ResourcesCommunity Fireside Chat | The Evolution of Cyber Insurance: Rethinking Carrier Vendor Panels
Cyber insurance carrier vendor panels have come a long way from simple lists of approved responders. Today, they’re dynamic ecosystems shaped by claims data, evolving threats, and tighter regulatory expectations.
In this Fireside Chat, we’ll get into how carriers are refining their vendor selection and response processes—and what that means for MSPs, security vendors, and insured organizations. We’ll discuss what’s driving these changes, how they impact response outcomes, and how to stay aligned in an insurance landscape that’s moving faster than ever.
Don't focus on best in class. There's a real delicate balance. If you always put the client experience at the forefront, you will make good decisions. When chaos hits, you need to have a playbook. And with that, we are live with the last fireside chat of twenty twenty five. It took me four months of the year to remember to say twenty twenty five instead of four. So just know that by next month, I will not remember that it is twenty twenty six. Welcome. Today, we're gonna be talking about how carriers, are refining their vendor selection panels. It's a whole bunch of cyber insurance talk, and I have two amazing experts on with me today that will not only be able to talk about what we planned on talking about, but can also answer a number of your questions. So, please, let's keep the chat and the q and a really busy, and let's let's try and stump these guys today. I am Becky Teal. I host most months for Huntress Fireside Chat, and I'm our community lead here at Huntress. And, I'm gonna go ahead and have my wonderful panelists introduce themselves. Travis, your first time on fireside chat. Would you please introduce yourself? Absolutely. Thank you, Becky. So my name is Travis. I live in South Dakota. I am the cyber insurance practice lead for Yukon, which is a fancy word of I'm the guy that reads the insurance policies. So I'm not a lot of fun at parties, but I do enjoy insurance. Wow. Definitely not a lot of fun at parties if that's how you introduce yourself. Travis is the is the in house cyber nerd who reads policies for fun. So I'm over here reading, like, Stephen King novels, and he's like, dude, did you see this coalition policy? Talk about a thriller. Thanks. And I've been on here before. I guess I'll go, Becky. Please. I've on here before, my name is Will Brooks. I'm the channel chief and VP of sales at at Yukon. And, also, I'm excited to be doing a fireside chat in a month where people will actually have fires in their fireplaces. Like, that's that's good. That is see? We themed it out properly today. I think my favorite line of the day, though, is gonna be Travis. Bad at parties, good at insurance. That's good. That's the tag. Great one. So we did again, everyone in the audience, we did a prep call. We have a bit of content to get through today, but it's pretty rare to have two folks with this level of expertise on to talk about insurance. So, please, all your burning questions about why rates are doing the things they are, why it's so difficult to get your customers to talk about it, all of those things. These guys have wonderful answers on it. So let's talk a bit about the problem that you two see MSPs facing with cyber insurance. I know very broad start here. Yeah. I mean, I can I can kick off with that? I've been to I've done a couple of talks at some MSP conferences, and a continual question I get, and one that I think is really fitting for being on a Huntress webinar, is the is the competing or perceived competition of insurance carriers providing security controls to clients and the potential conflict of interest there, or, you know, are they are they marketing things? I see someone brought up a company that won't be named in the chat just because I don't wanna be that person. But, yeah, there's there's a lot of issues out there. And and without going into all the details, there was a email chain that went out where a carrier is literally offering free MDR service for the remainder of policy term just because they didn't like a particular vendor. And that's I don't know if that's completely verified yet or not, so I don't wanna say that that definitely happened. But there's definitely wind of such a thing happening. So immediately, we see MSPs get all caught up in that and say, well, wait a minute. They shouldn't be selling security services in the same way that I'm not, as an MSP, gonna sell insurance. And it seems like this this issue. And the thing I I do bring up is I agree. I don't necessarily want someone whose professional level of service is not in the thing that they're soliciting. In the same way, like, I'm not gonna go sell high level arcade cabinets because I don't really know what goes into a good one versus a bad one. Right? Like and that's a really random example. It was the first thing that came to head my head. But what it gets me thinking though is from a risk perspective, carriers have seen that MDR of all security controls, MDR is the one that prevents the largest claim payouts because you can stop an attack pretty much in its tracks and really minimize the financial impact of a lot of these attacks, especially things like ransomware, you know, direct into the network attacks. Not not necessarily funds transfer fraud or something like that, but, you know, a more a more direct attack, you can stop. And that a carrier looks at that and says, well, let me do the math here. I can potentially pay out less on a claim if I can verify that a client has MDR. So in my mind, as a carrier, I'm gonna be like, oh, well, I'm gonna provide this Because by providing this and selling this to my clients, it lowers their risk, which means ultimately, it pays out less. And specific to the comment Chris put in there, I was on that Reddit post this morning, and I I commented. I was like, I'm really curious because I don't have the financial data, but I'd be curious to know how much money carriers