
The role of cyber insurance when using managed service providers

As businesses become more reliant on digital technologies, they are increasingly turning to managed service providers (MSPs), also known as technology providers, to help them harness greater administrative efficiencies, remain competitive and gain market share. In fact, a 2019 survey [1] by the Australian Bureau of Statistics found that 50.1% of small businesses and 65.7% of medium businesses in Australia use an external cloud service provider.

Understanding the potential cyber exposures when using MSPs

There is no doubt that MSPs can offer your business access to quality services and platforms in a cost-effective way, removing the need for companies to invest heavily in establishing these from the ground up. However, using MSPs does not come without material risk. These third parties manage sensitive client data, supply foundational software platforms and often have privileged access to their customers’ systems. This makes them an attractive target for cyber attacks – and by targeting a single technology provider, the potential victim pool is significantly larger. A study [2] by Soha Systems found that ‘63 percent of all business data breaches resulted either directly or indirectly from access via third parties, such as outsourcing contractors and suppliers’.

Cyber attacks can be disruptive, expensive and damaging to your business’s reputation. It is critical that you consider the cyber risk exposure that could arise from using an MSP to manage your data, especially if your MSP has access to your business’s IT systems. Cyber attacks targeting MSPs are generally outside of your control, yet they can directly and seriously impede your own business financially, operationally and reputationally.

Because all eligible data breaches must be reported under the Notifiable Data Breach scheme to the regulator (Office of the Australian Information Commissioner) as well as affected individuals, a breach can leave your business exposed to potential regulatory actions if MSP requirements are not complied with.

An MSP incident [3] involving a software company was reported in 2021, when it was discovered that threat actors used their software platforms to deploy malware to their extensive client base, which consisted of federal agencies and private sector businesses. The exposure arising from third-party technology providers is so significant that the Australian Cyber Security Centre published a case study [4] of an Australian company that had been compromised via its MSP, outlining the key findings and mitigation strategies in a detailed document.

The role of cyber insurance

A cyber insurance policy is an extremely valuable risk transfer tool for any business. Just as you rely on MSPs for their specialist services, one of the most valuable components of cyber insurance is priority access to specialist vendors who can assist in containing and managing a cyber incident. Having immediate guidance from experienced professionals can help protect your business’s reputation and finances, and can help minimise any damage or disruption from the cyber attack.

With a cyber insurance policy in place, access can also be made available to cybersecurity training modules and risk awareness videos as part of your business’s policy, helping your business and your team to identify and prevent cyber attacks.

Proactive steps SMBs can take to minimise their risk

MSPs and the services they provide are invaluable for businesses like yours. To help mitigate the risk involved, take some proactive steps:

  • Don’t share more data and administrative access than necessary.
  • Ensure that third parties have unique accounts that can be tracked, monitored and access removed if necessary.
  • Regularly upgrade your business applications to implement important security updates and patch applications to protect against known software vulnerabilities.
  • Conduct frequent cybersecurity training for all employees covering effective cybersecurity practices, common threats to be aware of, and how attacks can occur.

Holistically evaluate:

  • Which third parties currently have access to your business data and systems?
  • What data and systems do they have access to?
  • Why do they have access?
  • When does your business regularly review this access to ensure it is secure and still necessary?

Enquire with your third-party service providers about their cybersecurity practices including network security, compliance with industry standards, employee training, risk monitoring, contingency plans, data privacy and application security.

Determine what business data is more sensitive if stolen, versus other data that may be more disruptive if unavailable. This assessment will help you determine the potential risk level that each MSP has to your business.

Ensure that multi-factor authentication is enabled by both your business and third-party service providers.

Reach out to experts in the field of cyber security consultation and cyber risk insurance to provide additional professional assistance, if required.

The cyber threat landscape is complex and rapidly evolving, meaning that no business – large or small – is safe from cyber threats. If you use digital technologies in any way in your business, you should consider seeking advice from a broker with cybersecurity expertise who can help you assess whether you have the right cyber security cover for your business, and put risk mitigation plans in place. 

[1] Australian Bureau of Statistics, 2019, Characteristics of Australian Business, 2017-18 financial year
[2] Soha Systems, 2016, Third party access is a major source of data breaches, yet not an IT priority
[3] SolarWinds, 6 April 2021, SolarWinds security advisory
[4] Australian Cyber Security Centre, 2018, MSP investigation report


This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.
