Share this
dnsUNFILTERED: Dustin Bolander, Clear Guidance Partners
Mikey Pruitt is joined by Dustin Bolander, CIO of Clear Guidance Partners and founder of Beltx, a cyber insurance company. They discuss the unique challenges MSPs face when working with law firms, the importance of specialization in the MSP industry, and the evolving landscape of cyber insurance.
[00:00:00] Mikey Pruitt: Welcome everybody to another episode of dnsUNFILTERED. Today I'm joined by Dustin Bolander. Dustin is the CIO of Clear Guidance Partners, A MSP, focusing on lawyers, which is crazy, and also the founder of a cyber insurance company called Bel Tex. Dustin, welcome to the show. Thanks.
[00:00:21] Dustin Bolander: I'm excited.
[00:00:23] Mikey Pruitt: So Dustin gave me permission to drop a hard question on him in the beginning. And the question is, why do MSPs hate lawyers?
[00:00:34] Dustin Bolander: With good reason. So I tell everybody is I don't know that I would say that the good lawyers are the best clients, but they generally pay on time. They don't want to talk to you, which I think is a good thing. Get it fixed, get off the phone. The QBR that's billable hours. Yeah, exactly. So they're very efficient, let's say that very efficient with our time as an MSP. But the other part where do MSPs hate it is the software's pretty bad. One of the only industries that I've seen that's worse on software is the insurance industry, which I'm sure we'll get to at some point.
But a lot of bad software. And then the bad law firms are the worst clients. Hands down, we have a pretty strict, no screaming, no yelling rule. And we have a lot of prospects that just self-select off of that, where they're just like, what do you mean I can't yell? I'm like, yeah, that's, sorry.
That's one strike. Strike one. Yeah, exactly. So the bad law firms where they really throw their weight around, they threaten to sue, they refuse to pay that kinda stuff. I've gotten really good at screening those over the years. So luckily, knock on wood. We've avoided that for the most part. But those are the guys that the MSPs really hate.
And rightfully like those are hands down the worst. I've my old Ms. P, we had, CPAs, construction, this, that, and the other. And we had some really bad law firms I've seen it, experienced it firsthand. I get why most people don't wanna work with law firms.
[00:01:48] Mikey Pruitt: So you brought it up.
I guess as a follow up question, do MSPs steer away from insurance as well?
[00:01:54] Dustin Bolander: I've seen a handful of MSPs that go towards it. The problem on insurance as a client base, the software is awful for the most part. Everything is either super out of date or is just outrageously expensive to where very few insurance companies are buying it.
It's highly regulated, which always makes it a little bit more complicated, but that's where everybody's Ooh, it's highly regulated. I can bring expertise, I can charge more. The other part of a lot of people don't realize is unless you're a carrier insurance is not super profitable.
So it's not people are like, oh my gosh, it's printing money. You gotta have a pretty big book to print money. Whenever you go into that typical 20 person insurance agency they're probably making less than your average MSP. If you look at your usual commission on insurance is gonna be 10 to 15%.
And then you gotta pay for all your systems. You gotta pay for your people. Salaries and insurance are high. They're usually paying their people more than MSPs. So I personally for MSPs, I don't think it's a good industry to go into.
[00:02:52] Mikey Pruitt: And with that being said, you did something that I don't see many MSPs doing.
I don't know, maybe, if there's others, but you really jumped in like head first with lawyers, law firms, and insurance. Like, why did you do that?
[00:03:05] Dustin Bolander: I don't, there's, so it's gonna take years of therapy to figure that out. So the the insurance part of it actually ended up being, I had a, a couple years ago, I had a big cybersecurity vendor hire me to do due diligence on an insurance company.
Ended up getting more and more into that. On the MSP side, we started using insurance to sell, and then from that we did we ended up setting up belt text, which is my other company right now. Was a, or is a we have our own proprietary cyber policy. So it's a cyber policy. We have a big carrier partner that is backing it.
It's on, their paperwork, that it's not Dustin's bank account that's covering the claims and stuff. But and then whenever the parent company recently sold as part of that transaction that me and my business partner were just like, Ooh, we'll take Tex. The new owners just wanted to sell other people's stuff.
It was a distribution play. That's how I ended up I don't wanna say accidentally owning an insurance company, but basically.
[00:04:00] Mikey Pruitt: Let's talk about accidentally for a minute. I think I've heard you say something along the lines of, MSP owners are pretty smart and crafty, and with enough time and Googling and possibly ai, now they could figure most things out.
Yeah. So I assumed this is what you did when you went into the insurance business, yep. You're that crappy, intelligent individual. You saw a need. But where do you think. MSPs should really direct that skillset, kinda like you did for insurance. Maybe it is insurance, maybe it's something else.
[00:04:32] Dustin Bolander: Yeah, so with all the acquisitions going on we're seeing that it's buy buy, and there's all these big, super giant nationwide MSPs, things like that. I think it's gonna become, you're gonna see the industry split into three buckets. And I am answering your question. I'm just taking the long way to get there.
