There are a lot of objections from the SMB, especially when it comes to security. Some say they’re too small to be targeted. Others suggest the protections and policies are simply too cumbersome compared to the risk. One of rising objections, based on the feedback the IoTSSA team has received from the MSP community, is that it’s cheaper for SMBs to buy cybersecurity insurance than to procure their services. That topic was on many providers minds at last week’s IoTSSA Security Roadshow in Edison, NJ.

On the surface, that seems like a logical argument. Why pay out a decent sum of money each year for an IT security plan that has no guarantees when a less expensive insurance policy will cover your costs if a lapse were to occur?

The answer is in the fine print, but before we get to that, let’s put some context around the challenges and costs associated with this issue.

MSP-delivered cybersecurity protections can be a significant investment for the SMB. Between the tools and proactive services required to properly protect each endpoint, ensuring compliance with all relevant laws and industry standards, and implementing company best practices, adequately securing a business takes a lot of time and effort today.

No Guarantees

The caveat is, even with those measures and continuous network monitoring, the bad guys may still find a way into business systems. MSPs can’t and should never guarantee 100% protection. It’s simply not possible with the sophistication of today’s security attacks and the necessary inclusion of security’s weakest link ‒ people.

There is no way to stop a determined hacker ‒ though providers can make it difficult ‒ or keep clients’ employees from making poor choices, like opening suspicious email and disobeying security protocols. As IoTSSA speaker Bobby Kuzma says, “You can’t patch stupid.”

That’s where the cybersecurity insurance objections often come in. Many businesses shell out a lot of money each year for policies they believe will cover their mistakes and lack of adequate protection. Some of those companies will discover a little too late ‒ after their systems have been locked down by a ransomware attack or a hacker gains access to their valued data ‒ that they should have read the fine print.

Failure is Expensive 

What your prospects don’t realize is that most insurance companies don’t assume unnecessary risk. You don’t get to be a Fortune 500 corporation by making poor investments.

Cybersecurity insurance plans typically provide detailed expectations for the insured, such as which types of tools, processes, and policies must be in place. If not implemented and an attack was to occur, they may deny the claim in its entirety or pay a small part of the damages.

Insurance policies are, by design, constructed to protect people and businesses from accidents and unforeseen problems. Those knowingly flaunting laws and commonly recognized practices usually accept some liability. For example, some insurers will not pay out on an accident claim if the insured driver was under the influence of drink or drugs.

Ignoring regulatory compliance and basic cybersecurity standards may have the same effect for SMBs. If they haven’t made a “good faith” effort to implement data and network protection protocols and best practices, they may find themselves in a real jam if a breach or other attack were to occur.

MSP + Insurance = Total Protection 

First off, those businesses likely won’t have a security specialist on top of the problem from the minute it happens ‒ if not earlier. The steps taken immediately after an attack can lessen the damage, reduce potential fines, and get the company back up and running quicker. What’s that support worth?

For example, those choosing to go it alone with just a cyber insurance policy may find themselves waiting a long time before receiving a payout. In most cases, their insurance company will have to process a claim and investigate the situation before any financial or technical benefits are extended.

Unless the affected business engages its own cyber forensics firm to speed the process ‒ incurring astronomical charges for this emergency service ‒ it will likely take days, if not weeks to get paid. That is, if they don’t discover something that voids their claim.

Meanwhile, the business will have to front all the costs to remediate the issues and restore their systems. If their claim is denied, with no financial payout and serious security issues to address, how many SMBs would be able to recover?

As you can see, the cybersecurity objection should start a conversation, not end it. With the escalating threat landscape and increased compliance requirements, most SMBs will benefit from having the support of an MSP as well as a solid cybersecurity insurance plan in case the inevitable attack does occur.

That total protection will undoubtedly cost more, so compromises may be required. A great way for MSPs to increase their knowledge and their ability to carry on these conversations with their clients is to align themselves with a reputable broker. Find a regional professional able and willing to work with channel professionals, that go-to expert who will put you and your clients first.

Talk to your peers about cybersecurity insurance brokers. Ask for recommendations and examples of claims and other MSP-related experiences. The more you know, the easier it will be to strike up a conversation instead of walking away without gaining your prospects’ trust ‒ and their business.

Brian Sherman,