Guest Post

MSPs need state societies before governments regulate them

Before more states follow Louisiana around regulating MSPs, providers need to band together and create an industry organization to ensure they have a voice in any future laws.

Dave Sobel is the host of the podcast "The Business of Tech" and co-host of the podcast "Killing IT." In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

This week, Sobel sits down with Joseph Brunsman, who is an insurance broker specializing in cyber insurance. They discuss cyber insurance lawsuits involving MSPs and how the MSP industry needs to develop state societies to regulate itself before more laws get passed without their input.

Transcript follows below

Dave Sobel (Host): Today with Joseph Brunsman. Joseph welcome to the Business of Tech.

Joseph Brunsman: Hey thanks for having me, Dave.

Sobel: Before we dive in, why don't you give everybody a little bit of background on who you are and why you're thinking about the managed services space.

Brunsman: I have a degree in robotics. Used to be called systems engineering but it confused everybody, so they changed the name. I [graduated] from the United States Naval Academy with a master's in cybersecurity law. And, I really just kind of started where the MSP community just really appreciated some general considerations about insurance that I was putting out there.

I'm an insurance broker by trade specializing in cyber insurance and technology errors and omissions insurance. And so, it just kind of hit off from there and then I just went down this rabbit hole because I love nerding out with other people who love nerding out on stuff too. That's kind of the genesis for all this.

Sobel: I want you to talk a little bit first around your thinking on insurance like errors and omissions (E&O) versus cyber, and what needs to be in there.

Brunsman: Sure.

Sobel: You said a couple of things that were certainly interesting to me in the way that I was thinking about insurance, that is going to be the baseline for our conversation. Tell me a little bit about your thinking about what an MSP needs. What a technology service provider needs from an E&O perspective.

Brunsman: From an E&O perspective, the one thing that I would say everybody needs to understand is that all those policies are different, right? So, obviously, they have to look at their own policy. But generally speaking, tech E&O has really two parts to it: There's something called third party and first party. Third party would be when a client sues you for something and a first party would be when you have a breach of your system and you're going to need forensics and potentially an attorney, et cetera.

So, there's really two sides to the tech E&O world which becomes important because, increasingly, it seems like a lot of MSPs are going, "Okay, well, do I need cyber insurance?" That's the next big question.

Sobel: That is the next big question.

Brunsman: I did make a video about this on my YouTube channel where people get a little more of the specifics. But the gist of it is a lot of that first-party coverage that I was talking about, you know, most tech E&O policies will have some provisions for credit monitoring, breach notification, the forensics, the attorneys, et cetera.

Cyber insurance actually grew out of the tech E&O world. So, in most circumstances, if you get a cyber policy with a tech E&O policy, you could have an overlap in coverage. Now that's not good because there's something called a mutually repugnant other insurance clause.

Sobel: The best named clause ever.

Brunsman: It's not like having twice as much insurance is twice as good. What that boils down to is depending upon the circumstance, if you have an issue, you could end up actually paying both those deductibles but still only having the same level of insurance that you would have had to begin with. So, it really depends upon the business. There are certain things in a cyber policy; for example, we were talking about bricking coverage, cryptojacking, like voluntary shutdown business interruption coverage. There are specific coverages that you really can only find in a cyber policy that you can't find in a tech E&O policy. But it's really going to depend upon that specific business.

I'd say for most MSPs, they probably are not going to get a cyber policy.

Sobel: Okay, now that we think about the knowing, okay they're generally going to have that. But then I want you to help us understand this. Tell me what's going on in the insurance market. Here's the context for that question. I keep talking to MSPs, I've got several of them that are all telling me that their insurance is going up dramatically. That it is, they're seeing 40% increases. I talked to one MSP that was talking about the fact that they were initially denied because they ran their technology on their own servers rather in a cloud.

It's clear that this market is getting a little wise to what's going on in the MSP space. From your perspective, as an expert on the insurance side -- what's happening to the market here?

Brunsman: So, it's really, it's a confluence of different events that are, that are actually coming together, which is increasing the cost of insurance for MSPs. Part of it is actually just COVID-19 related, where insurers, they're putting back these huge reserves because they're not really sure how the courts are going to deal with those business interruption losses. They're saying, "Okay, maybe we have to put a few billion dollars in this bucket just to wait."

In the meantime, we have shareholders, right, we have a stock price; obviously the CEO's very sensitive to that. We need to raise rates in some of these historically kind of lower premium businesses because we think that, we can pad the stats there to bring that in.

The other part of it is, obviously, the regulatory environment. That has insurance companies scared. Anytime a new line of regulations comes out, they're very sensitive to that. The other part of it is really the lawsuit environment, right? So, what is the legal environment that's currently occurring?

