IS Decisions logo

IS Decisions Blog

MFA and cyber liability insurance: Understand the MFA insurance requirement

Multi-factor authentication (MFA) is fast becoming a cyber insurance requirement for all accounts. Learn more about meeting the MFA insurance requirement.

Published August 20, 2021
Cyber liability insurance MFA

Cyber liability insurance (also known as cyber insurance) is driving a long-overdue improvement in user access security. Multi-factor authentication (MFA) is now a cyber insurance requirement for all accounts, privileged and non-privileged, to protect on-site and remote access. Here’s a quick guide to understanding the MFA insurance mandate.

The MFA requirement for cyber insurance

Although not a requirement in previous cyber insurance subscriptions or renewals, cybersecurity insurance providers now demand MFA. Without it, most insurance agencies won't qualify your organization for coverage.

It seems insurers are tired of paying claims for data breaches and so have toughened up their list of requirements. And, as the cyber insurance market tightens, insurers are scrutinizing their portfolios and looking for clients with security controls that meet a higher standard. Why? By requiring MFA, cyber liability insurers drastically cut their exposure.

What are the benefits of MFA?

MFA is no silver bullet, but it is a key defense to the threat of compromised passwords. Throughout the Verizon Data Breach Investigation Report (DBIR), we see the many variations and attack use-cases for compromised credentials, and the high efficacy of each method. The report found that 49% of all breaches by external actors involved use of stolen credentials.

Secure the logon, stop the attack

Quite simply, when an attacker uses valid (that is, stolen but valid) credentials, why would your antivirus, firewall, and other technologies flag anything unusual? Your security tools assume people accessing your network are who they say they are.

This is where MFA comes in. Adding a second factor (two-factor authentication, or 2FA) typically means either requiring “something that you have” or “something that you are” in addition to a password, “something that you know”. If one factor is compromised or broken, an unauthorized user still has at least one more barrier to breach before successfully breaking into the target system.

Cyber insurance requirements checklist

Insurers view MFA as a best practice. When placing or renewing cyber insurance, you can expect to see several questions about MFA. If organizations are unable to demonstrate that MFA is in place, cyber insurance providers are saying no.

For example, here's a sample checklist for cyber insurance coverage. An organization must answer yes to all of the following questions about MFA.

  1. Is multi-factor authentication required for all employees when accessing email through a website or cloud based service?

  2. Is multi-factor authentication required for all remote access to the network provided to employees, contractors, and third-party service providers?

  3. In addition to remote access, is multi-factor authentication required for the following, including such access provided to third-party service providers:

    1. All internal and remote administrator access to directory services (Active Directory, LDAP, etc.)

    2. All internal and remote administrator access to network backups

    3. All internal and remote administrator access to network infrastructure components (switches, routers, firewalls)

    4. All internal and remote administrator access to the organization’s endpoints/servers

That’s not to say that enacting MFA cybersecurity across your organization guarantees a premium discount. According to Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, one of the largest insurance brokerage and consulting firms in the U.S.:

“Insurers rarely provide a substantial discount based on a single security control, preferring to assess the combination of controls a company deploys against cyber threats in addition to the company’s industry, size, and specific risks. Rather, enacting MFA will benefit your insurance program in two potential ways: Reducing your claims activity, which over the long term can significantly improve your insurance pricing; and, qualify your company for cyber insurance quotes from multiple carriers, ensuring competition for your business that will produce favorable terms.”

What stops companies from deploying MFA?

The threat of compromised credentials is well known. Yet, despite the push from cyber insurers, some organizations are still reluctant to adopt MFA. We believe this reluctance is driven by the 4 myths of MFA.

  • MFA is not just for large enterprises. The data to protect is as sensitive and the disruption as serious in any company, regardless of size.

  • MFA is not just for privileged users. Most “non-privileged” employees also have access to sensitive; not forgetting that cybercriminals usually don’t start with a privileged account, but take advantage of any account to then move laterally within the network.

  • MFA is not perfect, but it’s a huge step forward. No security measure is perfect. But, as the FBI affirms, MFA is effective and one of the simplest steps an organization can take to improve security.

  • MFA doesn’t have to disrupt users’ productivity. Administrators can avoid prompting users for MFA each time they log in. MFA should be customized according to each company’s needs.

Get easy, effective MFA for cyber insurance with UserLoc

Applying MFA is a key security measure for any company, regardless of size. This is especially true as a remote workforce becomes the new norm. Whether you need MFA for insurance requirements or not, it can be one of the easiest ways to keep your accounts secure.
UserLock makes it easy to enable MFA for Windows logon, RDP, RD Gateway, VPN, IIS, SSO and cloud applications. Verify the identity of all Active Directory accounts and secure their access to the network and cloud resources.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial