THE CYBER-INSURANCE ISSUE
A relatively new but very consequential issue is currently terrorizing small businesses—comprising 99% of all U.S. firms. Small firms are at a significant disadvantage when attempting to do business with large enterprises or government entities. This is precisely because they are small and therefore unable to access the innate advantages of size, such as economies of scale, vendor leverage, and legal and lobbying resources. To exacerbate matters, this challenge lacks the “shiny object” appeal that typically captures the attention of traditional media companies, even for a fleeting moment. Any broad interest would, at least, put a momentary spotlight on a glaring complication.
Insurance companies are increasingly refusing to renew cyber-insurance policies for smaller enterprises. Despite their adherence to strong cyber-hygiene practices, many insurers are reluctant to underwrite policies for these businesses. Charles Weaver, CEO of MSPAlliance, highlighted this challenge, stating: “It has to be accepted and obvious that SMB providers can’t compete without insurance.”
The cost of entry for providing technology services to sectors such as government agencies, defense contractors, pharmaceuticals, manufacturers, financial services, and life sciences now hinges on having a robust cyber-insurance policy in place. Without such coverage, initiating business with larger enterprises becomes exceptionally challenging, if not entirely prohibitive.
We recently discussed this issue with the senior management of a company that requested to remain anonymous. The organization had implemented rigorous cybersecurity measures: Every employee participated in monthly cyber-awareness training, all equipment had a state-of-the-art cyber-defense system, and their systems were monitored 24/7 by a dedicated cybersecurity firm. Additionally, their technology successfully passed security screenings and penetration testing.
Despite these proactive measures, the company faced an unexpected setback when their policy renewal came up for renegotiation. Without warning, the insurance provider refused to renew their previously unused policy. To address the issue, the company consulted an independent broker, who managed to secure coverage by combining policies from two different insurers. However, this multi-policy solution came at a significantly higher cost, with premiums continuing to rise.
As Weaver observed, “In some cases, we see the cost of cyber-in¬surance doubling despite multiple decades of lack of claims.” This troubling trend underscores the growing challenges that even well-prepared companies face in securing affordable and reliable cyber-insurance coverage.
CYBER-INSURANCE PROBLEM NOT LOST ON INDUSTRY GROUPS
This issue has not gone unnoticed by industry groups such as the MSPAlliance. As an international association representing cloud and managed service providers for more than 2 decades, MSPAlliance has steadfastly advocated for the managed services industry.
To address the growing challenges of cybersecurity, MSPAlliance has introduced a framework for federal and state cyber-immunity legislation aimed at encouraging businesses to adopt robust cybersecurity measures. This proposed legislation would grant liability immunity to companies and their IT service providers that comply with recognized cybersecurity standards, such as NIST and ISO 27001. More details can be found in the MSPAlliance press release.
If adopted, this framework would strengthen overall cybersecurity resilience, reduce economic disruptions caused by cyberattacks, and reward companies having strong cyber-hygiene by providing them with liability immunity. As Weaver aptly stated, “MSPs are agents of cyber-risk reduction.”
Equally important, this legislation would enable small businesses to remain competitive in markets they might otherwise be forced to leave, preventing further market consolidation. Excessive consolidation can weaken supply chains, making them more fragile and less reliable.
Businesses that invest in good cyber-hygiene practices deserve access to reasonably priced cyber-insurance, regardless of their size. Cyber-insurance is a prerequisite for providing technology services to large organizations across industries. Without it, businesses risk being excluded from critical markets. As the saying goes, “We risk being entertained by songs and threatened by sentiments while being smothered in the reality of Dirty Laundry.”