Tokio Marine HCC – Cyber & Professional Lines Group’s tips for mitigating exposure for MSPs
“A managed service provider is viewed as an outsourced IT department,” said Eugene Eychis, Underwriting Director for Cyber & Tech at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas. “They provide a variety of IT services, like data hosting, backup and recovery services, network management, software updates and security monitoring.”
While larger companies use MSPs, small and medium-sized companies tend to rely on them heavily as well.
MSPs allow those companies “to focus on their core business, save money by not hiring an internal IT staff member which can be costly, and trust that their IT systems are handled by IT experts,” he said.
The most common type of policy for MSPs is a technology errors and omissions policy.
“MSPs are actually the most common type of class that we see when we’re underwriting technology companies. They’re quite ubiquitous,” he said. “We have a lot of experience underwriting them directly as well as a lot of their clients. MSPs are used by a variety of companies and industries, from education, manufacturing to healthcare. We see both sides of the exposure: the MSP themselves and their clients.”
MSPs can operate anywhere, and with that come challenges pertaining to cyber security. Eychis explained: “Because of the large number of clients they have, MSPs have access to a wide range of client data, which usually makes them a valuable target for hackers.” Multiple clients are often managed on the same service or network, “which can increase the risk of an attack,” he said. Essentially, hackers can gain access to several companies’ IT systems at once.
MSPs typically have administrative privileges which grant them “special system-level permissions that allow users to make certain changes.” So, hackers could suddenly find themselves with these privileges in hand, where they can “install software, and access various important files.”
Many MSPs rely on RMM (remote monitoring and management) software to “gain remote access to their clients’ systems. If the MSP system is compromised, then hackers can use that same RMM software to gain access to their clients’ systems and install malware or launch ransomware attacks.”
This makes an MSP a treasure trove of sorts to a hacker.
“From a hacker’s perspective, it’s much more valuable to get access into one MSP who has many clients with sensitive data rather than trying to get individual access into various businesses separately,” Eychis said. “Once inside the MSP’s network, a hacker can potentially request a ransom demand from the MSP and/or they can request individual ransoms from individual clients of the MSP. We’ve seen this play out,” he said, citing a ransomware attack claim in which the hacker demanded a large ransom from the MSP and the impacted clients received smaller ransom demands.
This creates a situation where the MSP faces liability from their clients, not to mention reputational harm.
So what can MSPs do to prevent a ransomware attack and help better protect themselves from such a potentially ruinous situation?
“There’s definitely not some type of silver bullet solution but a combination of key things will go a long way,” said Eychis.
These can include:
- Having MFA (multi-factor authentication) in place, especially for RMM.
- Having EDR (endpoint detection and response) in place for all endpoints. EDR is a tool for continuous monitoring, which records and stores system-level behaviors as well as detects suspicious system behavior.
- Having offline system backups.
- Conducting phishing training with staff.
- Being selective and restrictive about who has special administrative privileges, and conducting regular reviews of that access.
- Carrying adequate cyber insurance from a carrier that has experience with MSPs.
On the last point, he explains that a policy can “help mitigate the costs of a ransomware event. And coverage is relatively inexpensive in relation to the potential monetary and reputational harm of having a ransomware attack and having to handle it without insurance.”