Help Your Clients With Cyber Insurance Questionnaires…But Protect Yourself
As cyber insurance becomes a necessity rather than a luxury, our clients are increasingly asked to answer lengthy questionnaires regarding their cyber security measures. They often approach their MSP for assistance in filling out the questionnaire. After all, they depend on their MSP to manage their network.
Most MSPs are happy to help their clients with this as they see it as a value-add. Also, first party cyber insurance carried by their client is a benefit to the MSP as it shields the MSP from potential primary claims in the event of a breach. In fact, many MSPs are now requiring their client to hold first party cyber insurance within their Master Services Agreement (MSA).
At our recent offsite in Dallas, Texas OTX Roundtable members discussed the practice and some of the precautions they should be taking when assisting client with cyber insurance questionnaires.
A recent lawsuit, Traveler's Insurance vs. International Control Services drives the point home. In this case, Travelers did not simply deny a cyber insurance claim, they sued the client to nullify the policy. The insurance company cited the fact that ICS claimed is had implemented Multi-Factor Authentication on their questionnaire. However, after a breach was investigated, it was discovered that ICS had only implemented MFA on portions of their network, not every ingress point. Travelers prevailed in the lawsuit nullifying the policy and likely recovering legal fees.
For MSPs helping their client complete the questionnaires, the stakes just got higher. Were such an event happen to their client, the client would likely sue for damages due to incorrect answers provided by the MSP.
Clients are often under the mistaken impression that their own cyber security and compliance is the responsibility of the MSP. When asking the MSP for help in completing the questionnaire they may assume the MSP is ultimately accountable for all answers provided, at least the technical ones. This could not be further from truth. It is the client that is submitting the questionnaire and attesting to its accuracy.
However, MSPs must be clear with their clients as to the services they provide and what is included. These are typically defined in their MSA and subsequent service orders. Not only does this make it clear to the client the responsibilities the MSP is taking on but it also defines the limitations of liability associated with those services. Those limitations of liability are applicable only to those services declared in the MSA or service orders.
An MSP is engaged in assisting a client with a cyber security insurance questionnaire, whether as a courtesy or as a billable engagement, is providing a service to the client. If that service is not declared in their MSA with the client, none of the protections provided by the MSA apply. In a case such as the Travelers incident, the MSP could be held liable for misinformation provided in the questionnaire.
At the OTX Roundtable Offsite, presenter Rob Scott of Scott and Scott LLP offered solid advice to our members. According to Scott, their latest iteration of their master agreement essentially states "we may fill it out and help you with it from time to time but the information is yours and any adverse reaction by the carrier, either in underwriting or claims, is not our responsibility."
So what's an MSP to do?
Make sure your contract stack is clear as to the services you are providing the client.
Regardless of whether you assist clients with cyber insurance questionnaires as a courtesy or a billable engagement, declare it as a service in your MSA.
Make it clear to the client that they are ultimately responsible for the cyber security on their network. When they sign the cyber insurance questionnaire they are attesting to its accuracy.
Work with legal firm that is familiar with the managed services to craft you contract language. Keep your contract stack up to date with recent developments in the threat landscape.