Sorry. Yeah, I do. But you have the big, huge MSPs, so grow to a certain size, sell to the big guys, they're gonna service everybody and anybody. You're still gonna see a ton of the one man bands, the mom and pop shops that are made, three, four employees at the most. Those guys will always be around.
If you go look at any other industry you have lawyers, accountants, things like that. There's certain times where it's man, I just wanna, I wanna talk to the owner. I wanna work with the owner. So those guys will not go away. So what does that leave us though is we look at these MSPs that are, say, five to a hundred employees.
What is the use case, I guess is a good phrase for it, for those size. Those guys are not gonna be able to be generalists going forward. So I think for that niche to be able to have sustained success as a business, you're gonna have to have a specialty an expertise. We do really good Qs, we do good customer service.
We have automation, like that's not gonna be a niche. We do automation for HR and we can audit, fully automate your onboarding and offboarding of your employees because you're in construction and it's high turnover. Okay, that's a cool niche, right? Yeah. In our case, a couple years ago, we bought a company that does back office services for lawyers.
So whenever I go in, that's still only about 10, 15% of our business. Whenever we go in and we talk to these law firms and say, we can do your technology, and they're like, great, so and so big national company, can also, as I say, yeah, but we have actual, accounting HR specialists, ex firm admins that are sitting down the hallway from my help desk and we're able to talk to them and ask them questions.
And so I think that kind of thing, you're gonna see a lot more specialization verticals obviously is the most common use case for that. But then on the other side of it too is the. The automation piece I mentioned earlier, just general automation. No, but we know how to automate this really special part of the business.
Things like that. There's one guy that has an MSP that I like a lot that he does they know how to do the software side of it, so they sell to a lot of companies that have software development teams because they can assist with that as well. Like that. That's the kind of niche you're gonna have to have going forward to be that mid-size MSP.
[00:06:50] Mikey Pruitt: Yeah, that's interesting because that is like us at DNSFilter we've seen that firsthand, like m it's not all MSPs are suited to support a software development business. Yeah. But let me get these buckets. So you're talking about the kind of one man or few person band that's gonna be generalist.
You're talking to the owner, that's bucket one. Bucket two is these mid-size MSPs that need to specialize. And the third is just large conglomerate MSPs.
[00:07:18] Dustin Bolander: Yeah, your big ones where you have the economies of scale to be able to go in at, $150 a seat. You have really good contracts, you have really good lawyers, that kind of thing.
And you can, very good sales team. That kind of thing. It's, I don't know anything about bigger businesses like that, but generally that just seems to be, there's a formula that they can follow and it's, you got enough time and enough money that those seem to be successful.
[00:07:40] Mikey Pruitt: Yeah. So you've got your friendly neighborhood, MSP you've got your specialist, they specialize really highly in one thing. And then you've got your specialists in a large me mega corporation of things. Yep. So let's, but let's focus on that middle bucket 'cause that's probably where most MSPs will fall or
[00:07:57] Dustin Bolander: are right now.
I think that's where most of them want to go these days. Yeah.
[00:08:01] Mikey Pruitt: What do you think? There's that, finding that niche, like how do you do it and do you have any suggestions?
[00:08:09] Dustin Bolander: So the biggest one is either be really willing to learn. So one of the things with me is I always joke that I didn't go to law school, but I have an internet jd, like I love reading contracts and stuff, which is how I ended up in the insurance business.
'cause insurance is just like a ton of contracts and stuff like that. I like reading that stuff, breaking it down. So that was a natural, naturally attracted me. I know some guys that are like the manufacturing. I got a friend of mine up in Connecticut that used to be a machinist and he has an MSP now, so he absolutely loves, he has a shipyard in Florida that he does.
It's random. He's one guy, but they were just like, oh yeah, they had a bunch of weird challenges on that kind of stuff that he can speak about. So it's like we're, what are you good at? Then like, where's your passion? And I don't mean, what are you good at? I'm really good at computers.
That's not gonna work for that specialization, MSP, but oh, I absolutely love doing this. My parents did this, so I know a bunch about it. I can speak about it. I, my best friend does this, that sort of thing. The lawyer thing, my wife actually worked at a law firm. My best friend is a lawyer.
Half my friends went to law school. So that was a, the lawyers was not something I loved that was just a natural, I could speak the language, I knew enough about it to come in as that authority figure initially, and as we started realizing that we were closing a bunch of law firms, it was like, all right, let's dig in here.
So I think that's a good one, is like, what? Either, what are you good at? What do you love? If you're lucky enough that you can do both of those together, great. But don't. A lot of guys will follow the trend to healthcare is my favorite example on that, where they're just like, we're gonna be a healthcare MSP no, you gotta have a plan.
You gotta have something. What makes you a healthcare MSP besides work? Were you a
[00:09:44] Mikey Pruitt: doctor in a previous life? Yeah,
[00:09:46] Dustin Bolander: exactly. They just pick it because oh, that's a big, I can go sell HIPAA training into these guys. That's not a plan, that's not a strategy. Just on the specialization piece is, going more than surface level.
