u/Joe_Cyber

One Ransomware Event. +5M MSP Lawsuit.
▲ 14 r/msp

I pulled the court documents on this lawsuit and it's wild.

The MSP (name redacted) had a nearly decade-old BAA with no liability cap, along with many other terrible one-sided provisions that could cost them millions.

However, they do pull out the boldest claim defense I've ever seen. They're either going to dunk on the plaintiffs, or the court is going to dunk on them.

At the end of the video, I put down a list of action items if you've already signed a BAA.

One Ransomware Attack. +$5M MSP Lawsuit: Lessons Every MSP Needs to Know

Question for chat: What is your standard limitation of liability cap in your BAAs?

ex: 1/3/6 months of fees?

u/Joe_Cyber — 21 hours ago
▲ 0 r/msp

A.I. Said These Are Your Top 25 MSP Insurance Questions. Is It Right?

I for one, welcome our new robot overlords.

But until SkyNet becomes self-aware, I thought I would use AI for good. AI said these are your top 25 MSP Insurance questions.

https://youtu.be/Tcw3BYTZ2GM

00:26 What types of insurance does an MSP specifically need?
01:42 What's the difference between E&O and Cyber Liability insurance, and do I need both?
02:08 Does my general liability policy cover technology related claims, or do I need a separate Tech liability policy?
02:30 What does my policy actually cover vs. exclude when a client suffers a data breach?
03:13 Are my subcontractors and vendors covered under my policy, or do they need their own?
04:30 Does my cyber policy cover ransomware payments, and are there limits or conditions?
05:12 What's the difference between first-party and third-party cyber coverage?
06:02 Does my policy cover business interruption losses if my RMM or PSA platform goes down?
07:01 Am I covered if a breach originates from a vendor in my supply chain (e.g. a compromised tool)?
07:43 Does my policy cover social engineering and funds transfer fraud attacks against my clients?
08:13 CCA and Xclause
08:37 What's the claims process and how quickly will the insurer respond during an active incident?
09:53 Does my policy provide access to a breach response team, legal counsel, or forensics investigators?
10:08 What are the most common reasons MSP claims get denied?
10:35 Am I covered if a former employee causes a breach or data loss?
10:50 How does a "claims-made" vs. "occurrence" policy affect my coverage for past incidents?
11:48 What security controls do insurers require MSPs to have in place to qualify for coverage?
12:49 Will my premiums increase after a claim, and by how much?
13:35 How does my policy handle clients in regulated industries (healthcare, finance, legal)?
14:02 Do I need to meet specific compliance frameworks (SOC 2, NIST, CIS) to maintain my policy?
14:38 How are my coverage limits determined, and are they sufficient given my client revenue size?
15:02 Should my MSA/client contracts align with my insurance policy language to avoid gaps?
16:06 Can I be held liable beyond my policy limits if a client sues for negligence?
17:24 Does my policy cover legal defense costs if a client threatens litigation, even without a formal suit?
17:58 Am I required to carry certain coverage types or minimums to work with enterprise clients or specific verticals?
18:50 How much insurance coverage is enough, and how do I avoid being over or under insured as I scale?

If I missed anything, or you want clarification, let me know.

u/Joe_Cyber — 8 days ago
▲ 18 r/msp

Heads up: I'm seeing cyber insurers push “post-event hardening” services (again)

A pretty prominent SMB cyber insurer is now offering “Post Cyber Event Hardening (PCEH)” mid-policy and reaching out to clients directly. (weird in this world)

This kind of offering existed 7-8 years ago but mostly disappeared, so it’s interesting to see it come back.

What they’re pitching:

  • Services covered under the policy (retention [effectively a deductible] + $25K sublimit)
  • Initial consultation
  • Security assessment + recommendations
  • Some level of hands-on implementation (MFA, controls, etc.) offered.

My take:

This doesn’t look like insurers trying to become an MSP (at least not yet). It looks more like they want to reduce the chance their client has another claim. (There are a lot of economics on the insurance side that I don't want to bore you with)

Because this is only a $25k sublimit, I see this as a lightweight engagement - not a full-on security program.

That being said, here's where I'm skeptical / currently light on information:

  • How deep are these assessments compared to an MSP onboarding?
  • How cookie-cutter is the implementation?
  • Are they optimizing for the specific client or are they looking at loss ratios?
  • Are they trying to use this as a funnel to sell into preferred vendors and paid services? (probably, but I'll reserve judgement)

This could be a net positive for an SMB with no MSP and/or no real IT dept.

My first client just agreed to the initial consult. He previously had a cyber event.

FWIW, when speaking with him, he had never even heard the term MSP before. His take was basically: "Yeah, I don't want my insurer running my security, but I'll take the input." That's fair.

What this means for MSPs:

While I'm sure I'm going to see the "It's the beginning of the end!" comments, I don't agree with that. I think this will:

  • Validate what you're probably already saying to clients - but they're ignoring.
  • Act as a potential funnel to the MSP world in general once SMBs realize that this isn't ongoing support.

Neither of us will stop insurers from doing this, but I do think you can use this to your advantage. If nothing else, I'd be ready to have this conversation with clients.

If there's interest, I'll report back or make a video on feedback from this client.

u/Joe_Cyber — 22 days ago