actually make from soliciting security controls versus how much they don't pay out on claims for people having that control in place in the first place. I think it's less to them about making money on the security and more to them about paying out less money. Do I think it's the right move? No. But I would really love to know that data personally. But that's that's my two cents on one of the biggest things I see MSPs coming up against. Travis, what do you got? Yeah. I'm I'm with you there. I think the real theme is proactive versus reactive. These carriers are reactive. They're getting their teeth kicked in, and their immediate immediate, response is, okay. Let's stop the bleeding. And rather than con being concerned about where their customers are getting security, they find a security solution that in their mind, again, these are not security experts. These are I'm gonna stereotypical stereo stereotypical what's Stereotype. I'm gonna stereotype and say that these are a bunch of old white guys sitting around a conference room going, this really hurts. Let's fix it. And so they go with that knee jerk reaction, and I've talked to some of these guys. And they do. They they say, okay. We know that companies with these MDRs in place, it may be causation. It may not be. It may just be a correlation. They don't necessarily mean the same thing. Sorry, Matt. I didn't mean to offend you there. No. He's he's are you offended by them, or are you offended by the comment, Matt? Just curious. Anyway, go on, Travis. But but these people are sitting in this room trying to make the hurt stop, and they are not being considerate of where these companies are act or where these customers are actually getting their security. And is that perfect? No. But, again, it's it's their interest that they're they're worrying about. And our role as, an insurance broker that speaks with carriers, right, part of my job is to have relationships with carriers. The other half is to have relationships with agents, and Will works with MSPs and end customers and vendors. We kinda sit in the middle of this, speaking all of the languages. And so part of what we're working on is letting your guys' voices be heard. Right? That's that's the end case there. Corey Corey asked something real quick before we get too far back. He just said he wants us a citation for a statistic that I gave. I think of the I don't know what statistic I gave, so I don't know if we had to pay it back. But I think it was more along the lines of carriers seeing that MDR severely lowers claim payouts. And to Travis's point, it could be correlation, causation, knee jerk. But it's often it is knee jerk. Insurance is often very knee jerk. So it's like a carrier could have a particularly good quarter, and they look at their data, and they're like, wow. I had a lot of clients with MDR, and I didn't pay out a lot of claims. So it must be the MDR that's doing the thing right. And, I mean, personally, I believe it does, but at the same time, like, I don't know, like and every carrier is operating kind of independently of every other carrier. So it's not based on, like, this. You don't have Huntress going out there and saying, here's our data on stop and the carriers are all looking at it on on their their iPads, looking at what Huntress just posted and said, I'm making my decision on MDR based on that. They're basing it on their own experience of claims payouts and what their loss ratios are saying. So while you do have a little bit of connectedness, like if one person starts doing something, I'm sure other carriers, and Travis could probably speak to this, I'm sure other carriers are like, well, I'm gonna get on board with that because if they're being successful with it, I should probably do it too. But I really think it's the law of large numbers as they continue to see things like a MDR actually lowering claims payouts, then you're gonna get more and more evidence that that's the case, and then you'll actually start to see it even more of a a reward. But even the fact that carriers are soliciting it themselves or a sorry. A a subsidiary technology company of the carrier or whatever they're calling it is soliciting it, shows me that they do take it pretty seriously. So And, I mean, we can look at historical data when you're when you're talking about that. So think about right after COVID twenty twenty one, twenty twenty two, the the name of the game was MFA. That's because Travelers posted a study that they did on all of their losses saying that MFA on email would stop ninety six percent of business email compromise. Now granted, this was a few years ago. That technology has kind of evolved. So as a security, we all know that. But that was a statistic that they put out there, and wouldn't you know it? The next month, every single carrier required it. Because they're like, well, ninety six percent's a big number. Right? Yeah. So and I think you've hit on something here that so much of these decisions are driven by actuarial data. And so there's not unfortunately, actuarial data doesn't tell you some of the story that, you know, in this particular quarter, there might have been a massive ransomware attack executed by a very specific group targeting this population. All they can see is we paid a lot out a lot more claims. And so when you can break down some of the storyline of some of it, there might be more causation than they realize, but it's all done with data. And I love that you called it iPads. I'm picturing them all with paper. Like, when I picture the white guy sitting around a table, it's paper. I can think of, like, two or three carriers that probably use iPads. There are some iPads. Alright. I like it. Or they're or they're trying to save money so they get, like, Android tablets or something. But, you know, offense to Android tablet users. IPads are just really expensive. So let's talk a bit more then or dig in a bit more on this evolution of the carrier panels. Travis, I know this is kinda your your area of expertise here. We