Vulnerability Management Blog | Nodeware

My Clients Will Not Pay for Cybersecurity Services ...

Written by Matthew K. Koenig | Sep 25, 2024 1:23:48 PM

I hear this all the time! I speak to hundreds of MSPs on a regular basis and hear that they want to sell cybersecurity services, but the client or potential client “will not listen.” 

While I have many thoughts on the topic of letting your current/potential clients decide on whether you can or cannot do the right thing by protecting them, I do have an idea (and, just like my wife would want to run when I come up with one of my ideas, hang in there for a second).

Do they have a cyber liability insurance policy?

If not, they need one and this is a different opportunity and issue. If they do, when was the last time you or they reviewed the required controls that MUST be in place for their policy to pay out in case of an event? 

You see, they are paying all this money into a vortex monthly. They have certified they have certain things in place and, yet, I am willing to bet that they have no idea what they certified, if what they certified is in place, and if the things they certified are working properly. This could be a disaster waiting to happen.   

So, what do you do? 

You ask if you can do a “no charge” (not FREE, as it makes you sound cheap) assessment of their policy. You explain the above and let them know that there is no obligation, but it is a win-win. Either you bring back information that is critical to them about what they need to do to make sure their insurance will work as expected, or you verify that everything is fine. 

What is in it for you?   

Insurance companies are getting sneaky today. When your client applies for or renews their policy, the insurance company will ask if certain controls are in place. If your client does not know, the insurance companies are now sending out their own partnered MSPs to do a review and fix. THIS IS NOT FUD! This is fact. I have spoken to many MSPs who experienced this very thing.  

By offering this assessment, you become a true trusted advisor in their eyes, someone who is genuinely concerned about protecting their company, their employees, and their profitability. Psychologically, you establish yourself as someone invested in their success rather than just trying to sell them things. 

Almost 99% of the time (unless you have been taking care of all this), you will find controls that are not in place and that would, therefore, cause an issue with the policy paying out if there ever was a breach. (And, we all know, despite our best efforts, there will eventually be one.)

If they do not have these controls in place, it now opens a conversation in a new light where you can help them fix this issue. This increases your revenue and their security, which, in turn, protects your business, as well. 

How do I do this? 

  • Step 1: Ask them for a copy of their insurance policy and review it for the controls it states need to be in place.
  • Step 2: Review the client’s environment against the controls.
  • Step 3: Call the insurance company (NOT ON THE CLIENT’S BEHALF, BUT YOURS) and find out what their policy is regarding payouts when certain controls are not in place. You state that you have run into several clients recently that are insured through them, and you want to make sure you can review things with your clients with accurate information.

    (Side note: You are also showing that you are valuable to the insurance company, which can possibly lead to a partnership with them.)
  • Step 4: Schedule a meeting with the client to review. Do NOT try and scare them. Talk to them from a business standpoint and just be matter of fact.  Tell them what you did and what you found out.
  • Step 5: Ask them what they want to do about it.

    At this point, you have, hopefully, established yourself as a trusted advisor and someone that cares about their business. This is now your opportunity to put your complete security stack in place, as it will meet all the controls. They do not need to know about everything in the stack and how it works, just that you have their back.
  • Step 6: Charge them monthly for your security services and do a quarterly review of their policy.

If you do this with clients and prospects, you take the argument out of selling them things. Instead, you provide a valuable service and establish yourself as an expert in your field and someone they can trust.

Finally, once you have trust, price increases become a lot easier as they understand that you are taking care of them and not just trying to get more money out of them. 

Try it, you might find it even works! (shrug)