At the end of last year, I talked three different businesses out of suing their MSP following a breach of their system. And as I'm looking at kind of the legal record across the United States, and talking to more and more MSPs, there are more lawsuits that are being brought against MSPs specifically for a breach.

Sobel: And that's the trend I've been seeing too, that's the trend. I've reported about a number of these lawsuits that are starting to happen more. It's interesting to hear you saying you're talking people out of it. That almost says that there's another whole group of lawsuits that were talked about that didn't happen. Is it a fair statement to sort of think of this that the insurance companies are realizing there's a lot more risk here than there was before?

Brunsman: Yeah, certainly. I went through something called the Westlaw, which is like the giant compendium of all lawsuits, uh, in United States like going back to before the Revolution.

It was really hard, historically, to find any lawsuit that really centered around an IT service provider, or an MSP, or SaaS provider; they didn't even have the names right. It was really hard to just even have a court define what that thing was. And then you see it's really starting to ramp up now because it's a tough economic environment anyway for both insurance companies and for the clients of MSPs. And they're getting sued for things that you wouldn't imagine that there would be a lawsuit for. For example, the bookkeeper had an MSP's client wire $2 million out the door to some like malicious third party and that disappears.

Sobel: Phishing, classic phishing attack, right?

Brunsman: Classic. And, easy to overcome in retrospect. But what's that company going to do? Are they going to go out of business, fire all their employees, lay everybody off? Are they going to go their own insurance company and hope to God it gets covered? Maybe they don't have the right insurance for that; they're going to come back against the MSP.

So, there are instances where I would argue that, legitimately, the MSP should face legal action for some sort of negligence or malpractice. But then there's also a whole slew of lawsuits where it's somebody's out a ton of cash, they don't understand technology, which is why they have an MSP in the first place.

Arguably that MSP probably could've provided additional controls, or at least offered them to try and prevent that. But needless to say, when you have millions of dollars on the line, people start getting a little litigious, I would say.

Sobel: The analogy I keep using on this is, let's call out what's happening right? Armed gangs of organized criminals are breaking into businesses, using weaponry, right? We can distinctly call this stuff weapons and they're holding business owners hostage. If this were happening in the streets, there'd be calls for police action and government intervention. And we all know, as technology people, this is happening every single day.

I think it's fair to say the insurance companies are waking up to that.

So, the other thing you mentioned is, let's talk a little bit about the regulatory environment. I’ve covered that on the show, and you came to my attention because you also mention this in your own YouTube channel. Let's talk about this landscape and what regulators are thinking. From your perspective, you know, what's happening here from a regulation perspective?

Brunsman: I think from a regulation perspective, various entities within the states, whether it's the attorneys general, secretaries of states, various legislation bodies as it were. They understand that there's a problem, they don't really have anybody to go to help them understand that problem, which I think is probably the biggest takeaway from this. They don't really have the background to understand this problem, but they're like, "Okay we have to do something."

And so what ends up happening is they do something that is, arguably, worse than probably having done nothing at all because there wasn't the requisite input necessary to actually make that statute meaningful and really have purpose behind what they were trying to do.

It's just like the California breach notification law. California was the first law to pass for breach notification. Nobody really cared and then all the states followed, and the dominoes fell.

And so, for MSPs, I think it's going to be much the same way.

Sobel: So, I would assume, it's fair to say you have a little bit more expertise, the insurance companies have lobbyists and regulators to get involved here right?

Brunsman: Oh sure. Yeah.

Sobel: What's missing here? What's missing to get this right from your perspective?

Brunsman: What I think needs to happen in a quick hurry -- and I mean like this has to start now. Because, you already had that shot across the bow. There have to be state societies for MSPs and MSSPs. Every other profession they have those state societies, and the primary function of those state societies is to actually lobby on behalf of their members. And so unless there's kind of this upswell and organization in the MSP community to actually create these state societies, to do some sort of self-governing with the code of ethics, et cetera, I think that increasingly states are just going to throw legislation on service providers that is bad legislation, that doesn't necessarily make sense, that doesn't necessarily fix the problem. But nonetheless, if that law gets passed, that's the law.

So, I think it behooves everybody in this industry to really start thinking about, "Yes there are some bad MSPs out there and, you know, they need to be regulated." I think the industry in and of itself needs to start thinking about, "Okay how do we fix that problem and how do we steer the ship moving forward so that the legislation that does get passed, because it's going to come one way or another, is actually like pertinent and useful to both MSPs as well as the public at large?"