You see a ton of guys that are out there, oh, we do great qbr, we do, automation, that kind of thing. It's having something, not just speaking their language, but having something that go look at whenever I'm talking to folks and they're like, oh yeah, we're unique, like when I'm struggling is go look up your, who are your 10 competitors?
Go look at what they're saying. Are you actually saying anything different? Could you just switch those words around? You gotta have an actual unique proposition that can be delivered on that somebody else can't say, like in my case yeah, bragging, sorry. Is my competitors can't sit there and say, oh yeah, we can do your HR and accounting work as well.
Because they literally can't. I have great customer service. The other guy can say that and there's not, you can't really prove or disprove on it,
[00:10:38] Mikey Pruitt: correct. That's why
[00:10:38] Dustin Bolander: I think for the mid-size MSPs, you're gonna have to see, a little bit more or a lot, bit more actually specialization as time goes on.
'cause otherwise you're getting hit from both sides of the one man band. The mom and pop shop is gonna be able to I have 23 employees on the MSP business. I can't sit there and interact and I have the insurance business also, but I can't sit there and interact with all the customers. They're always gonna beat you on that interaction side.
And then the bigger companies are gonna be, on the technical stuff. They probably have three exchange experts on staff. They have I was talking to somebody earlier today that there's a really large MSP has a team dedicated on email deliverability only. Which was crazy to me.
It hadn't occurred to me. But they have a multi-person team that just deals with email deliverability issues SPF, DMAR and all that fun stuff.
[00:11:25] Mikey Pruitt: Can't compete Yeah. As mid-size. That makes sense. And what's cool though is you're talking about like a dream scenario where the MSP like may be forced to specialize Yeah.
In the near future. And that will certainly differentiate your MSP from others. And when you're looking for what to specialize in, start with the things that you enjoy, perhaps hobbies, like maybe you love woodworking in your garage, or Yeah. Tinkering with, remote control cars or whatever.
It's, look for companies that do that, that would need your services. Then you can live the best, like I didn't get to be a tiny motor engineer or whatever it is. Yeah. But maybe I can do it, vicariously through my customers. Yeah,
[00:12:02] Dustin Bolander: exactly. That was something else that recently had come up too, was somebody was saying, okay, I looked at my largest customers and I'm gonna go be healthcare, whatever, I can't remember.
But it's no, look at your, who are your favorite customers? Which ones are you excited to go work with, to sit in on the meetings? That kind of stuff. 'Cause your largest ones might not. Again, if you're really lucky, it's the same, customers, but which ones do you legitimate enjoy? Are you gonna be passionate about?
Versus, oh, your largest customer is, a funeral home. Like I, there's, sorry, there's probably somebody out there that's passionate about it for funeral homes, that kind of thing where it's don't just go after what you think is the biggest, but something, the more passionate you are about a business.
You don't need to be, the Excel sheet driven CEO kind of thing. Small business as a like founder. Your passion is your big thing that nobody else has been able to match that passion. So leverage that. What are your favorite clients? What's your favorite industry? Ooh, we got, two C.
I love Excel. We have two CPAs. Let's go after CPAs, kind of thing. That's a better way to do it than looking at just the raw numbers.
[00:13:02] Mikey Pruitt: Yeah, good point. Let's pivot just to touch and talk about obtaining cyber insurance at as an MSP. My understanding is that at Belt Text there's like a kind of an onboarding approval process.
Is that right? Yeah, so there's to get qualified for the. The incident response.
[00:13:19] Dustin Bolander: Yeah. So we have on our own policy one of the things that I started really focusing on this last year was if you go out and you look, there's a bunch of insurance companies, agencies, functionally, that are in the MSB channel.
Not saying they're doing bad job or anything, but if you go to these different guys that it's the same 10 policies that they're getting everybody, right? They're gonna give 'em a coalition, a cowbell, and at bay, this, that, and the other. So it's just pick who do you like the most, who has the best memes, that sort of thing.
So my thing was like, okay, what can we bring that's unique to the industry? So with our policy is I realized it's really rare that you get to do like a win. But in this case, I think we did, because let's say we're going through a claim, right? As in my MSP, one of our clients gets breached insurance comes.
It's a ransomware attack, so we have to restore from backup at that point. The traditional insurance thing has been, we're gonna bring in this elite incident response team. We're gonna pay them $350 an hour or more to restore from backups. Like guys, we got a great MSP sitting right here that manages those backups, that knows how to restore stuff lightning fast and is gonna charge you a lot less than three 50 an hour.
So that was our pitch to our carrier partner, and they absolutely loved it. So now. That situation with a belt tax policy. The MSP it's a quick approval process. It's basically making sure you're, professional you don't have to pay for a certification, anything like that. But at that point, if that MSP is qualified and pre-approved for the incident response assistance.
During the claim, the attorneys will say, okay, Mr. MSP, Mikey, I need you guys to go in and do this, restore these services. So we're bringing the MSP in side by side with the other providers for an incident to help. It gets everybody back up quicker, saves the insurance company money, gets the client recovered, and also reduces their claims costs and the MSP gets paid.