saw them go from reactive to process driven. Talk a bit more about when they were reactionary. Like, where were they getting their data to determine what did and didn't work or what did or didn't constitute a good security stack? Well, everybody take out your tinfoil hats and put them on here. Again, when we're talking the Will, are you actually looking for your tinfoil hat? Yeah. I must have left it upstairs. When we're talking about big business that is insurance, right, we all know that the purpose of insurance is, one, to make money so that in the event that there is a claim, they have the money to pay it. If an insurance company is not making money, it means that they may not be able to handle a catastrophic claim. K. Now that that's out of the way, we all know insurance companies are good at making money. They've been doing it for hundreds of years, and they're not gonna stop anytime soon because that's part of their business model. Now in a line like cyber insurance, you mentioned the actu actuarial data. We don't have that for two hundred years. We have that on fires and natural disasters. We don't have it for cyber. So they got together, and they did what they do, business the heck out of this, and called all their business buddies that also may own security companies, may have stakes in it. And the first line of them like, think pre COVID. The first line of security vendors were people that they were friendly with. They may not have been the best. They they may not have even been good, but they were speaking the same language and came to amicable terms amiable terms. I suck at vocabulary. And that's where it started. Now evolve a couple years, and we're getting our teeth kicked in. We're like, amicable. Thank you. We're now evolve a couple years, and we're getting our teeth teeth kicked in, and we need to evolve again. We need to go, okay. We need somebody that's actually good at this. Again, they're already bleeding. The the damage has been done. They're like, okay. We gotta we gotta reel. Be reactive. Find the next best thing. What caused all that bleeding? So they put big old companies on their red list saying, you can't write companies that are doing this because we've been having major losses. Then that evolves, and it keeps evolving, and it keeps evolving. And what we've seen today is they're actually starting to listen a little bit. Right? Because they're purchasing companies that are actually specialists in this, and they're listening to those people that they just purchased. Most of the insurance companies in the last ten years have purchased a security company. Because, I mean, the first one, I think, was in twenty eighteen. They went out and bought the largest security company in Australia, and everyone's like, well, crap. That's a good idea. Like, then then we can control that as well. And that it's kind of evolved to now. Does that answer your question, Becky? I just kinda rambled. No. It does. So it helps explain because I I mean, I've only been following some the cyber insurance stuff for the last probably two or three years, honestly, since we started doing fireside chat. I was like, oh, this is the thing I wanna learn more about. And it I did see companies that were just kinda blacklisted. And when you looked historically, that company maybe two years before might have had a relatively significant incident of sorts where they took the blame. Whether it was their fault or not, it could have not been as big, but somewhere along the line, they would have caused insurance to have to pay out. And so that explains so given kind of the change in trends now, are you seeing them allowing some of those companies back in? Like, are they taking people off that list? Oh, a hundred percent. And but they're not doing it organically. Right? They're not doing it because they're out there doing the research and and saying, okay. Oh, yeah. Look at the loss ratios here. They they don't they're waiting for people to ask them. They're they're they're waiting for people to raise their voice and say, guys, this isn't really right that you're excluding them because a lot has changed in two years or a lot has changed in three years. And it'd be like us going back to your policy three years ago. It was completely different than it is now. Right? Everything is moving, and it's that proactive, both the security companies reaching out. It may be MSPs reaching out. I've seen both cases where they're like, hey. This we're being we're kinda being discriminated against because of something that happened a a while ago. We've changed completely since then. And then it's people like Will and I reaching out to our carriers going, please. Please. Just I'm begging you, please. But I I do wanna set a little more of a stage on how carriers operate because when oftentimes we're talking with MSPs, they're looking at insurance from the lens of cybersecurity, and cybersecurity evolves exponentially. Like, it's changing all the freaking time. Like, every year you've got not even every year. Every month, it feels like there's some new threat, some new attack vector that needs to be addressed from a security standpoint. And so we're looking at that, and then you look at the carrier and you're like, why are you not keeping up with this? This makes sense. You should be keeping up with it. Carriers have a history of being an industry insurance industry of, like, thousands of years old. Right, who have built entire their entire industry and way of doing business on understanding a risk and building actuary tables to help understand the risk. The real challenge is that the actuarial risk has to keep evolving with the threats of cyber. It's not like a fire that is the same every time. Like fire we know how fire works. We've discovered fire. We know how to protect against fire. We know the things that help protect against fire. We know how to put put fires out for the most part. It's just all that kind of stuff. Right? But now you've got cyber where you continually have changes and