
How Password Management Helps MSP Customers Meet Common Cyber Insurance Requirements

Shireen Stephenson. Published April 24, 2025

MSPs: Are your small business customers struggling to get cyber insurance? With premiums rising and policy terms tightening, cyber security insurance for small businesses has become a minefield. 

With 47% of all claims linked to identity and privilege compromises, 40% of insurers are now requiring least privilege access and other identity-focused controls. Businesses that fail to comply face higher premiums or a loss of coverage. But what if the key to slashing cyber insurance costs was hiding in plain sight? 

This is where password management comes in.  

In just a few moments, our cyber insurance guide will provide tips on how you can help your small business customers meet cyber security insurance requirements and qualify for coverage. 

Cyber insurance for small businesses: The terrifying new reality causing skyrocketing premiums  

But first, let’s talk about why premiums are high. 

According to the ITRC Annual Data Breach report, the number of data breaches increased from 419,337,446 to 1,350,835,988 in 2024 – that's an unprecedented 211% increase from 2023. 

The increase was due in part to five “mega” breaches: 

  • Ticketmaster Entertainment (560,000,000 victim notices) 
  • Change Healthcare (190,000,000 victim notices) 
  • DemandScience by Pure Incubation (121,796,165 victim notices) 
  • AT&T (110,000,000 victim notices) 
  • MC2 Data (100,000,000 victim notices) 

The top two factors driving the rise in data breaches? Generative AI and supply chain attacks.  

Supply chains consist of a vast network of vendors, partners, and suppliers - compromising just ONE weak link provides access to multiple organizations.  

Between 2021 and 2023, supply chain attacks surged 431%, and the trajectory is expected to continue in 2025. Meanwhile, generative AI is enhancing the sophistication and scale of identity-related phishing attacks. 

As a result, cyber insurers are raising premiums and exclusions to achieve a balance between income and claims.  

And that’s not all: your customers can expect to see more provisions addressing the risks of generative AI, with coverage granted or rejected based on how they meet insurer expectations in handling AI-based threats. 

Cyber insurance for small businesses: A simple but powerful defense against financial loss 

As you know, cyber insurance (also known as cyber liability insurance) offers financial support after a data breach. Your customers may need either first-party coverage or third-party coverage - or both: 

  • First-party: Covers your customers when breaches occur on their own networks. This includes lost income due to a breach, recovery of lost data, forensic services, legal counsel, and penalties related to the breach. 
  • Third-party: Covers costs for lawsuits related to a breach, regulatory fines imposed by government agencies, and claims brought by third parties for privacy violations and intellectual property infringements. 

If you have any customers in the IT sector, chances are high they’ll need both first-party and third-party coverage. 

According to CRI’s 2024 State of Cyber Readiness report, business continuity disruption and financial losses represent the greatest risks SMBs face after a breach. The average data breach cost for businesses with fewer than 500 employees is $2.98 million. 

For most small businesses, this is too steep a financial burden to bear. Combining both first-party and third-party coverage is no longer optional. It’s a critical safety net for SMBs, ensuring they’re protected against devastating financial losses from operational disruptions and legal liabilities. 

Below, our cyber insurance checklist shows you five (5) easy ways your small business customers can qualify for lower premiums and better coverage. 

The five (5) easy ways your customers can reduce cyber liability insurance costs  

In today’s volatile threat landscape, it’s not a matter of IF your customers will be attacked, but WHEN. 

With premiums more than doubling over the past five years and expected to double again (reaching $29 billion by 2027), here are the top five (5) ways your customers can beat the odds to qualify for coverage. 

#1 MFA (multi-factor authentication) 

MFA has become non-negotiable for cyber insurance. This simple yet effective measure can dramatically improve the security posture of SMBs and help them secure more favorable premiums and terms. Be sure to recommend FIDO2-based MFA, approved by CISA and offered by LastPass.

#2 A robust incident response plan 

Having a well-documented incident response plan (IRP) demonstrates proactive vigilance. Insurers are more likely to offer coverage to businesses that demonstrate they’re actively prepared for potential incidents. 

And the best part? Your small business customers needn’t start from scratch in creating an IRP. CISA offers a FREE IRP roadmap they can reference. 


#3 PAM (privileged access management) controls 

A massive 95% of businesses have had to implement identity-focused protocols like privileged access management to maintain or obtain coverage. 

PAM can help your small business customers align with the principles of least privilege and just-in-time access. The first grants users just enough access rights to perform their job functions. Meanwhile, the second grants access only when needed and for a set time.  

These principles reduce the risks associated with privilege escalation, unauthorized access, and insider threats. 

PAM also helps organizations comply with industry regulations by providing centralized management of privileged access. This assures insurers they are taking proactive steps to protect their most critical assets. 