[00:15:11] Mikey Pruitt: Yeah, it's really a brilliant strategy because like you said, the MSP is already familiar with everything for that specific business. Yeah, they're sitting right there. Yeah, I think the the problem is that the MSP is now tarnished in a way, in the eyes of maybe the customer, perhaps the insurance company.
Like they have failed in some sort of way. And it's not a question of like when your if a cyber breach happens, it's when, and, there are mitigations Yeah. And risk, risk mitigation. But in reality. The attacks are coming so furiously that it would be nearly impossible to never experience some type of breach event or at least an attack.
[00:15:51] Dustin Bolander: Yeah. Yeah. And the right now we have an open claim. I'm 99% sure that it ended up being, there's a big FortiGate zero day out right now. 99% sure that's what happened. Somebody in the comment's gonna say LOL shouldn't have used FortiGate, but. Happens to all the firewall vendors, but whenever that happens, the other defenses worked.
So it's something that there wasn't even any substantial downtime. This is like a, I think the policy holder's like a 70 person company. The breaches happen. But everybody was prepared. The MSP did a great job on it, so you still had a good outcome. It is an insurance claim, but that's the whole reason you have it there, right?
The forensics team came in, the lawyers came in, all that good stuff. They'll put a bow on it and say, okay, you're clean, you're good to go. That kind of thing. But from that standpoint. There's gonna be certain cases where it's, the MSP hired some guy drunk off the street and he opened remote desktop to the internet.
Yeah, that's, those guys probably shouldn't be doing security. But in a lot of cases, like you said, it's a question of when not if stuff comes up, we reduce the blast radius, that kind of thing. I don't think the SP should be tarnished, and that was part of the reason that, I started pushing so hard on this.
Is a lot of these cases I'm not even gonna try to make up a number on it, but a substantial amount of 'em where it's this is just the unfortunate reality of it these days. The MSP did a good job. They, aren't gonna stop a hundred percent of the tax. Nobody is. And that drives me nuts on a lot of these insurance companies now that are providing security services.
It's guys, you can't sit there and say, MSPs don't do a great job, then you're selling the same MDR services that the MSPs are using. It's a little bit predatory. So I wanted to find something that worked for kind of a win-win for all parties involved. Which is where we ended up pitching
[00:17:31] Mikey Pruitt: that think.
I think you've definitely found that sweet spot. So kudos to you. I think that's a new strategy that other insurance companies hopefully will
[00:17:39] Dustin Bolander: adopt. Yeah, there's, right now I tell you it's us and a tech rug is one of our competitors, but they have a pretty similar program set up like that as well.
Unfortunately, the one thing you just said, you think or hope other insurance companies will adopt. Unfortunately what we seem to be seeing is that most of them are trying to build security services or insurance companies too are buying mssp. So that's gonna be an interesting interesting battle this year.
[00:18:03] Mikey Pruitt: Yeah, I have a family member that works at an insurance company and she asked me questions like this a lot. And last year they the software they used got ransomware, so they couldn't not now not log into, they're probably terrible business software that they use. You already mentioned that twice, like most of them are terrible.
That software got breached ransomware. They were probably down for about three weeks or they couldn't work 'cause they couldn't log in 'cause their system was out of service. And I was asking her like, so when you're providing cyber insurance to someone, do you tell, like, how do you factor that in that you guys lost, lost the game.
And basically she's we really don't. Yeah. It's because we do, we're. Pricing things on risk and our risk footprint, whatever, like we can't factor that in. I'm like, yeah, but it happened to you, so you have to assume that it's going to happen to them.
[00:18:57] Dustin Bolander: Yep.
[00:18:58] Mikey Pruitt: Yeah, basically I was pleading with her to be bit, a bit more kind.
Yeah.
[00:19:02] Dustin Bolander: No, and that's a it's a weird, the strangest dynamic to me was that if you go and you look that a insurance carrier, their customer is not necessarily the policy holder, and a lot of cases, their customer ends up being the insurance agent. So what you're seeing is Yeah. Sell through them.
Yeah. 'cause and so they have to balance on, so my biggest gripe is on our policy we mandate 24 by seven managed detection and response. It's proven statistically, like nobody pushes back. It is a great defense. So I'm like, why IST insurance requiring it? I scream that from the roofs for two years.
And what I've learned the answer is because that makes it more difficult to sell insurance. Now, again, you go down the street to the, mom and pop restaurant that wants a cyber policy. Okay, you need MDR. Mikey, what's MDR? Like, how do I get this MDR? That kind of thing. So there's a balance on it, what seems like common sense to people in security like you and I.
On the insurance side, like they have to walk a fine line of not making it too difficult to get because the small business doesn't understand what's being asked, and then the agent doesn't understand what's being asked. So while you could have a lot better controls. Realistically nobody would be able to buy insurance 'cause nobody would know what was being asked or how to explain it.
[00:20:17] Mikey Pruitt: Yeah. Or they just start doing Ms p like services themselves. Yeah. Yep. Which is, which you're seeing also. Yeah. So you were let's say a customer comes to you and they have an MSP and you need to vet this MSP, how does, how do you go through the, that step to qualify them as being. Capable of managing your customer's insur, yeah.
