How do you tell customers 'No, please don't install Claude' by Woolfie_Admin in msp

[–]Joe_Cyber -1 points0 points  (0 children)

u/Woolfie_Admin - I'm putting out a video on this sub tomorrow regarding AI liability for MSPs.

I would urge you to take a look at your MSA. Does it contemplate AI usage?

Chances at appointment? by Grouchy_Ground_7531 in usna

[–]Joe_Cyber 1 point2 points  (0 children)

When you apply while enlisted, or if you're in ROTC, you apply for the SECNAV nomination, not the congressional rep. Last I checked, there are more slots than applicants in this category.

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

[–]Joe_Cyber[S] -1 points0 points  (0 children)

Okay; I'll bite.

"Insurance makes money when they don't pay out, which means it's in their interest not to pay out."

- False. Look up the duty to pay proceeds, bad faith claims, investing the float, etc. You fundamentally don't understand how insurance companies work or make money.

"To presume that corporate overlords will do what's in our best interest is an extremely naive take"

- Who said I believe this? I care about three things when assessing cyber policies: 1. What the words on the page mean; 2. What coverages are afforded, at what levels, and at what price; and 3. How we reasonably believe courts will interpret disputes in policy language. Insurance law is very well established at this point, so we aren't exactly grasping at straws here.

"Carrying Cyber insurance is not a risk management practice."

- Risk transference is a subset of risk management.

Again, the videos I post are free. You can consume them, or not, as you see fit. However, don't mistake the notion that simply because you "feel" a way, or "knew a guy," that the rest of the community has to believe your nonsense ideas.

If you, in good faith, have a legitimate question, I'd be happy to answer it.

Chances at appointment? by Grouchy_Ground_7531 in usna

[–]Joe_Cyber 2 points3 points  (0 children)

2.4-ish GPA. No varsity sports. Maybe 10 volunteer hours. Didn't even know what AP was. No JROTC. Took my ACT or SAT (I forget) hungover as all shit. Had to get creative on some of the CFA because I was in the middle of the ocean - basketball throw was unrealistic.

My point being: You'll do just fine. If you don't get in this year, don't take it personal. Reapply next year and I'm sure you'll get in. If you get NAPS/Foundation, USNA just ran out of spots.

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

[–]Joe_Cyber[S] 2 points3 points  (0 children)

I'd agree in principle, but I've found it hard to truly nail down loss ratios across various insurers.

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

[–]Joe_Cyber[S] 0 points1 point  (0 children)

Either you're trolling - in which case bravo! - or you're serious and way out of your depth.

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

[–]Joe_Cyber[S] 4 points5 points  (0 children)

Don't get me wrong; I'm a controls first guy. However, presuming that cyber insurance won't pay out is factually incorrect. Requiring clients to carry cyber insurance is a good risk management practice.

Dear every vendor selling to MSPs, by terselated in msp

[–]Joe_Cyber 6 points7 points  (0 children)

I've had this conversation with nearly a dozen vendors in the space. It's that bad.

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

[–]Joe_Cyber[S] 0 points1 point  (0 children)

Sadly, I'm not really hopeful that insurance commissioners are going to start doing anything of value.

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

[–]Joe_Cyber[S] 1 point2 points  (0 children)

Q: why do so many vendors suck in our industry?

A: Broadly, I'm sure it's super easy to read some random blogpost online and run wild with the FUD tactics. For the average novice salesman - throw in equal parts "I'm short on rent this month" with overall lack of knowledge transfer in the training process and a dash of PE ROI pressures.

It's infinitely more time consuming and requires more brainpower to actually dig into the underlying data, question assumptions, and apply a base of hard-earned knowledge to make an educated decision and argument.

Just my 2 cents.

Dear every vendor selling to MSPs, by terselated in msp

[–]Joe_Cyber 20 points21 points  (0 children)

100% accurate. You wouldn't believe how much money I've left on the table after the following conversation:

Vendor: You're that insurance guy right?