updates. So it's a whole different way of ensuring, something. Right? And so I think when you get that reactiveness from carriers and they need that input and that feedback, I do think, like, if you were to get on a blacklist for a carrier, it's probably a lot harder to get off than to just not be on a list at all. Right? Like, there's also this whole data collection thing that they do. So, I mean, Huntress, for example, right, was not on certain lists, and now they are on some of those lists. But part of the reason on that list is because Travis works his magic and goes to carriers and say, put them on the list. But there's also the actuarial side where they can then go back and be like, oh, wait. A ton of these clients had Huntress and they're awesome. You know, they they didn't show as many issues. And I think there's those two different approaches, right, that are that are really important. The carriers are consistently looking back on that stuff. The only problem is as you look back on that stuff, cyber keeps moving forward. So you you go into this accordion effect that really frustrates a lot of people. Well, we even saw it at one point when we were trying to get on one of the list because the carrier at the time was offering a discount if you use this set of providers, and we weren't on that list. And all we had to do is send them an updated screenshot, yes, a screenshot of our website because the one that they had was from a few years prior when we weren't categorized as an EDR. And it was a simple send them a screenshot. You had to get the right person paying attention, but then it was just a a screenshot of the website. They went, oh, okay. Cool. Like, it's there isn't anybody on their team responsible for staying on top of what the different tools are doing or what innovations they've added. Which makes sense. I mean Yeah. Again, they're not a cybersecurity company. Now when we look at it, it makes sense because you're like, well, don't you wanna know what the best opportunities are to protect your clients so that they're not gonna have as high of pay play out payouts, all client claim payouts, and all that kind of stuff. But really, they're like, well, if we have these list of five that we know work really well, we'll reward people for those. And then if people wanna write in things, great, and we'll do our due diligence on those and what it's just it's convoluted math stuff. Like, I almost went into actuarial sciences. I was a math major in college, and I looked at what was involved in that, and I was like, no, thank you. Like, it is very theoretical. All those proofs, all those all that deep theoretic theoretical math stuff goes into the formation of these actuarial tables. It's not just like some, you know, monkey on a a typewriter or calculator clanging symbols with his feet. You know? Like, it's a lot of it's a lot of mental math that goes on there. I, I have a cousin who actually is an actuarial tester, so he does the testing for it. He's fun at dinner parties. Yeah. It's it's a whole random science. So we do have a couple polls built in that can kind of help guide the next part of the conversation. So let's get that first poll up, and we'll we'll see. Oh, yeah. This was one of my favorite questions on there, Will. How much time do you spend on a single client's cyber insurance application? I like this question too because can't vote. You can't vote. I know. I know. Oh, that's okay. Yeah. We get a we get a nasty grim on the bottom that we're not allowed to sway the results. So we'll let everybody vote on that, and then we can get back to that topic. So I'm sorry. Go ahead. No. Please. What what were you about? This is to that topic. I just saw in at you know, about ten minutes ago, Chris Chris Robertson put in a chat, when will carriers just do an audit with scans instead of attestation forms, blah blah blah, like it is now? It's very fitting to this question. But then I always push back on that, and I'm like, do you want carriers doing crappy scans of your clients' networks? Or do you wanna install their agent on your clients' network? Like, what I don't know what if that's a good answer either. And that's, I think, one of the the big challenge of the right way to do this. And then there's also that's good. Less than an hour. That's nice. But I do think there's there's some real reality of because carriers do I said this earlier. Carriers are all operating independently too. It's like, who who builds the technology? Where does the technology come from? Who's accepting the use of that technology? It's it gets more challenging than because even a lot of people will be like, oh, you know, like Progressive where I could put that little thing in my car. And I like, that works great if you have Progressive as your policy. But what if you don't? Then you don't get that tool. Right? Like, it's it kind of but now you're looking at sea of cyber carriers who all have different underwriting guidelines. So they all have their own applications. And even though a lot of the questions are getting standardized, it's still a lot. But, I mean, it goes back to those questions are not proactive. They are reactive. They're asking about parts that have already came back to punch them in the face. They're asking about specific security controls that they know lead to claims that they've already paid out on. And when you have one carrier that may be very heavy in health care, they're gonna have a completely separate set of questions being influenced than one that's completely heavy in retail. Right? And so that's a lot of the time, it's these security questions. Yes. It'd be nice if they were all standardized, but the people writing them are writing them reactively. To that point, I'm looking at questions here. Yeah. Trying to up with that good time. Yeah. So so first of all, Laura says, can we agree that Cyber Risk evolves faster than traditional actuarial models are designed to update? Yes. Again, these are all reactive questions, and that's one of the big problems. And