SPECTRA Blog

Telemetry and Managed Security are Critical. Insurers Still Shouldn't Own Them.

Written by Spectra | May 14, 2026 9:53:48 PM


Edouard von Herberstein, CEO | SPECTRA

Some insurers see deploying telemetry as the answer to better visibility into risk posture. Other insurers go further and advocate deploying and managing MXDR security services. It is unlikely that either will work.

I spent years on the insurance side. Telemetry only seems to have gained some traction in transportation: car insurance and trucking specifically. The logic is sound: if you monitor where, when, and how people drive, you gain precious knowledge about their driving behavior. Speed, braking intensity, frequent lane switching, time of day, type of roads, etc., are valuable insights and correlate well with the risk of an accident.

In most insurance sectors, insurers rely on third parties to monitor activity, sometimes on a real-time basis, and to deploy security solutions to mitigate the risks.

Now, in the relatively new and emerging cyber insurance market, insurers that have adopted point-in-time or sometimes continuous attack-surface monitoring (external/internet-facing) are looking at telemetry (watch the “gate”) or at managing endpoint security and possibly email security (internal) for their policyholders (watch the “gate” and post a “security guard” to respond). Those two controls (email and endpoint) are where most cyber insurance incidents occur. Assuming (a big ‘if’ in the current competitive insurance market) the insurer and the broker manage to sell and deploy telemetry or an MXDR/ITDR solution in the policyholder environment, the insurer is limited to detecting and flagging potential incidents to the policyholder (telemetry). Where the insurer decides to respond (MXDR), it becomes tricky. Killing a process can cause unintended business interruption. Deleting malicious files can cause loss of data needed for forensic purposes. Insurers solely managing an EDR and/or an ITDR solution for the policyholder will often lack context during a response to an incident, while potentially creating conflicts with the insurance policy or the MSP managing the rest of the IT stack.

The data problem

Look at how coarse and basic underwriting is at most insurers right now in terms of data input. “Check-the-box” questionnaires. Unreliable point-in-time assessments. Annual snapshots. The infrastructure to act on 24/7 monitoring of dozens of controls across an SMB client base does not exist yet. I'm convinced that if you piped all that telemetry to most carriers today, they would do nothing with it. Not because they don't want to. Because they don't have the workflows, the expertise, or frankly, the mandate to operationalize it.

And even if they did, who calls the client? Who contextualizes why a control disappeared? A patch in progress? A decommissioned server? A misconfiguration that needs two hours of hands-on work to fix? Everything points towards having a team of experts to handle those flags when they come up, contextualize them, and remediate them. That's not an insurer. That's an MSP.

The vendor stack problem

Some insurtechs have tried a different angle. Prescribe the tooling. Tell MSPs which solutions to run, build the telemetry pipeline directly into those tools, and require adoption as a condition of preferred status or better coverage terms.

From the MSPs I've talked to, this isn't landing well. They see it as a way of getting disintermediated. Displaced. Forced to use prescribed tools that don't fit their clients or their workflows. And I understand that reaction because it's correct. An MSP's stack is not incidental to how they deliver. It's central to it. A carrier mandating a tool replacement isn't offering a partnership. It's renegotiating who owns the relationship.

I don't think insurers should become MSSPs, let alone MSPs. Some in the insurance market will disagree. There are carriers actively saying they want to take over the entire security stack of their policyholders. I think that's the wrong direction. Completely. And as it turns out, many of the “cyber specialty” insurers continue to be outperformed by the legacy market year over year.

The automation argument

People will ask: What if you just automate the response? No human required. The technology handles the alert, remediates the gap, and closes the loop without anyone picking up the phone.

I'm excited about technology. I'm excited about AI-assisted response. But the idea that you can take people out of the loop entirely is likely to fail as a security strategy, at least for now. Think about leaving the best EDR solution with an SMB that has no team to configure it properly, no one to patch it correctly, and no one to review the scans and logs and respond when something unusual shows up. That's a good way to leave a lot of gaps for threat actors to walk through.

Technology and human expertise aren't in competition here. You need both. The MSP is the human-in-the-loop layer that makes the technology actually work.

Where this goes

My view on the next two to three years is that insurers will move toward partnering with MSPs rather than trying to own the security relationship themselves. Cyber insurtechs are developing MSP partnership programs as they realize that MSPs often control the client’s IT estate and security. Telemetry will stay with the MSP, who is equipped to act on it. The insurer will focus on coverage, portfolio management, and risk. The trust layer between them is a certification. Insurers can audit, inspect, and verify. They learn from MSPs about risk trends in the market. MSPs retain the freedom to choose what stack fits their clients best. Everyone in their respective swim lane. Insurers underwrite and settle claims. MSPs manage security. Everybody does what they're actually built to do.

Telemetry is critical. I've never said otherwise. But who controls it and who can act on it in real time matters as much as the data itself. For SMBs, that's the MSP. It has to be.

The SPECTRA Business Advantage Program recognizes MSPs built for this relationship. See how it works.