“A managed service provider is seen as an outsourced IT department,” said Eugene Eychis (pictured), Director of Cyber & Tech Underwriting at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), member of the Tokio Marine HCC group of companies headquartered in Houston, Texas. “They provide a variety of IT services, such as data hosting, backup and recovery services, network management, software updates, and security monitoring.”
While the largest companies use them, small and medium-sized businesses also tend to rely heavily on them.
MSPs allow such companies to “focus on their core business, save money by not hiring an in-house IT staffer, which can be expensive, and trust that their IT systems are run by IT experts,” Eychis said.
The most common type of policy for MSPs is a technology errors and omissions policy.
“MSPs are actually the most common type of class that we see when underwriting technology companies. They are pretty ubiquitous,” he said. “We have a lot of experience writing them directly, as well as many of their clients. MSPs are used by a variety of businesses and industries, from education, to manufacturing, to healthcare. We see both sides of the exposure: the MSPs themselves and their clients.”
Unique challenges
MSPs can operate anywhere, and that comes with challenges when it comes to cybersecurity. Eychis explained: “Due to the large number of customers they have, MSPs have access to a wide range of customer data, which typically makes them a valuable target for hackers.” Often multiple clients are managed on the same service or network, “which can increase the risk of an attack,” he said. Essentially, hackers can gain access to the IT systems of multiple companies at once.
MSPs typically have administrative privileges that give them “special system-level permissions that allow users to make certain changes.” Hackers who get into an MSP could then suddenly find themselves with these privileges in hand, able to “install software and access various important files.”
Many MSPs rely on RMM (remote monitoring and management software) to “gain remote access to their customers’ systems. If the MSP system is compromised, hackers can use that same RMM software to gain access to their customers’ systems and install malware or launch ransomware attacks.”
This makes an MSP something of a treasure trove for a hacker.
“From a hacker’s perspective, it’s much more valuable to gain access to an MSP that has many customers with sensitive data rather than trying to gain individual access to several separate businesses,” Eychis said. “Once inside the MSP network, a hacker can potentially request a ransom demand from the MSP and/or can request individual ransoms from individual MSP customers. We’ve seen this play out,” with a ransomware attack claim, where the hacker requested a large ransom demand from the MSP, and affected customers received smaller ransom demands.
This creates a situation where the MSP faces liability for its clients, not to mention reputational damage.
Solutions
So what can MSPs do to prevent a ransomware attack and help better protect themselves from a potentially ruinous situation?
“There’s definitely not some kind of silver bullet, but a combination of key things will go a long way,” Eychis said.
These may include:
- Have MFA (multi-factor authentication), especially for RMM.
- Have EDR (endpoint detection and response) for all endpoints. EDR is a tool for continuous monitoring, which records and stores behavior at the system level, as well as detects suspicious system behavior.
- Have offline system backups.
- Conduct phishing training with staff.
- Be selective and restrictive about who has special administrative privileges, as well as conduct periodic reviews of those accesses.
- Make sure you have adequate cyber insurance from a provider who has experience with MSPs.
On the last point, he explains that a policy can “help mitigate the costs of a ransomware event. And the coverage is relatively inexpensive relative to the potential monetary and reputational damage of having a ransomware attack and having to deal with it without insurance.”