to Chris's point, I'm seeing questions that are too vague. You still literally ask, do you have MFA? That was what the one of the questions were. Like, just do you have it? As if, like, it's this whole wholly one tool that you would turn on and all of a sudden everything is safe now. Right? And it didn't exist in multiple places. It was just a switch you turned on, and now you just have MFA. Right? It was extremely vague because it was reactionary. Right? And Chris Travis brought it up before. Sorry. I'm looking at Chris' name, but then I'm looking at Travis' face. So Travis brought it up before, but there's the whole reactionary element. I remember Microsoft dropping that stat of being like, hey. Everyone in our ecosystem would have seen ninety nine percent drop in cyber attacks if they just enabled MFA, and that's from a report in, like, twenty sixteen or something. Right? And that was specific to Microsoft. So Microsoft being like, if people enabled MFA within our ecosystem, we would see a very a very large drop in cyber attacks. And then carriers saw that stat, and they're like, then everyone should have MFA. So they just started saying, do you have MFA? Right? It was this reactionary thing without understanding the thing they were asking first. So it's it's a progression, and it moves slower than the industry is accelerating. Are you at least seeing now that they're being a bit more targeted of do you have MFA everywhere, or is it still just do you have MFA and I could have it and be like, yes. Nobody else has it, but I have it. Like, are they getting a bit better with the questions? Yes and no. There's there's fifty plus carriers out there with unique applications. Some of them still have, do you have MFA? A lot of them have moved to, do you have MFA on all email address excluding service accounts? Some of them have it. Do you have MFA on all remote access both locally and remote? So or admin access both mow locally and remote. So it's it's evolving. We've got our own hybrid version that asks all the right questions and has spots to actually, fill in and talk about what type of multifactor you have. So it it varies. It depends. I think the big issue Travis Travis identifies this a lot too, and I really appreciate. But one of the biggest issues with cyber insurance too and major pain point to MSPs is that they're not just filling out this attestation one time. Like, you have to do it every year. And it's it's like, Carrier, don't you have this on date on file already? Can I just verify it? Like, do I have to really fill this out again? And that I get it. On the one hand, some m MSPs come up to me like, I use it as a sales tool. Like, maybe I can upsell my client. I'm like, that's great. But wouldn't it be nice if it was already prefilled, and then you could look at the stuff they didn't have? And then you could be like, hey. Maybe I should try to upsell them on those things rather than having to fill it all out again. Like, it's that kinda there's just there's just these outdated procedures where it's like, why is the carrier sending me a blank application at renewal time when they already knew what I had last year? At least give me that. You know, it's just that kind of stuff that just continues to make the process slow and annoying. Yeah. That make I feel like maybe an update would make more sense than having to refill it out every single time. But yeah. But And there are again, it depends. There are carriers that just say, can you confirm if your revenue changed? And if you've done anything different in your security compared to these answers from last year? Those carriers do exist, but there's, like, three of them. And there's fifty of them that say, fill out this new application, please. Becky, I don't know I don't know. I I feel like we're hijacking your conversation a little bit, so I apologize. This is how it goes every time. I have these guys on, and it's my favorite. I do want dress something Sheila said. She said it twice now that carriers use these applications to deny claims. I don't know if that's true. I'm gonna push back on that one a lot. Only because they don't they don't look at those apps as an opportunity to deny claims. Carriers don't want the bad publicity of a denied claim. Like, that's really important. Like, if you if you think of it, travelers there's that story that Wes Spencer used to tell all the time from, like, twenty twenty one or something that was travelers specifically, and that literally became like this standard that Travelers denies cyber claims now. Right? And now everyone just thinks Travelers doesn't wanna pay claims or they did for a while. And it does create a very bad perspective for the the carrier. And, I mean, Travis could probably attest this more because he actually helps a lot on the claim size or slide at our company, but carriers are pretty pretty stinking awesome at working through claims. And I actually have a couple of friends who are underwriters, and they're like, look. Like, we're not actively trying to deny claims here. Like, we're probably gonna pay them out most of the time anyway. There may be some negotiation that has to go on because forensics comes in and it's like, well, this is clearly a misrepresentation of your security posture. But like, there are if there's also the reality that even if this did go to court for some reason, if cyber insurance applications are as vague as MSPs tell us they are, courts almost are always gonna side with the insured due to vagueness of language. Right? Like, that's just the reality of the situation. Like, if if you have a vague if you have a vague language and they said something like, hey, you do you have MFA? And to Becky's point, well, I do have MFA. So I said yes. But nowhere else is there MFA, but the only question on the app was do you have it? Right? That's extremely vague. So where's that gonna go? You know, like, how is that gonna play out? And I I do think it's really it's really important to, like, understand that carriers aren't actively