The role of Cyber Insurance when using Managed Service Providers
Small and medium businesses (SMBs) regularly use third-party service providers to access specialist expertise, tools and hosting software in areas such as accountancy, human resources and legal. As businesses become more digital and reliant on technology, they are increasingly turning to managed service providers (MSPs), also known as technology providers, to help them harness greater efficiencies, remain competitive and gain market share. In fact, a recent survey [1] by the Australian Bureau of Statistics found that 50.1% of small businesses and 65.7% of medium businesses in Australia use an external cloud service provider.
Understanding the potential cyber exposures when using MSPs
There is no doubt that MSPs offer businesses access to quality services and platforms in a cost-effective way, removing the need for companies to invest heavily in establishing these from the ground up. However, using MSPs does not come without material risk. These third parties manage sensitive client data, supply foundational software platforms and often have privileged access to their customers’ systems. This makes them an attractive target for cyber-attacks; by targeting a single technology provider, the potential victim pool is significantly larger. A study [2] by Soha Systems found that “63 percent of all business data breaches resulted either directly or indirectly from access via third parties, such as outsourcing contractors and suppliers”.
Cyber-attacks can be disruptive, expensive and damaging to business reputations. It is therefore critical that SMBs consider the cyber risk exposures that arise when MSPs manage their data and/or have access to the SMB’s systems. Cyber-attacks targeting MSPs are generally outside of the client’s control, yet they can directly and seriously impact the client’s business financially, operationally and also on a reputational level. Additionally, because all eligible data breaches must be reported under the Notifiable Data Breach scheme to the regulator (Office of the Australian Information Commissioner) and affected individuals, a breach can leave your business exposed to potential regulatory actions if requirements are not complied with.
A recent MSP incident [3] involving a software company was reported earlier this year, when it was discovered that threat actors utilised the company’s software platforms to deploy malware to its extensive client base consisting of federal agencies and private sector businesses. The exposure arising from third-party technology providers is so significant that the Australian Cyber Security Centre published a case study [4] of an Australian company which was compromised via its MSP, outlining its key findings and mitigation strategies in a detailed document.
The role of cyber insurance
A cyber insurance policy is an extremely valuable risk transfer tool for every business. Just as you rely on MSPs for their specialist services, one of the most valuable components of cyber insurance is priority access to specialist vendors who can assist in containing and managing a cyber incident. Having immediate guidance from experienced professionals can help protect your business’ reputation and finances and can help minimise any damage or disruption from the cyber-attack.
With a cyber insurance policy in place, access can also be made available to cyber security training modules and risk awareness videos as part of your business’ policy, helping your business and your team to identify and prevent cyber-attacks.
Proactive steps SMBs can take to minimise their risk
MSPs and the services they provide are invaluable for businesses like yours. To help mitigate the risk involved with using these providers, we’ve developed a checklist of proactive steps that your business can take:
- Don’t share more data and administrative access than necessary.
- Ensure that third parties have unique accounts that can be tracked, monitored and access removed if necessary.
- Regularly upgrade your business applications to implement important security updates and patch applications to protect against known software vulnerabilities.
- Conduct frequent cyber security training for all employees on effective cyber security practices, common threats to be aware of and how attacks can occur.
- Holistically evaluate:
  - Which third parties currently have access to your business data and systems?
  - What data and systems do they have access to?
  - Why do they have access?
  - When does your business regularly review this access to ensure it is secure and still necessary?
- Enquire with your third party service providers about their cyber security practices including network security, compliance with industry standards, employee training, risk monitoring, contingency plans, data privacy and application security.
- Determine what business data is more sensitive if stolen, versus other data that may be more disruptive if unavailable. This assessment will help you determine the potential risk level that each MSP poses to your business.
- Ensure that Multi-factor Authentication is enabled by both your business and third party service providers.
- Reach out to experts in the field of cyber security consultation and cyber risk insurance to provide additional professional assistance, if required.
The cyber threat landscape is complex and rapidly evolving, meaning that no business is safe from cyber threats. Protect your business from cyber risk exposures today by talking to Marsh’s cyber risk experts for a cyber insurance solution to help keep your company safe.
To arrange a quote for cyber insurance, complete our online enquiry form and one of our friendly staff will be in contact with you shortly.
[2] Source: Soha PDF Report_1.3 (squarespace.com)
[4] Source: msp_investigation_report.pdf (cyber.gov.au)