What is aggregate risk? 

Aggregate risk consists of an in-depth analysis of all individual risks an organization faces, adding up to the total amount of exposure to your organization. These risks could be an entry point for a much larger threat, and an attack to one system could be an attack to all systems tied into the ecosystem. We have seen this happen with Solar Winds, Kaseya, and other recent cyber-attacks. These events resulted in carriers relooking how they place coverage, and many are declining certain coverage to their existing insureds (see our article on Lloyd’s of London).

Why are carriers concerned? 

With increased cyber risks, insurance carriers are especially concerned when it comes to aggregated risk. These vulnerabilities can often be overlooked and underestimated by companies, but carriers know the risk they pose to them both. Insurance underwriters typically look for aggregate risk before placing coverage. Many underwriters are beginning to map aggregation to develop the most complete and honest idea of a company’s security posture.  

What does this mean for MSPs and those providing tech services to a large number of customers? 

MSPs and those offering tech usually have a large customer base and direct access to customer data and networks, making them a popular target for attacks. This also means insurance carriers will closely inspect their aggregate risk before offering coverage. These companies especially need to pay close attention to any vulnerability or weak spot in their security.

MSPs and MSSPs should maximize detection capabilities by ensuring log information is properly preserved and aggregated. Be sure to prioritize backups based on value and operational needs, as well as develop and test recovery plans to be prepared in the event of an attack. Use access controls with MFA and develop incident response plans to mitigate the spread of an attack.  In general, service providers should maintain strong operational controls and monitoring systems and review all contractual relationships. For guidance and examples of risks to identify, understand, and manage, CISA provided a guide on Mitigations and Hardening Guidance for MSPs.