looking to deny claims, but they are offering things like MDR because they wanna limit how much they're paying out in claims. That's really it's organized gambling. If Reid were here, he would say, it's organized gambling. That's his favorite phrase. That is his favorite phrase. I so I want to address the thing that Sean just said in the chat here just because I would like your opinions on this. I was told by our lawyer that the MSP should never fill out the form. We should only meet with the client to review it and have them complete the form. Yes, no. Should MSPs be filling out the forms for their clients? I'm not a lawyer. That's where I'm always gonna go with that. Yeah. I'm not a I'm not a lawyer either. There's a reason your lawyer said that. What I found is MSP should never attest. They they should not be the ones that sign the application. Or Brian just said it. Yeah. Brian just said it. And say that it's it's their their right. It's the business owner needs to attest that that stuff is true. Now the best practice is probably to do it with them. That's what I would advise. Set up that meeting with the insurance agent, with the business owner, and yourself, and go through it together. If if you guys know Wes Spencer or Alex Farling, they will tell you this is a great QBR opportunity and an opportunity for you to have a touch point with a client. So you could theoretically get that form and say, hey. Filled this out, but I'm not gonna sign it for you. I mean, I don't know if that's right or wrong because I'm not a lawyer, but I do know that MSPs who say, I really struggle with sales, have a good opportunity once a year get in front of a client and say, hey. Let's have a conversation about your security posture. Let's we you have that application. You brought it to me. I wanna help you fill it out, but I'm gonna have you do it, but I'm gonna tell you what you have. Right? Oh, but I'll also gonna point out some things you don't have that I really recommend you should. So now this becomes a sales opportunity for the MSP as opposed to just an annoying chore that shows up at your desk every year. But I also have to believe that not you're on the say on the flip side of that, not letting or not having your customers fill it out on their own because they might say that they have MFA everywhere, not realizing what that really means. Like, they could be committing to things and putting things down that they do not have and have no intention of adding to their stack. Yeah. And, like, one thing that I I am guilty of, I used to be that retail agent. Right? I was the one that would go to the MSP and say, hey. Can you help me fill out this client, this client's security? I mean, good on you for actually going and communicating with the MSP because I don't know if enough agents are doing that. But what we found that was most effective was that that situation where we have the agent, the business owner, and the MSP in the room, The agent is the one filling out the application because it's their application. Once it's done, they hand it over to the insured to sign it, and then it moves on. And the MSP is there to provide guidance, And I think that's a great way to do it. And if you can set that up with an agent, right, that relationship is not only you and the the customer, it's now you and the agent. That agent has a lot of customers. And when they see you see you approaching it the right way, as those other customers start to need that cybersecurity, they now have you in mind because they've worked well with you in the past. Oh, I like kind of a good symbiotic relationship there to get some referrals and to alright. That makes I I started and built my career on that relationship, right, with multiple MSPs. I mean, I was I was the agent, but I had clients with many different MSPs, and all of those MSPs began to know me as the guy that asks the security questions with them in the room. Not every insurance agent can be Batman in their off time, though, Travis, and have the technological understanding of a multibillionaire who hides in a cave. This this chat is spicy. I'm getting kinda sidetracked here. It's a good time. I I know. I keep trying to read it and come back and pay attention to what everybody's saying. So with our last because we only have about ten minutes left, and I wanna make sure we get to this part too because I think it's really important. What do you see in the in my notes, I have it that we called it the warning of looming hard market. What are you reading the tea leaves? I've talked to a few folks that are like, yeah. You know, you can pretty much get insurance at any state in your security journey at this point. You're gonna pay more, but that nobody is uninsurable. Do you think that trend continues, or do you think that we are setting up for a change? I mean, I could think it'd be helpful to find what an insurance soft and hard market really means. And in the soft market space, it is kinda what you said where carriers are really competing for business, and most are willing to write risks because they're saying, hey. We need to build up our book of business and putting it really simply. It's like, hey. We need to show that this is tangible. We can write this business, whatever. You wanna do a hard market. Everything clamps down. Right? And it gets real this is what less like the post COVID was the hardest the cyber market has probably ever been, at least on my understanding. So it's kinda that point where it's like it clamped down so hard that you were either seeing forex on your renewals or just straight out being non renewed by carriers. We had there were there were plenty of times during the hard market times where I would go get a quote for a client and the quotes from carriers would expire within like thirty to forty five days at the time. And the client would take their sweet time with the agent trying to get everything in. They'd come back, and it'd be, like, two days after the quote expired, and the carrier would be like, yeah. Our