[00:20:39] Dustin Bolander: Your insurance policy. We're looking for a couple different pieces. The first one is we're insurance. Whatever you wanna say that, as insurance is, insurance does kind of thing. We wanna see that they have a good insurance policy for the Ms. P. That gives us a great baseline to say.
It's that in the same sense, do you have multifactor turned on? If somebody's no, I don't use multifactor right away you're just like, oh my gosh, these guys are dumpster fire.
[00:21:01] Mikey Pruitt: That's like step one. Like step 1.5. Yeah. It's like password manager, MFA, like bare bit of money. Yep.
[00:21:07] Dustin Bolander: So from that standpoint, if an M MSP doesn't have insurance, then okay.
Huge red flag. Like we don't even want to talk to you. And then past that, we're looking for some technical staff. Some basic security controls, but then one of the big ones that we need for them to be a partner is that during a claim during, any kind of incident really is having a decision maker available.
So you'll see these MSPs to where, it's the owner and then 14 staff with no decision making ability. We can't be working with those guys because we gotta have somebody that's on deck. I need to go look at the form. I believe we actually require that somebody's available 24 by seven during the claim.
At 2:00 AM if the forensics people are doing something, they need to talk to somebody at the MSP to make a decision that they have a direct line to a person to be able to call them. So that was one of the pieces as we put this together. And this was probably about 18 months of work. It was not, nothing in insurance moves quickly, but that was actually one of the biggest pieces.
So we, sat down, worked with several of the incident response firms that insurance uses. I went to all sorts of fun insurance conferences, stuff like that. That was one of the biggest pieces was just the, some of the MSPs, whenever a claim is they're trying to be involved, but then it's, a tier one help desk person who has no authority and also honestly shouldn't even be involved in the first place at that level.
So we wanna make sure that there's a good senior resource available that has the ability to sign off on changes. So that's one of the big pieces. And we actually see a lot of MSBs that are just like, oh the owner Eric can do that. We're like, all right, great. Who else besides Eric though?
We need somebody, you gotta have some designated contacts for. Again, when not if this happens.
[00:22:44] Mikey Pruitt: Yeah. Plus you would need, someone who can make decisions and someone with the technical capability to access certain systems. And that's not always the same person. Yep.
Hopefully not person. Yeah. Hopefully not.
[00:22:54] Dustin Bolander: So yeah, we're looking for some stuff like that. And then the other part is they do need to be on for the, so we do have to have that relationship between the MSP and the customer still, right? They do have to be under an active managed services contract.
We're not gonna let the MSP participate if it's an hourly agreement where the Ms P hasn't even touched the company in four months. That doesn't help anybody. So we do require an active, monthly managed services agreement to be in place for that MSB to assist.
[00:23:21] Mikey Pruitt: Yeah, that's actually really good though.
You're encouraging best practices for the MSP through other customers, and that was my
[00:23:27] Dustin Bolander: thing. Do you guys have to if we get, 1% of the market, I'll be perfectly happy with that. This isn't a mass market play. We're not trying to, solve the problem for everybody. We wanna work with just those security conscious MSPs and then the kind of more security mature small businesses.
[00:23:42] Mikey Pruitt: Do you guys have to get into like the tooling recommendation space through your insurance company?
[00:23:46] Dustin Bolander: Little bit. I didn't want to, one of the biggest complaints that I see is let's go back. We talked to MDR right? To where, okay, you go down the dropdown and you're like, oh, it's Alien Vault and CrowdStrike, and, Cylance, and you're like, I'm an MSP.
It's like a pick list. Yeah. Where's the Black point that Lumens the TRE is? So we're vendor neutral for the most part. There's a couple of 'em to where it's oh, that's not really an MDR. We can't accept that. I'm not gonna publicly go into the blacklist of those, but no, for the most part it's pretty open-ended because we did not wanna be sitting there dictating the technologies in use.
And I get on some of these with the insurance, if they're wanting to go we're gonna sell $200 million of policies. You gotta be a little bit more. Curated on that side. Our argument and what has been borne out so far in our statistics has been that, we're gonna set a much higher baseline than anybody else.
So that will naturally going in, seeing that you need to have email encryption, you have to have 24 by seven MDR, so on and so forth, right? You're not gonna see very many folks that come in with half baked solutions, half implemented solutions just to be able to check all those boxes to even qualify that they're.
Generally, not everybody, but most of them. It's like, all right, these guys are pretty solid.
[00:25:01] Mikey Pruitt: Yeah. So I'm sure your MSP background and your tech background help a significant amount for you to vet the tools that you see that are in play at people you're trying to
[00:25:11] Dustin Bolander: ensure. Yeah. At my business partners professionals, CTO, ciso on the cybersecurity side of software side of things.
So we're I, I. To brag on that, that, we're the only insurance group in the channel that's actual practitioners that's not coming from the insurance world. So yeah, I feel like we have a pretty good grip on it.
[00:25:31] Mikey Pruitt: I've heard you talk about standalone cyber insurance policies and it seemed like you had a very IES.
Yes. Standalone cyber warranties. Can you tell me first of all, start with the difference? 'cause this was a new term for me.
