter,” he added. “By the time it gets there, you’ve at least covered yourself, even if they simplify it to ‘yes’ in their records."

He emphasized the importance of “Identify, Contain, Refrain,” a framework he urges all MSPs to remember.

“You need to identify and contain the threat as best as possible, but refrain from making legal judgments,” he said. “Don’t say ‘breach’ or make statements that could be misinterpreted as legal admissions. That’s what your client’s cyber insurance and attorneys are for."

Keith Nelson, CEO of Irvine, Calif.-based Vistem Solutions, said he always hears that most claims are denied after a cyber incident but that Brunsman put that rumor to bed.

“I think that was enlightening,” he told CRN. “I also hear MSPs say, ‘I got my client back up in two days,’ after an incident. I’ve responded to breaches that occurred from other MSPs, and it doesn’t go up in two days. Let the insurance companies do their forensics and clear the system. I’m glad he echoed that sentiment.”