“Our MSP has an in-house SOC” and one other mistake that are increasing your insurance costs
Recently Beltex worked with a $30mm/year MSP on their insurance. This is an elite, security-focused MSP; in many ways they could even call themselves an MSSP. One of their bragging rights is a truly dedicated security team of almost ten people.
Why is this an issue? Their previous broker was labeling them as an in-house security operations center (SOC), despite the fact that they lean heavily on a third-party MDR provider for front-line triage and after-hours coverage of endpoints and 365. In the eyes of insurance, they are NOT a SOC; they are backed by a third-party SOC.
Two of the biggest risks insurance carriers see at an MSP are a fully owned and managed hosting environment (even MSP-owned and managed equipment at a colocation facility) and an in-house SOC. Why is an in-house SOC such a risk? Compare the margin for error of a helpdesk technician with that of a SOC analyst. A mistake on a helpdesk ticket means that Bobby cannot print for another day. A missed indicator of compromise can lead to a successful ransomware attack. The stakes are much higher.
So how do you want to fill out your insurance application? Truthfully. If your MSP is leveraging a third-party SOC/MDR provider, then note that on the application. When it comes to insurance, you do not want to be stretching the truth on your team’s capabilities, both for your sake and to avoid any issues with claims or coverage.
If you are offering a SOC, make sure it is well staffed and well trained. The Beltex team once encountered an insurance agency using an “8x5 SOC” with just a few staff members who were splitting duties as helpdesk staff at the same time. This is a recipe for disaster, both from the insurance and cybersecurity standpoints.
Private Cloud, Hosting and other risky offerings
One of the Beltex founders previously owned an MSP with a $100k MRR hosting business, with gross margins of 80%+ for very little work. After starting his second MSP, he did not offer that business again. The reason is aggregated risk. Just as MSPs are high-value targets because an attacker can access multiple businesses at once, an MSP-owned and operated datacenter just puts more eggs in one basket. Simply look at the Rackspace attack, where one of the largest hosting companies in the world was crippled and could not restore their customers’ environments.