[00:25:44] Dustin Bolander: Yeah. It's, this is definitely, this is the spicy part of our interview. So the warranties, you got two different kinds that there's the embedded, which is something like Sentinel One is my favorite example.
'cause you can go look it up. It's fully transparent online. By using Sentinel One, you get access to this warranty. It'll pay out like a thousand dollars per endpoint if there is a breach and you had it configured correctly. I see it's a cherry on top, maybe it helps cover part of your insurance deductible, things like that.
The other one though is the standalone warranties. So this is a type of insurance. It's interesting because a lot of times their marketing that they talk about how they have reinsurance behind it. It's not insurance, but it does have reinsurance. Guys, come on, it's your call is spade.
But it's a a micro policy in a lot of cases. Typically lighter underwriting but also substantially less coverage. So there's one out there that you can get where it's oh, we provide instant payout. It's a $5,000 Visa gift card. So not nothing, but it's, that's a big difference versus, a million dollar policy.
One of my favorite examples, this isn't one of our policies, but it's almost like a competitor, but coalition you've probably heard of. They're huge. A lot of their policy languages pay on behalf of, so it's not the warranty guys will talk like, oh, insurance. You're cutting these huge checks on a coalition policy.
The majority, if not all of it, during a claim is paid by coalition. And at the end of it, they're just like, Hey Mikey, your deductible is 10,000 bucks. Here you go. So real world. That's the whole cyber warranty thing of we pay out instantly. That's not actually something in most insurance claims to even be a problem.
So that's where my, my, I don't know, whatever you wanna call it, conflict. My distaste of it is like the reality versus what they're saying is not necessarily accurate. But then the benefits piece of it, I mentioned earlier, the coverages aren't as much, so you're seeing a lot more narrow of on business interruption.
There's limits, there's smaller limits on certain things that are in the fine print. Insurance is too, but it's at least a little more standardized on that versus the cyber warranties, anybody can sit down, put some money behind it. It's less regulated. I think there's still a good use case for it.
The example I always bring up is, say you're doing retail, you got a five person retail location, like that's probably a good one for a cyber warranty because they don't need, they have two point of sale terminals, they have email on their phones. There's not a lot there to, have a full compromise from a standard policy.
But as soon as you start going up to where, there's you're pan. I think $5,000 for like a half million dollar warranty. Our average price on our belt tax policy is under $4,000 for a full million dollars in coverage. So there's just not a lot of good use cases for these warranties. And then putting my MSP hat back on, I tell every MSP that wants to sell these, call up your insurance carrier, ask them what will happen if one of these warranties fails and your client comes after you because you sold it to 'em. You can't just sell somebody and say, yeah, I'm hands off. And all the carriers that we've talked to have said you would need either financial services coverage or the one that made me laugh would be they say you need insurance agency coverage for us to be able to handle that.
So it's just putting the MSP at risk for, it's a cool marketing thing, but to me that's pretty much all it's a cool marketing thing, real world. It's not good for your customer. It's not good for you. The MSP, it's probably not gonna pay out. As much as people make fun of insurance for not paying out the warranties are 10 times worse.
One of the big companies bragged about that their warranty had never been paid out. They were trying to talk about like how great their security was, but I was like, terrible.
[00:29:23] Mikey Pruitt: Sounds like you just have a good legal team. Yeah. And actually that did that, the phrase reminds me of product warranties.
Yeah. Which are notoriously difficult to actually collect on. Yep. Like I've had relatively expensive tech gear that just dies and it's like within the warranty, and then I try to get it replaced or, refurbished somehow. And it is. A huge pain. And it sounds like this, cyber warranty style of insurance is very minimal and likely hard to collect on.
[00:29:53] Dustin Bolander: Yeah. Yeah. And that's a good way to think of it is, as hard as those product warranties are to collect on my favorite thing is so there's a couple of situations where they've used for marketing. Car insurance and car warranty, are two different things.
Mike, have you ever talked to anybody that's tried to collect on one of those aftermarket car warranties? That's a guys that you probably shouldn't be marketing that way? 'cause that's a bad example. Like you're making the association, but it's accurate in those cases. So they, they have their place, but it's again, extremely minimal.
[00:30:22] Mikey Pruitt: Yeah. Do you think there's like a tipping point where MSP needs to start looking for cyber insurance to cover themselves? Or is it just as soon
[00:30:30] Dustin Bolander: as you have enough of a business that you couldn't go and shut it down and start a new one? If that makes sense. So stuff's gonna happen. Even if it wasn't your fault, you're gonna have a client get ticked off.
God forbid you have one of those huge like the buffalo jump where the RMM vendor got hit back in, I think it's 2018. Things like, that's really bad. But if you're a, say you're a one person shop, that's just taking, contract jobs. If you had something happen, you could probably shut down the business and just go start a new LLC tomorrow.
Okay, I could see the argument there, but if you got two or three people. And the other thing is a lot of people don't realize that insurance isn't that expensive. So I'll tell you on IMSP, we just finished renewal for it. We're a little bit over 4 million a year in revenue. We had a really solid policy for about $9,000.
