
Save on cyber insurance with MFA and access management

Multi-factor authentication (MFA) with access management helps lower your risk profile and reduce cyber insurance premiums.

Published September 27, 2022

If you’re looking to meet requirements and enjoy long-term savings on cyber insurance premiums, focus on lowering your risk profile with multi-factor authentication (MFA) and access management.

The cyber insurance landscape

The cyber insurance landscape is changing rapidly, and that's no secret. The average cost of a data breach is now a staggering $4.45 million. And, according to a 2021 report by Willis Towers Watson, the average settlement from insurers hovers around $4.88 million.

In response, we’ve seen cyber insurance premiums skyrocket. According to the Marsh Global Insurance Market Index, cyber insurance pricing spiked by over 100% in the U.S. and the U.K. in 2021. And while ransomware claims continued to increase, cyber insurance pricing has declined in 2023. A few of the main factors include increased insurer competition and improved cybersecurity controls.

Higher risks and higher costs from subpar protection

Cost is a major factor in cyber insurance decisions, a recent survey by IT World Canada suggests. According to 57% of respondents, the current cost of premiums is a main reason why many firms have no cyber insurance coverage.

Why the rise in insurance costs over the past few years? In a word: subpar protection (the same reason cybersecurity claims are filed in the first place). There's been improvement, but organizations still don’t fully grasp the importance of cybersecurity across the enterprise.

Add to that how widespread remote and hybrid work is now, and the related weaknesses it brings: misconfigured remote desktop software, insufficient access management requirements, and a lack of monitoring across different security tools. It’s easy to see why insurance companies rapidly raised costs over the past few years to cover their (that is, your organization’s) increased risk.

The answer for lower cyber insurance premiums: Lower your risk profile

The risk profile of the policyholder will always be the largest factor in determining the cost of insurance coverage. The weaker the risk management program, the higher the risk to insurance providers – and the higher the cost.

Here’s what you can do to help lower your risk profile and lower your cyber insurance premiums.

1. Enable granular MFA across all users

Cyber insurance is driving a long-overdue improvement in user access security. As the cyber insurance market tightens, insurers screen for clients with security controls that more closely align to higher standards. For example, cyber insurers are increasingly requiring multi-factor authentication (MFA) – one way to dramatically reduce their exposure. MFA is quickly becoming a must for all accounts, privileged and non-privileged, to secure network, remote and cloud access.

This makes sense – after all, we’ve all known for a long time that passwords are too weak. MFA isn’t a panacea on its own, but it is a key defense against the threat of compromised credentials.

Adding a second factor (two-factor authentication) typically means either requiring “something that you have” or “something that you are” in addition to a password, “something that you know.” If one factor is compromised or broken, an unauthorized user still has at least one more barrier to breach before successfully breaking into a target system.
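The “something you know” plus “something you have” combination described above can be made concrete with a password check paired with a time-based one-time code (TOTP, RFC 6238). The block below is an added illustration, not code from the original article or from IS Decisions’ products; the enrolment record layout, the PBKDF2 parameters and the test secret are assumptions chosen for the example (the secret is the RFC 6238 reference key, so its codes are publicly known and not usable as a real credential). Note how both factors are evaluated before a decision is returned: a correct password with a wrong code fails exactly like a wrong password, which is the “at least one more barrier” property the text describes.

```python
import base64
import hashlib
import hmac
import os
import struct

# Hypothetical PBKDF2 settings for the password factor (assumption, not a vendor setting).
PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30      # seconds per code, per RFC 6238 default
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at_time) // TOTP_STEP
    ok = False
    for drift in range(-window, window + 1):
        # Check every candidate; don't return early, so timing is the same on success and failure.
        ok |= hmac.compare_digest(hotp(secret, counter + drift), code)
    return ok


def enroll(password: str, totp_secret: bytes) -> dict:
    """Build the stored record for a user: salted password hash plus the shared TOTP secret.
    (Constructed record layout; a real deployment would protect the secret at rest.)"""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": base64.b32encode(totp_secret).decode(),
    }


def verify_login(record: dict, password: str, code: str, at_time: int) -> bool:
    """Two-factor check: both the password (something you know) and the
    one-time code (something you have) must pass. Both are always evaluated so a
    failure reveals nothing about which factor was wrong."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, record["pw_hash"])
    secret = base64.b32decode(record["totp_secret"])
    otp_ok = verify_totp(secret, code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # RFC 6238 reference key; its code at T=59 is the published vector 287082.
    demo_secret = b"12345678901234567890"
    rec = enroll("correct horse battery staple", demo_secret)
    print("code at T=59:", totp(demo_secret, 59))
    print("password + code:", verify_login(rec, "correct horse battery staple", totp(demo_secret, 59), 59))
    print("password only  :", verify_login(rec, "correct horse battery staple", "000000", 59))
```

The `window` parameter is the usual trade-off: a wider window tolerates more clock drift on the authenticator but lengthens the period during which a captured code stays valid, so one step either side is a common compromise.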

Where do cyber insurers want to see MFA implemented?

MFA was not a requirement in previous cyber insurance renewals. Now, cyber insurers demand organizations have MFA in place when subscribing to or renewing cyber insurance. And who can blame them? They’re tired of paying claims, and sometimes hefty fines, for data breaches. So they’re toughening their requirements for coverage.

New cyber insurance requirements ask organizations to answer yes to all of the following questions regarding MFA:

  1. Is MFA required for all employees when accessing email through a website or cloud based service?

  2. Is MFA required for all remote access to the network provided to employees, contractors, and third-party service providers?

  3. In addition to remote access, is MFA required for the following, including such access provided to 3rd party service providers:

    1. All internal and remote admin access to directory services (Active Directory, LDAP, etc.)

    2. All internal and remote admin access to network backups

    3. All internal and remote admin access to network infrastructure components (switches, routers, firewalls)

    4. All internal and remote admin access to the organization’s endpoints/servers

Enacting MFA will benefit your cyber insurance program in two ways. First, it reduces your claims activity, which over the long term can significantly improve your insurance pricing. Second, it qualifies your company for cyber insurance quotes from multiple insurance companies, ensuring competition for your business that can work in your favor.

2. Deploy MFA with access management

Insurers rarely discount cyber insurance premiums based on a single security measure. Instead they holistically evaluate a combination of security controls, in light of the organization’s industry, size and specific risks.

Insurers want to mitigate their losses. The more controls and safeguards a company has to protect against threats, the better. Access management complements this risk-averse mindset. It supports the zero trust model of “never trust, always verify” offering improved control and oversight of access, based on user role.

Access management also targets the key ways attacks happen. Rather than standard indicators of compromise, it looks closely at reducing the risk of unauthorized and unwanted access.

1. Automate controls that prevent attacks

Restrict logons with contextual access policies to reduce the risk of inappropriate access. Truly granular access restrictions allow IT to restrict logons based on time, machine, location and session type allowed.

2. Monitor access and attribute actions to particular users

Monitor all access for all accounts, privileged and non-privileged, with real-time visibility for each and every identity. Evidence of a strong, “always on” monitoring program can prove your organization has a strong cybersecurity culture with a focus on continuous improvement. It’s a key way to prove reduced risk during a risk assessment.

3. React and respond to access events

Allowing IT to track logon and logoff activity and receive alerts in real time increases security, because they can react instantly to remotely block, log off or restart any user session. Automate as much as possible to ensure efficiency and efficacy throughout the entire process.
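The three steps above (automated contextual restrictions, per-identity monitoring, and a real-time response) can be shown end to end with a small policy evaluator over logon events. The block below is an added example written for this article; it is not UserLock code and does not reflect its internal design. The policy schema, the session-type names, the user names and the logon events are all constructed for the illustration. It generalises slightly beyond the text by also enforcing a concurrent-session limit, since that is a common companion to time, machine, location and session-type rules.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessPolicy:
    """Contextual logon restrictions for one identity (hypothetical schema)."""
    allowed_hours: tuple           # (start_hour, end_hour), end exclusive, 24h clock
    allowed_machines: frozenset    # machine names the user may log on from
    allowed_countries: frozenset   # country codes accepted for the session origin
    allowed_session_types: frozenset  # e.g. "console", "rdp", "vpn"
    max_concurrent: int = 1        # simultaneous sessions permitted


@dataclass(frozen=True)
class LogonEvent:
    user: str
    machine: str
    country: str
    session_type: str
    when: datetime
    kind: str = "logon"            # "logon" or "logoff"


def check_context(event: LogonEvent, policy) -> list:
    """Step 1: list the rules a logon breaks; an empty list means it is allowed.
    Every rule is evaluated so the audit record shows all reasons, not just the first."""
    if policy is None:
        return ["no access policy defined for user"]
    violations = []
    start, end = policy.allowed_hours
    if not (start <= event.when.hour < end):
        violations.append(f"outside allowed hours {start:02d}:00-{end:02d}:00")
    if event.machine not in policy.allowed_machines:
        violations.append(f"machine {event.machine} not authorised")
    if event.country not in policy.allowed_countries:
        violations.append(f"location {event.country} not authorised")
    if event.session_type not in policy.allowed_session_types:
        violations.append(f"session type {event.session_type} not permitted")
    return violations


class SessionMonitor:
    """Steps 2 and 3: track live sessions per identity, record an alert for every
    denied attempt, and offer a response that ends a user's sessions."""

    def __init__(self, policies: dict):
        self.policies = policies
        self.active = {}    # user -> set of (machine, session_type) currently logged on
        self.alerts = []    # (timestamp, user, violations) audit trail

    def process(self, event: LogonEvent) -> dict:
        policy = self.policies.get(event.user)
        sessions = self.active.setdefault(event.user, set())
        key = (event.machine, event.session_type)
        if event.kind == "logoff":
            sessions.discard(key)
            return {"action": "logged_off", "violations": []}
        violations = check_context(event, policy)
        if policy is not None and len(sessions) >= policy.max_concurrent:
            violations.append(f"concurrent session limit {policy.max_concurrent} reached")
        if violations:
            self.alerts.append((event.when.isoformat(), event.user, violations))
            return {"action": "deny", "violations": violations}
        sessions.add(key)
        return {"action": "allow", "violations": []}

    def block_user(self, user: str) -> int:
        """Step 3 response: end every live session for the identity; returns how many."""
        ended = len(self.active.get(user, ()))
        self.active[user] = set()
        return ended


# Constructed policies: an office worker and a backup service account.
POLICIES = {
    "alice": AccessPolicy((8, 18), frozenset({"WS-ALICE"}), frozenset({"FR"}),
                          frozenset({"console", "vpn"}), max_concurrent=1),
    "svc-backup": AccessPolicy((0, 24), frozenset({"BKP-01"}), frozenset({"FR"}),
                               frozenset({"console"}), max_concurrent=1),
}


def run_sample():
    """Feed a constructed sequence of logon events (not real logs) through the monitor
    and return the monitor plus the decision taken for each event."""
    mon = SessionMonitor(POLICIES)
    events = [
        LogonEvent("alice", "WS-ALICE", "FR", "console", datetime(2022, 9, 27, 9, 5)),
        LogonEvent("alice", "WS-ALICE", "FR", "vpn", datetime(2022, 9, 27, 9, 10)),   # 2nd session
        LogonEvent("alice", "WS-ALICE", "FR", "console", datetime(2022, 9, 27, 9, 20), kind="logoff"),
        LogonEvent("alice", "LAPTOP-X", "US", "rdp", datetime(2022, 9, 27, 23, 30)),   # off-hours, off-site
        LogonEvent("svc-backup", "BKP-01", "FR", "console", datetime(2022, 9, 27, 2, 0)),
        LogonEvent("temp-user", "WS-ALICE", "FR", "console", datetime(2022, 9, 27, 9, 0)),  # no policy
    ]
    decisions = [mon.process(e)["action"] for e in events]
    return mon, decisions


if __name__ == "__main__":
    monitor, outcome = run_sample()
    print(outcome)
    for stamp, user, why in monitor.alerts:
        print(stamp, user, "; ".join(why))
```

Each denied attempt lands in `alerts` with every rule it broke, which is the kind of per-identity, always-on record an assessor asks for; `block_user` is the real-time response hook, here returning how many sessions it ended so the action itself is auditable.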

Save on cyber insurance premiums with strong MFA and access management capabilities

There are as many ways to lower risks as there are risks themselves. Nothing on its own ensures a discount in cyber insurance premiums for your organization. But by strategically implementing MFA with access management, you can significantly reduce your risks and demonstrate your low risk profile during a risk assessment. And with a more robust security profile, you’re more likely to be able to negotiate lower cyber insurance premiums – bringing long-term savings.

How UserLock can help

UserLock is an access management solution for on-premise and hybrid AD environments. It protects on-premise Active Directory identities with MFA, Single Sign-On (SSO), contextual access controls and session management to secure employee access to both corporate networks and cloud applications, no matter where they work.


3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.
