Don’t look now, but more states are enacting legislation to regulate the MSP industry. This was one of the takeaways from a session on “The Future of MSP Regulation: What’s at Stake for Your Business?” presented by Ben Nowacky, SVP of product, Axcient, at last month’s ConnectWise IT Nation conference.
The purpose of this legislation is to make the public aware of breaches and the amount of ransomware paid. Among the states that have already enacted regulation are Louisiana, Texas, New Jersey, and Connecticut. New Jersey and Connecticut, for example, require public notification of a ransomware or phishing attack.
“This is not unheard of, the world of cybersecurity is changing on a daily basis and states are trying to keep up,” said Nowacky.
As cybersecurity breaches escalate, cyber-insurance premiums are on the rise. Since 2018, premiums have risen from 5% to 15% per $1 million in coverage, according to Nowacky, while some companies have experienced year-over-year increases of 2-500%.
“Carriers are acting like CISOs, CIOs, and compliancy officers mandating specific technologies, platforms or products, or else denying coverage,” observed Nowacky.
Meanwhile, some insurance companies have pulled out of the MSP market altogether.
Another revelation from Nowacky’s presentation was that MSPs have been specifically targeted for ransomware attacks because they have the tools and the data. He explained that supply chain and infrastructure attacks are hard to implement but are so profound because they impact so many people. They also, obviously, yield bigger payoffs.
A few other observations shared by Nowacky:
- The money you pay out is pocket change to these cybercriminals. The data is what they’re really after and even after a ransom is paid, the data is often resold.
- 29% of employers report having to eliminate jobs following an incident.
- 80% of global organizations that have paid a ransom experience another attack, often by the same people.
- 35% of businesses that are attacked go out of business within a year.
Nowacky’s recommendation to MSPs is to regulate themselves to avoid regulation. He also suggested that MSPs protect themselves with a voluntary waiver of liability. That’s important because, as he noted in his presentation, people are the weakest link when it comes to protecting an organization from a security breach.