Sobel: You said something that I agree with and I'm going to jump on it as it's happening one way or the other. What would you say to those providers who are out there going, "Well I'm good enough, I'm good at my job, I don't need to worry about this because, you know, they'll pass it and I'm delivering better than any law." What would you say to those providers?

Brunsman: I would say, quite frankly, "You don't know what you're talking about honestly." Because when you say you're better than any law, we don't know how that law is going to be interpreted. What you're essentially saying is, "Hey I would wager hundreds of thousands of dollars that I'm doing better than the other guy."

And personally, like I would not do that right? I want to know what the law means. I want to make sure that, at the minimum, I'm complying with that. And in a lot of regards, the way that these laws are written is, when it comes to enforcement and actually interpreting some of the provisions of these laws, the government's the hammer and someone's going to be the nail.

And so, to actually create a standard in the court system about what somebody's supposed to be doing, they're just going to bring some monster lawsuit against an organization and then that organization. I mean, are you going to fight the state? You don't have the funding that the state has, and they're going to make an example out of you. So, I would just say like they're on the wrong side there, right? If they think they're going to escape this, it's just not going to happen, it's not going to happen.

Sobel: So, the other refrain that I keep hearing is this idea of, "Well government gets it wrong all the time so what does it matter?” Do you think is it essentially the same argument or do you think there's another reason when someone says that?

Brunsman: Well so, you know, I do insurance for really all types of organizations. When you look at other professional services organizations such as accounting firms, law firms, architects, engineers, frequently they actually get it right. And the reason they can get it right is because they have this huge body of members that are lobbying that state to actually influence the legislation in a meaningful way.

I think the better argument is the government's going to get this almost entirely wrong except by accident unless the community actually moves forward and has these bodies where they can actually start influencing that legislation. You get, it's going to happen right as we keep saying, it's going to happen one way or another so you might as well have a meaningful voice in that piece of legislation.

And let's say something bad gets passed. That's what those state societies are for, right? They go back and they try and get that legislation changed, they can put together all of the pertinent data sets necessary to prove to that lawmaker that, "Hey, this isn't working how we thought was going to work. Here's a better example of something we think that would be more meaningful to actually get to the root of the problem."

Sobel: We've talked about the community of MSPs that need to get involved. And we've also talked about kind of the insure, insurers and how they're probably going to get involved. Who do you think the other kind of key stakeholders in this discussion are that need, that get, that need to be pulled together?

Brunsman: Any other industry experts. People in the certification sphere. I think that's going to be a huge element on the input here because eventually there's going to be some minimum certification probably that an MSP has to have.

We're already seeing that with other types of government regulations. For example, if you're a government contractor.

So there's going to be these minimum levels of certification necessary to provide services to, for example, financial services companies or merchants dealing with PCI DSS and payment cards.

I think there's going to be increasingly some level of certification that has to happen there, so I would personally love to see, you know, someone like CompTIA or whoever it would be actually coming forward and saying, "Okay, well here's kind of like some minimum baselines of certification that we think legislators, uh, could actually rely upon in, in a meaningful way."

Otherwise, if a guy hangs a shingle and says, "Hey I'm an MSP” then they're going to compare that to the guy who's like, "Well I'm a CPA. I'm licensed in state right. I've got 150 credit hours, I had to pass an exam that's overseen by the state, et cetera, et cetera, et cetera."

And it's just not going to hold water. There's going to have to be some meaningful certification there from I think the certification bodies that just have decades of experience doing this to help kind of guide that ship to a meaningful place.

Sobel: That makes a lot of sense. If I give you the magic wand, right, and you can wave it and give whatever piece of knowledge or mastery to this group what would be that takeaway for a technology services provider?

Brunsman: I'm an insurance guy so I guess first thing would be like, "Hey, make sure you have the right insurance." Probably number two would be, "Make sure your clients have cyber insurance."

But as pertinent to this conversation, I would just tell people that the time is coming. The industry has gotten this far, you've done well you've grown without that type of regulation. That time is over, you're now large enough where the government's starting to really take a close look at what you're doing.

And so really, it's up to every MSP because right now it's just kind of this like loose confederation of people all across the country. And if every MSP just goes, "Well, I'm going to let somebody else deal with that" then no one's going to deal with it and it's going to be an issue.

There's nothing stopping the biggest MSP in every state from just getting together, working with the other MSPs and saying, "Okay, let's, let's at least start trying to solve this problem, and move forward in a way that's productive for everybody." Because it's coming.

About the author
Dave Sobel is the host of the podcast "The Business of Tech," co-host of the podcast "Killing IT" and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing, and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.

Next Steps

MSP industry regulation and how providers can shape it

Dig Deeper on Regulatory compliance for MSPs