For $2 million in coverage. And granted, I'm, I have a little bit of an insider knowledge on it, right? So I probably did a better job on it than your average MSP would get. But there are the, if you're overpaying where you're just like, ah, this is outrageous. We had another MSP, not mine that we helped recently.
They were paying $28,000 a year. And so it ended up, the carrier they were with is really good, reputable, but they have an in-house soc. They have in-house security people, that carrier hates that risk. We switched to another carrier and it went down to $8,000. So you can get good coverage at a reasonable price.
You just gotta play the game a little bit. It's like one of those things, if every year I'm sitting there going, Mikey, here's your renewal, here's your renewal. You're probably not getting the best price or the best coverage that you could.
[00:32:02] Mikey Pruitt: So yeah. And it gets slightly higher every year.
[00:32:04] Dustin Bolander: Yeah. It's gonna, yeah.
And it's gonna keep going up, but, to the, your point about, when should you get it? Like it's not as expensive as the floor that I say is $2,000 a year. You're looking at, if you're an MSP, that's half a million dollars. We've done this for several of them, so this is speaking from actual data.
About $2,000 a year. We'll get you a solid MSP policy that's gonna cover your cyber and then also your services delivered, right? Your backups fail for one of your clients and they come after you. That would be covered under that policy also.
[00:32:34] Mikey Pruitt: So you mentioned in there, the, that large insurance company didn't like that specific client because they had an in-house sock.
Why? Why is that?
[00:32:42] Dustin Bolander: That is one of the highest risk things you can do from insurance's eyes, because oh, you're gonna miss a security, you're gonna miss an intrusion. It turns into a bigger attack, things like that. That's one of the most,
[00:32:53] Mikey Pruitt: it's like there's a paper trail that you Yeah.
Neglected
[00:32:56] Dustin Bolander: something. Yep. You are the full stop, right? Like on my MSP we use huntress. The, it's oh, we got hunts, we're great. But whenever you have the sock yourself, it's like, it's you. The buck stops here. So that adds a lot of, from the underwriter standpoint, that adds a ton of liability.
[00:33:12] Mikey Pruitt: Let's put your your legal hat back on. Not that you're a lawyer. You're not a lawyer. My internet JD. Yeah, internet lawyer love it. The MSP is going, typically dealing with a lot of contracts monthly recurring revenue. Do you have any. Tips on, 'cause you've been on both sides of this coin.
Yeah. Like dealing with a lot of lawyers and MSP yourself and even, on the insurance side, you have a lot of knowledge. What are some of the best ways to structure a contract to where you're not li as liable? Like you're not as on the hook or protected.
[00:33:45] Dustin Bolander: Yeah,
[00:33:46] Mikey Pruitt: in the best way. Do you have any suggestions on that?
[00:33:48] Dustin Bolander: Yeah limitational liability is obviously a huge one, right? Wanting to restrict how much, even if something does go south, how much you can be damaged for. That's one of the biggest pieces. One other one that's come up frequently. Relatively speaking, you don't see as many claims on this stuff as you would, everybody talks about.
But when they do happen. From like a neglect standpoint. There is, so Eric TILs is a attorney that does a lot of MSP work. He has an awesome presentation. I'm gonna shamelessly steal from him, as he said. Belts and suspenders. And suspenders. So he's talking about be explicit on what you do.
Then be explicit on what you don't do. Then be a little bit more explicit on top of that. That there's stuff where it's oh, I thought Mikey, I thought you guys were doing that for us. Where it's nope. We don't, we provide these tools that your team has to, use them is a good example.
That's language that I see in contracts. That's a good thing. We're going to provide these this multi-factor stuff, but you're Mikey, you have to roll your device. You have to, accept and deny the prompts. We can't control that officer of the company. That you're not representing you as MSP, you're not representing as an officer of the company.
Don't sign stuff for your client. That's a huge one. Everybody talks about, on the insurance apps, filling 'em out. The filling 'em out part isn't that much of a danger to me. Talking It's the signing. Yeah, it's the signing. No, please never sign anything for your client, on their behalf.
Like at that point. Yeah. That's where it gets super messy. So those two pieces are pretty good ones. And then also setting expectations if there's certain things that they need to be doing testing, backups. Good example. Are you the M ms P testing it, or, personally I love, I can't remember who to give credit for on this, but I say is the client needs to be making requests on testing the backups like that, you're, you get some other good advantages like real time, how does your team respond If it's a test, as an MSP, you're so busy, you're not gonna give a true priority.
But then also that, put some liability back on the client that they need to be putting these requests out. They need to be working with you to. Test and verify, the backup stuff like that. Just having those solid one page contracts. Doesn't like backups Always
[00:35:51] Mikey Pruitt: work. What do you mean backups are?
[00:35:54] Dustin Bolander: Yeah.
[00:35:56] Mikey Pruitt: So yeah, no, it's like backups always work. What do you mean? Yeah, exactly.
[00:35:59] Dustin Bolander: So having that kind of stuff in there, setting expectations. And then those limitations, liability, just being really black and white on, who does what or doesn't do it too. Spell that out in there.
