The role of cyber insurance when using managed service providers
Insurance for professionals – how to protect yourself and your clients
For New Zealand professionals in various fields, including accountants, lawyers, financial advisors, and others, it's important to have effective cyber security risk management and cyber insurance to help protect your business, clients, and confidential information. Cyber threats and cybercrime are on the rise in New Zealand, with small to medium-sized enterprises (SMEs) increasingly being targeted.
According to the NCSC Cyber Threat Report 2024, New Zealand experienced a total of 7,122 cyber security incidents in the past year, reflecting a significant increase in cyber threats. Phishing attacks remain a prevalent tactic, with cybercriminals often impersonating trusted entities to deceive individuals and organisations. The report highlights that 60% of reported incidents involved phishing attempts, underscoring the need for heightened vigilance.
Cyber security is something all professionals need to take seriously.
Cyber risk and Managed Service Providers (MSPs)
Many accountants, lawyers, financial advisors, and other professionals use Managed Service Providers (MSPs) or technology partners to assist with housing confidential data and providing technology services. While these services can greatly enhance business functionality, using MSP services does not eliminate or reduce the need for you to safeguard against the cyber risks your business can face.
Managed Service Providers (MSPs) - who are they and why use them?
Managed Service Providers (MSPs) are typically technology experts who can provide vital technological support services, allowing your business to focus on what it does best - servicing the needs of your client base and offering timely professional advice.
Specifically, MSPs might:
- Provide technology support.
- Store and protect confidential and sensitive client data.
- Monitor your systems.
- Troubleshoot your technology.
- Upgrade your practice software when needed, and more.
MSPs, cyber security, and risk management
If you use a Managed Service Provider (MSP) for data storage and technology services, and your MSP has access to your IT systems, adequate cyber insurance is more than prudent; it's a 'must.'
Because MSPs have access to a large quantity of confidential data, they are a target for cybercrime: a single cyberattack has more potential 'victims.'
Cyberattacks targeting MSPs are generally outside of your control, yet they can directly and seriously impede your own business financially and operationally, as well as damage your reputation.
5 reasons why professionals should have cyber cover (even if you already use an MSP)
- Shared responsibility: Even if your Managed Service Provider (MSP) has security measures and insurance, your firm can still be held liable for incidents involving client information. A cyber insurance policy can help cover the costs associated with these situations.
- Coverage for breaches and attacks: Cyber insurance typically covers a range of cyber-related events, including data breaches, ransomware attacks, and other cybercrimes. This protection can help mitigate financial losses and cover legal expenses.
- Client trust: Having cyber insurance demonstrates to your clients that you are committed to protecting their sensitive information. 'Walking the talk' enhances trust and may even be a requirement in contractual relationships you have with them.
- Limitations of your MSP's insurance: Your MSP's insurance may not cover all aspects of your specific liabilities, especially those related to the services you provide. Therefore, having your own policy is essential.
- Regulatory compliance: Significant data breaches must be reported under the Privacy Act 2020 to the Privacy Commissioner, as well as to individuals that are affected. Adequate cyber insurance could help with the cost of notifying affected individuals.
Proactive steps businesses can take to minimise cyber risk
Within your practice:
- Don’t share more data and administrative access than necessary.
- Ensure MSPs have unique accounts that can be tracked, monitored, and access removed if necessary.
- Regularly upgrade your business applications to implement important security updates.
- Conduct cybersecurity training for all employees covering effective cybersecurity practices, common threats to be aware of, and how attacks can occur.
With your MSPs:
- Evaluate your MSP's cybersecurity practices, including network security, compliance with industry standards, employee training, risk monitoring, contingency plans, data privacy, and application security.
- Determine what business data is more sensitive if stolen versus other data that may be more disruptive if unavailable. This assessment will help you determine the potential risk level that each MSP poses to your business.
- Ensure both your business and your MSPs enable multi-factor authentication.
The cyber threat landscape is rapidly evolving. If you use any digital technology, consider discussing cyber insurance cover with a Marsh professional insurance broker. They can help you assess whether you have adequate cyber security cover for your business.