appetite's changed. We're not writing that anymore. Like, just straight out done. Like, within thirty a month. Like, at a month at a time, they would go from, we'll write this risk and the price is pretty good to flat out declining to write it. And this was happening that's that's hard market territory right there. Whereas, like, in the soft market world, pretty much you're gonna get pricing and you're gonna find someone who's willing to write the risk unless it's extremely difficult, and then you have to go to specialty markets and do all this crazy stuff. But that's kinda just wanted to give that kinda overarching concept. But, Travis, what are your thoughts on, like, the the looming hard market? Because you're the guy who's in the carrier's faces all the time. Yeah. So right now, we're in a weird spot because there is so much potential. Right? There are a lot of SMBs that have no cyber insurance whatsoever. So there's a large chunk of the market that's still out there, that's still ready to buy cyber insurance for the first time. They've never had the security talk. There's still a wide open risk. And right now, they're they're kinda hanging out there because it's, you know, it's another expense, and they're not really ready for it. So carriers on one end wanna grab as many of those as they can. Because as this market starts to become more mature and starts to harden a little bit more, all of those could create massive profits down the road. Again, insurance companies are out to make money because that's how they pay claims. So they're they're trying to get as much of the market share as they can because there's a whole bunch of it out there. So there's artificially softening the market. They're lowering these prices to gather this market share. Now this looming hard market is coming because this year I mean, I don't know if you guys felt it, but I felt a massive increase in ransomware claims, stupid ransomware claims. Even ransoms where they are not even asking for a ransom, they're just deleting the data. Right? They're just they're being malicious. And as as those claims go up, you start to feel that hardening again. Will referenced twenty twenty one, twenty twenty two. My average, renewal was up two hundred and eighty percent. My book grew massive because of these huge renewals that were just doubling or tripling in price. I had a massive m massive manufacturer. They spent hundreds of thousands of dollars every single year in security, and we're always the at the bleeding edge of what is best in security. During that time when everybody else was taking the two hundred and eighty percent increases, they had a five percent decrease. And I think that's what we're gonna start to see is those customers that have been proactive and have a mature MSP that is doing the right things and documenting it and planning, they're not going to feel that hard market. The people that are just getting in this year and are learning what MFA is didn't know the difference between EDR and MDR, they're gonna start to hurt. They're they're they're gonna start to see those increases. I just had one in the health care industry, a hundred percent increase because they didn't have any sort of advanced antivirus in place, whether it be an EDR, an MDR, next gen antivirus. Doesn't they didn't have anything. They already saw a hundred percent increase. With that same carrier in a very similar so I went from a cardio or cardiologists to a nephrologist, so very similar in risks. The nephrologist saw a flat renewal with the same carrier because they had everything in place. So it's Wow. Yeah. I wanna It's coming. Yeah. But I wanna that that's we've seen a lot of comments about, like, hey. I wish carriers would say if they had these security controls, would bring their cost down. Something we've heard for the past almost, I guess, seven years now. It is that is a a pipe dream. Honestly, it's it sounds like it's this really ideal thing. Right? Because we're looking at our personal policies. I'm like, hey. If I have if I have sprinkler systems, I'm gonna get a discount. If I have daytime running lights on my car, I'm gonna get a discount. Guess what? I can go out and buy daytime running lights on Amazon and install them myself, and it's super cheap. Getting MDR on all my endpoints, that's not necessarily super cheap. Right? When you maybe it is, but, like, what I'm trying to get at is, like, you've got you you have to justify the premium reduction enough to say that putting this tool in place is worth it because you're gonna see enough premium reduction, that can't be our sales tactic. Because this exact thing that Travis is bringing up, the hard market concept, it needs to be more about this cyber resilience concept to say, look, a hard market is looming. And if that hits and you don't have good security, we don't know what security is going to save you money. But if you have good security, if you have a good posture, you're gonna know you're gonna find coverage a lot easier, and you're going to find the best options for that coverage because you're the best risk. Right? You're what you're trying to do is reduce the risk enough for your clients that a carrier is willing to say, I'm willing to take on transferring the rest to me. Right? That's what insurance is all about. So if the MSP can reduce the risk enough and a carrier in a hard market sees that, they're like, that's a good risk. I want that. That's the place you want your clients to be. Right? So in my mind, that's the that's the thinking concept that we need to go into because that's the other point that we bring up a lot is, like, Yukon's a cyber insurance wholesaler, so we have access to a ton of carriers. But your typical local agent has access to, like, two or three direct, maybe five direct, six direct if they have if they know where they're going in the cyber market, a couple of them. But the reality is, like, the more access your your agent has to a carrier market, the more options that are gonna be available to them. Right? Like, if