One other piece too. Talking on that also. Dustin, what? Oops. Oh, go ahead. I was gonna say don't commit to stuff that you can't really do because you know the client. As long as the client doesn't notice, as long as nothing fails, it's not a problem. But the fact that you as an MSP were completely unqualified to be delivering a service, whenever that comes out in court I had one guy that this was a couple years ago that was delivering SOC services paid.
I was like, that's awesome, John. Like, how are you doing that? I thought you guys had a pretty small team. And he is yeah, we got two SOC analysts. And. It's what? So what happens whenever they leave at six, I assume. He is yeah. And he is but they're on call. They get, and it's like, what happens?
If they sleep through it or like, how do you do the hackers go home at six? And it was like a kid finding out there was no Santa Claus. You could just see it drain from his face and he is just oh. Just stuff like that where it's like you're not, and that's okay. That's the other thing is like there's not set your ego aside, that sort of thing.
It's like you're not qualified to be delivering that. That's fine. There are a lot of partnerships out there and stuff to do it the right way because again, as long as the clients don't get breached, nobody's gonna catch onto your eight by five soc. The minute that goes to court, that stuff comes out and that's where you get, really in trouble.
[00:37:20] Mikey Pruitt: Yeah, I can see that playing out in court, like in a bad TV drama. Scary. Yeah. Dustin what do you think you're gonna, we're gonna see next in the MSP space? Cybersecurity is only getting worse, I guess is the best way to say it. MSPs seem to be in a pivoting point, like they're not sure what to do.
We even talked about that middle bucket of, specialization. What do you think is gonna happen in the near future?
[00:37:45] Dustin Bolander: Yeah. One piece that I can talk about just 'cause it's from my weird intersection of MSP and insurance this is already going, is you're seeing a lot of hybrid companies.
I did a article with, I forget what website it was, but I was joking about, it's the worst new acronym is M-I-S-S-B managed Insurance and Security Services provider. I hope that never gets, never catches on, but you're seeing insurance companies buy MSPs. There's a big one. Acrisure has their name on the Pittsburgh Steeler Stadium, I believe.
And they've bought several, this is all public out in the open. They bought several MSPs at this point. And their average customer is 50 seats and under. So we all, as MSPs want to be the trusted advisor, but it's hard to, whenever you're sitting there, your three trusted advisors for most business owners are gonna be your lawyer, your CPA, and then your insurance agent, like the Ms.
P. Sometimes you get in there, sometimes you don't. Depends on the company, depends on the SP. But that insurance agent coming in and saying, I can do better cybersecurity than these guys that's gonna increasingly become a problem for MSPs. That's one thing that we're starting to see the more formal partnerships but especially almost the call, the attack from the insurance side of the things where they're getting into MSPs, you remember like we saw in the last 10 years where the CPAs started buying MSPs, right?
Yeah. And offering the services, that kind of thing. Maybe it's like that. I feel like that never really hit a mass critical momentum on that. But we are starting to see the insurance companies push into that side of it. So I think that's one almost defensive thing that we're gonna have to deal with as MSPs this year.
[00:39:21] Mikey Pruitt: So would you say, just piggybacking on that, would you say it's wise to try as an Ms. P to partner with CPAs or insurance companies or try to. Do that in-house, be specialized, like you are, but you have two separate companies.
[00:39:37] Dustin Bolander: Yeah.
[00:39:38] Mikey Pruitt: No. How do you win in that scenario?
[00:39:39] Dustin Bolander: Yeah, because insurance, the problem is all the licensing and stuff.
It's a if anybody wants to talk about it, I'm happy to I've done it twice now I got it embedded in my brain, but partnering. Yeah, absolutely. The bigger piece though, is I say is make sure at least you're having those conversations right, to where it's crossed the client. 'cause what you want to have happen whenever that insurance agent starts talking about that.
Mikey's sitting there, he goes, oh yeah, Dustin told me about this. Let me get him on the phone. Or we'll set up a meeting with three of us that you prime them, that conversation is gonna happen already. So just getting ahead of it that'll get you 90% of the way there. And speaking as an MSP owner, I can tell you that we've done that in ours.
That's absolutely worked out. There's been a couple cases where we got pulled in. It was obvious somebody was trying to wedge us out using that, but we'd had that conversation with the client, partnership is ideal, but at a minimum, just be talking to your clients about that. So when it happens that they're like, oh yeah, I need to call Mikey.
I need to call Dustin to talk about this.
[00:40:34] Mikey Pruitt: Yeah, good advice. Dustin, where can people find you on the interwebs?
[00:40:38] Dustin Bolander: LinkedIn is gonna be, I actually don't post much, but I scroll incessantly and I direct message with people. So Dustin Boer. And then the insurance company website, bell Text, B-E-L-T-E-X INS like insurance dot com. beltexins.com
[00:40:55] Mikey Pruitt: Very cool. Dustin, thanks for joining me today. That was a blast. I don't think I've ever had so much fun talking about insurance, and now I get to go argue with my sister for much longer. Thank you. There you go. Have fun.