#4 Regular security audits 

Many insurers are now requiring evidence of regular security audits to assess and improve an organization’s security posture. 

By meeting these audit requirements, your small business customers will dramatically increase their chances of qualifying for coverage: 

  • Ensuring essential security controls such as MFA, data encryption, and endpoint detection are not only implemented but also functioning as intended 
  • Assessing IRPs (incident response plans) to ensure they are sufficiently robust to address emerging threats 
  • Implementing third-party risk management to ensure risks originating from external partners are minimized 
  • Maintaining up-to-date documentation to provide proof of compliance with regulatory standards 
  • Implementing continuous testing of backup and recovery procedures to provide proof of operational resilience 

#5 Employee security training 

Humans remain the weakest link in cybersecurity. A joint study by Tessian and Stanford University Professor Jeff Hancock found that 88% of data breaches are caused by human error. As a result, many insurers (81%) are now demanding security awareness training as a condition of coverage. 

By implementing people-centric awareness training, your customers show they’re actively working to reduce risks caused by human behavior. 

Ultimately, putting people at the center of cybersecurity transforms employees from being the “weakest” link to being informed, vigilant defenders in a human firewall. To that end, top companies like EY are using gamification and immersive simulations to increase participation and retention.  

Your customers can begin implementing the same type of training with these five (5) FREE resources: 

  • Who is the Risk? This game was developed by the US Center for Development of Security Excellence (CDSE) and explores the risk of insider threats. 
  • The DOD (Department of Defense) 2025 Cyber Awareness Challenge. This game reinforces best practices to protect classified, controlled unclassified information (CUI), and personally identifiable information (PII). 
  • PBS Nova Cybersecurity Lab game. In this game, you’ll complete a series of challenges to defend a company against increasingly sophisticated cyber-attacks.  
  • The Weakest Link by IS Decisions. In this game, you’ll learn about securing the human link in cybersecurity. 
  • Trend Micro’s Data Center Attack: The Game, an interactive, virtual experience that puts you in the shoes of a CISO at a hospital. Your mission is to go back in time to stop a cyber-attack and prevent a massive loss of lives (1). The stakes are high: Will you succeed? 

Ready for more? Check out eSecurity Planet’s top paid options for gamified cybersecurity learning.  

How password management fits into cyber insurance for small businesses 

Enhanced password security 

With the alarming rise of infostealer malware, insurers are viewing compromised credentials as a major risk factor. Password management ensures employees use strong, unique passwords for every account. 

Compliance with MFA requirements 

Many insurers (79%) now require businesses to demonstrate the use of MFA to qualify for coverage. Password management can ensure MFA is enforced for highly privileged accounts and select access levels, reducing the likelihood of coverage being denied.  

Granular access policies 

Password management allows businesses to fine-tune access rights based on roles, job functions, and other attributes.  

Insurers value tailored approaches because they reduce the likelihood of incidents and claims, making the insured a lower-risk client. 

Protection against credential-based attacks 

By blocking the use of compromised passwords, password management minimizes the risk of credential-based attacks and unauthorized access. 

LastPass: The password management solution of choice for SMBs 

LastPass provides a holistic, all-in-one identity security solution that combines enterprise password management, MFA, and SSO. 

In 2025, LastPass is once again a G2 Grid Leader for top MSP password manager, MFA, SSO, and Dark Web Monitoring. 

With these LastPass features, your small business customers can easily meet cyber insurance requirements: 

  • Secure military grade encrypted vaults to store, view, manage, edit, and launch logins 
  • Secure credential sharing on any device, without compromising privacy and accessibility 
  • Centralized admin dashboard with the ability to create customized policies and demonstrate improvements in password hygiene and overall security posture 
  • Event logs to demonstrate compliance, prepare for audits, and meet the prerequisites of qualifying for cyber insurance 

In 2023, the ALSO Group, a leading EU distributor of IT solutions, was looking for an MSP password manager they could recommend to their clients. They sought a recognizable brand with a powerful reputation in the market, but more importantly, one that was built with Partners in mind. 

LastPass stood out with its Partner-First approach, and since launching on the ALSO Group’s cloud marketplace, there has been a 200% increase in LastPass being purchased.

Partnering with LastPass has allowed us to offer our customers the best in password management solutions. Their commitment to user experience and proactive security aligns perfectly with our mission to empower organizations to stay ahead of cyber threats. ~ Raivo Reigas, European Partner Manager, ALSO Group

If you’re ready to join satisfied MSPs like the ALSO Group and build your credibility as a trusted Partner in managing cyber risks, don’t wait to contact our Partner team today. For every password, we’re your Partner.  