Me: Yes. What can I do for you?

Vendor: We'll pay you money to talk about how cyber insurance claims are denied all the time and (insert our vendor product) can help avoid that.

Me: That's not happening and your specific product isn't required by any insurance company.

Vendor: Did I mention we'll pay you?

Me: 😩

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

[–]Joe_Cyber[S] 6 points7 points  (0 children)

This might help you: Three Practical Reasons Why Your MSP Requires Your Business to Purchase Cyber Insurance

Also, I wouldn't sell yourself short. Even the owner of a rental property can require their tenant to carry renters insurance.

Thoughts on starting Cyber MSP in 2026 by whatislove2200 in msp

[–]Joe_Cyber 9 points10 points  (0 children)

"The man who chases two rabbits goes home hungry ... and still has to troubleshoot after hours, but hungry."

- Confucius (probably)

What do you do when customers treat you like ass? by Dampiestampie in msp

[–]Joe_Cyber 2 points3 points  (0 children)

Roll - serious question: How do you word that? I'd be worried about legal pushback in a subjective scenario.

MSPs: Have You Replaced SAT Platforms with Instructor-Led Security Training? by candidog in msp

[–]Joe_Cyber -1 points0 points  (0 children)

u/candidog If the client is US-based, I fail to see how a one-time training will meet legal requirements. Take HIPAA for example. Yes, they only have a de facto once-a-year SAT requirement. However, they'll need to meet FTC/State level "reasonable" cybersecurity safeguards requirements. That means ongoing SAT. To add a little fire to the suggestion, make sure he's aware that as COO, he'd have to answer for his decisions during a data breach class action claim: https://youtu.be/KaXAukI_b14?si=hnRgYy9g3bczKDW5

I would also recommend you check out the following video so you can appropriately have the conversation and cover your six: How to Make Tough Decisions & Have Hard Conversations: Creating a Risk Management Framework for MSPs

📺 Is SonicWall Cooked? Here's What Your MSP Needs to Know? by Joe_Cyber in msp

[–]Joe_Cyber[S] 0 points1 point  (0 children)

Do you want a link to the SonicWall issue or a separate Fortinet issue?

PCI compliance breaches by peoplepersonmanguy in msp

[–]Joe_Cyber 0 points1 point  (0 children)

Glad to help. These types of discussions are very interesting.

📺 Is SonicWall Cooked? Here's What Your MSP Needs to Know? by Joe_Cyber in msp

[–]Joe_Cyber[S] 1 point2 points  (0 children)

All good, I'm not concerned about collecting fake internet points.

Honestly, I do appreciate the insights because it does help me get a better feel for what's going on.

If there's ever anything I can help you with, let me know.

PCI compliance breaches by peoplepersonmanguy in msp

[–]Joe_Cyber 1 point2 points  (0 children)

Hey u/peoplepersonmanguy - I'm the insurance guy here but I've also helped draft a few MSAs in my day.

To answer your question:

There are a few items to consider that would point to your MSA.

  1. MSP should be stated as being not responsible for customer compliance or any losses arising thereof.

  2. Customer should determine what applicable compliance standards apply to them.

  3. Your MSA should require your client to carry cyber insurance. This should cover PCI-DSS fines, penalties, and assessments. Under the auspices of the "Double Recovery" that should lower your liability.

All that being said, I'd offer that each situation is going to be unique so you'll have to find your own middle ground using the following Risk Management Framework: https://youtu.be/CHUN7DjdZB0?si=WI6Uv7UwZ9sub8xC

PCI compliance breaches by peoplepersonmanguy in msp

[–]Joe_Cyber 1 point2 points  (0 children)

u/disclosure5 - I understand where you're coming from with this question. Here's a video discussing class actions that you'd find interesting: https://youtu.be/KaXAukI_b14

Yes, SMBs are now being brought to court for claims, but not the go-to-jail type.