I’m reminded of the not-too-distant past when the CPA firms were getting into the IT business. All of a sudden, annual accounting reviews included IT-related questions. Before they would sign off on an accounting audit or review, they insisted on details regarding the computers, the network, backups, and a variety of other questions that I’m convinced the accounting representative did not understand, or know what function they served.
Fast forward to the pandemic, which accelerated the work-from-home initiatives and opened many companies to cyber security risks and targeted attacks (hackers were huge fear-mongers). The insurance companies found themselves with claim payments that were quickly outpacing the premiums. They put together a new game plan and implemented it quickly.
First of all, we applaud and thank the insurance industry for helping us share how important IT-related security measures really are, and for bringing small businesses to the table for these discussions. No one likes to be strong-armed into anything, and the insurance companies certainly flexed their muscles. New Cyber Security policies would no longer be rubber-stamped with nominal premiums. If you needed Cyber Insurance (and you do), the renewal was predicated on having Multi-Factor Authentication (MFA) in place, at a minimum. Many have gone even further, and most insurance companies now have a questionnaire for you to fill out.
In the past, you may have made your ‘best guess’ when filling out these IT security questionnaires, but you now have a lot at stake if any answer is wrong, whether you knew it was wrong or not. The questionnaire is an attestation, and the insurer will hold you to it. If you say you have automated patch management and anti-virus updates, but you don’t, and you then have a ransomware event or some other cyber security event, you may find your claim denied! The insurance companies will provide the insurance, but you have to do your part to keep things secure. Many policies also include premium incentives if you agree to certain safeguards.
So what’s the fuss? It seems several insurance companies are still behind when they look at payouts versus premiums. The Managed Services Providers (MSPs), your IT specialists, have been running into a very deceptive tactic all across the U.S. You may have allowed the insurer to run a scan of your network as part of your insurance application process. In some cases (not all, of course), when these scans come back, there may be questionable findings, or things that look concerning. The insurance company presents these to you, says it can’t renew the policy given the results, and offers to put you in touch with ‘its’ MSP to get everything cleaned up.
Why would they do that? Why not offer to share the results with your MSP so your existing team can remediate what was found or, in some cases, debunk some of the findings? For many of our clients there is no local network to speak of, just a workgroup behind a firewall, with the servers in the cloud; an external scan of the firewall tells you little about those cloud servers, and it won’t include the at-home computers, which are the machines most likely to be at risk. So why would they offer ‘their’ MSP?
It turns out that one of the fastest-growing players in the IT community, and one of the largest sellers of Compliance Manager licenses, is an insurance company! The scan results are delivered with some technical requests and something like ‘While we understand this contingency is technical in nature, please note that our security team is available to assist in the implementation of remediation measures.’ The recommended MSP gets the additional business, and the insurance company gets a commission (a kickback) for referring the service, which further helps it recoup its losses.
To be fair, sometimes a scan will identify something that genuinely needs attention. Keep in mind, though, that an outside scan only sees what is exposed at your perimeter, and many of its findings are inferred from software version numbers and banners rather than confirmed, so false positives are common. Any scan results should be reviewed by your current IT group, your trusted advisor, before you act on them. If all you get back is ‘geek speak,’ get a second opinion.
What to do next? Please connect with us (or your IT group) on a regular basis to review your security and systems. Thoughtfully consider the recommendations, then open your checkbook. You insure your car and still lock it. Insure your technology and still take the recommended precautions and safeguards, including staff training! Let’s dive in and make a plan! – CMW