if you're going to your agent, they don't know anything about cyber, and there's like, well, we do Travelers, and we do Chubb, and they do the ones that every agent has access to. That might be the best option for particular clients, but it might not be the best for others. And that's where, yes, reduction in premium. But we've even seen carriers that, like, do offer reduction in premium for security controls, but other carriers who don't necessarily still come in with better pricing options. Right? So it can't just be a reduction in premium because cyber is not unified enough across the carrier market to say a particular control is going to solve everything. Well and I don't wanna I don't wanna get caught up in price because that's a race to the bottom. What we're what we'll be talking about with the hard market is eligibility, the ability to qualify for these superior products. There's always going to be somebody to sell you a piece of paper with cyber insurance on it, but the ones that'll actually pay the claims, the ones that are will actually work with you, those ones will be an eligibility issue, not necessarily a pricing issue. Yeah. I mean, I just I just posted a video on LinkedIn earlier this week of some carrier language we found in some policy that was competing, and I went through it. And it was literally saying things like, if you work with an MSP, you're required to help us potentially sue them if there's an incident. Like, it was this language that was really harsh. And I was like, this is and my my whole point in the video was like, if you are working with an insurance carrier that is actively tell like, were providing their own MDR product, but then they said, if you go and outsource your cybersecurity and there's an incident, we may sue them and you're required to help us. And it's like, so, hey, buy our product, but also if you go and get any other security, we may end up suing the person who provides you that. Like, that that isn't about cyber resilience. That scares me. So that's where I'm looking and I'm saying, I wanna work with carriers who are actively looking to protect my business and also are looking to take on a risk that is good. Right? Not just blanket risks to to to do stuff. Sorry, Matt. I really can't get into that. It's just a personal thing for me. But if you wanna watch the video and then Google some of the stuff that's in there, you're totally welcome to. That's Let AI help you with that. So what I'm hearing, just to kinda wrap up because, jeez, guys, we're at time already, is that It used to be an hour. Know. It did used to be an hour, and that's actually a good segue into the next point. But I think what we're hearing is that just like the last time I had you on over it's a little bit over a year ago, which is crazy. MSP should still be an active part of this conversation. They need to find a specialist broker who understands their business and the cyber insurance business to work with to get the multiple options. I believe in the resource tab, there is a way to get ahold of Will to talk to an expert broker and and to have some access to that. But beyond that, continuing to be an active part of these conversations with your customers. Yeah. Well, do we have another webinar coming up that we can extend this to? Yeah. That's in the that's in the landing page we sent to Huntress. We get we actually didn't get any questions about it on this, and I'm very surprised. So we often get a ton of questions about tech e and o from MSPs and be like, well, what about my business protecting myself? So we are doing a webinar in January specific to that subject matter. But one of the things we're tasking MSPs with is like, hey, invite your agent to that webinar. Because we want them to know what's going on. Because there's also the reality of like, if you bifurcate your your insurance policy away from your agent and not work directly with them, your agent's gonna come and try and take it back next to you. Right? So you just create friction for yourself. So we wanna help agents understand how to write techie and O, and they can write we have some special programs they can write through us. So invite your agent to that webinar too. It could be a really good time. I love it. So Great. Thanks, Travis. That's a terrible title. So my ask of everyone in the audience, you received an email today from, I think, it's Huntress fireside chat team at Huntress. Look into that. What we did this year is we created kind of an end of the year survey for you about fireside chat. I'd like to hear your feedback on what you thought we did well or could have done better this year in previous episodes. There's also a section in there to get yourself registered for next year's series. We are gonna do a whole new registration process for next year. So if you just like to be auto enrolled, you can click yes in there, and we'll get you registered. My biggest ask of you, though, is in there is also a section on what topics would you like to see next year. All of these topics are selected by me. It's usually something I want to learn more about, but I know that you have things that I'm not covering yet, and I would love to get your input on what you would like to hear. So please go fill out that survey. Let us know what you think, and give me some topic inspiration, and we'll get that included for next year. Thank you so much for joining. Safe travels for those of you traveling for the holidays. Otherwise, we look forward to seeing you again in January when we talk about the great stack audit. I'm gonna have a few experts on talking about how they rationalize their tool stack. So thank you so much, and, we look forward to seeing you again in the new year. Will, Travis, thank you. I always learn so much every time I have you on. Appreciate it. Fun. Thanks, Becca. Awesome. Thank you. Thanks, everybody. Bye. Thank you, guys. It was awesome. We didn't get through most of the outline, but that was awesome. I know. We could do another one.
See Huntress in action
