Cyber Insurance Carriers Now Requiring Multi-Factor Authentication
Business leaders around the world have been asked about their views on the rising cyber threats since the COVID-19 pandemic. Many business leaders view phishing scams as one of their top security concerns. Before the COVID-19 pandemic, the security landscape in many organizations depended mainly on company-owned devices that were managed and monitored company-wide. Pre-pandemic, many organizations also relied on remote access in a limited capacity.
As a result of the fast-paced changes brought on by the COVID-19 pandemic, many organizations implemented Bring Your Own Device (BYOD) policies and began addressing the remote access needs of their employees. In turn, more organizations began to invest in multi-factor authentication (MFA) to fill security holes.
Over the past couple of years, cybercrime has steadily evolved, with cybercriminals going after as many organizations as possible. In May 2021, Colonial Pipeline became the most high-profile victim of a relatively new ransomware group known as DarkSide. The DarkSide group was able to access the Colonial Pipeline’s network using a compromised VPN password.
After the rise in cyberattacks, President Biden signed an Executive Order, Improving the Nation’s Cybersecurity. The Executive Order mandates that agencies must deploy Multi-factor authentication (MFA) and encryption. The order outlines timelines for the implementation of MFA and encryption, giving agencies 180 days to adopt MFA solutions. The Executive Order sent a strong message to cybersecurity insurance carriers that had yet to include MFA in their list of requirements for cyber insurance.
Multi-Factor Authentication Is Now a Requirement for Cyber Insurance
Cyber insurance covers financial losses resulting from cyber incidents and can provide the recovery support an organization will need after falling victim to a cyber attack. Cyber insurance carriers require policyholders to adopt preventative measures in return for more coverage. The requirements for one organization will not be the same as those for another; each cybersecurity insurance policy has its own set of criteria.
If you have not implemented MFA on critical accounts and access, you will be a clear target for malicious actors. Multi-factor authentication has become such an essential part of cybersecurity strategies that cyber insurance carriers are now requiring policyholders to implement it. Moving forward, this means that MFA will be required to obtain cyber insurance.
Multi-factor authentication (MFA) and cyber insurance are a match for one another for several reasons, including the following:
- Multi-factor authentication could significantly reduce the cost of cyber insurance. In the same way that you do your best to drive safely and maintain a spotless driving record in Ohio to keep your auto insurance low, you can save on cyber insurance by doing your best to maintain a spotless record when it comes to cyber incidents. You can bolster your cyber safety with an MFA solution.
- Some cyber insurance policies cannot be renewed if there is no Multi-factor authentication (MFA) in place.
What is Multi-Factor Authentication?
Multi-factor authentication is an enhanced security process for user account access. After the correct username and password are entered, users are asked to enter a numerical code. The code is delivered by text or email, or through an authentication app on a mobile device. Multi-factor authentication requires all users to verify their identity with two or more verification steps before they can gain access to an online account or to servers, firewalls, VPNs, switches, etc.
It is critical to know the types of authentication factors available, such as Knowledge, Possession, and Inherence. When MFA is enabled, every user will be instantly notified if another person attempts to use their credentials in an attempt to gain access to the account. When MFA is enabled, no one else will be able to access the data without the approval of the user or the generated code.
Why Are Cyber Insurance Carriers Requiring MFA?
In a 2019 blog post, Microsoft stated, “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.” If organizations are only using passwords as a layer of protection, a cybercriminal can easily crack the passwords of your employees and gain immediate access to all your organization’s services.
However, with MFA, that same cybercriminal will not be able to access your services because the bad actor would need access to the MFA code, the specified mobile device, fingerprint, etc. to gain access to the service or account. MFA places multiple hurdles in the path of a malicious actor. When a cybercriminal’s attempts to gain access to your services and accounts are blocked, the cybercriminal will likely move on and search for an easier target.
What MFA Controls Are Required to Qualify for Cyber Insurance?
Most cyber insurance carriers will require policyholders to have these MFA controls in place:
- Multi-factor authentication for remote access
- Multi-factor authentication for internal and external administrative access to directory services like Active Directory and LDAP
- Multi-factor authentication for remote access to email
- MFA for internal and remote admin access to network backups provided to third-party providers
- MFA for internal and remote admin access to network infrastructure components like servers, firewalls, switches, routers, etc.
MFA for remote access will reduce the potential for a data breach or network security breach caused by a lost or cracked password. MFA for administrative access will limit a malicious actor’s ability to gain widespread access to a compromised network.
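One way to check an access inventory against the five controls listed above before completing a carrier questionnaire. This is an added example, not code from the original article or from any carrier; the AccessPath fields, the control predicates, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPath:
    name: str
    target: str   # "vpn", "directory", "email", "backup", "infrastructure"
    remote: bool  # reachable from outside the internal network
    admin: bool   # grants administrative rights
    mfa: bool     # a second factor is enforced on this path

# The five controls from the list above, each as a predicate over a path.
# One path can fall under several controls (e.g. remote email is also remote access).
CONTROLS = {
    "remote access": lambda p: p.remote,
    "directory services admin access": lambda p: p.admin and p.target == "directory",
    "remote access to email": lambda p: p.remote and p.target == "email",
    "backup admin access": lambda p: p.admin and p.target == "backup",
    "network infrastructure admin access": lambda p: p.admin and p.target == "infrastructure",
}

def audit(paths):
    """Return {control: {"status": "met" | "gap" | "unassessed", "gaps": [names]}}."""
    report = {}
    for control, applies in CONTROLS.items():
        in_scope = [p for p in paths if applies(p)]
        gaps = sorted(p.name for p in in_scope if not p.mfa)
        if not in_scope:
            status = "unassessed"  # nothing inventoried is not the same as compliant
        else:
            status = "gap" if gaps else "met"
        report[control] = {"status": status, "gaps": gaps}
    return report

# Constructed sample inventory (hypothetical names).
SAMPLE = [
    AccessPath("vpn-user", "vpn", remote=True, admin=False, mfa=True),
    AccessPath("ad-admin-console", "directory", remote=False, admin=True, mfa=False),
    AccessPath("webmail", "email", remote=True, admin=False, mfa=True),
    AccessPath("imap-legacy", "email", remote=True, admin=False, mfa=False),
    AccessPath("firewall-ssh", "infrastructure", remote=False, admin=True, mfa=True),
]

if __name__ == "__main__":
    for control, result in audit(SAMPLE).items():
        print(f"{control:38} {result['status']:11} {', '.join(result['gaps'])}")
```

A control reported as "unassessed" means no matching access path was inventoried, so it needs follow-up rather than a "yes" on the application.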
Using MFA should be a top security measure for any organization, regardless of size and industry – especially as more organizations are transitioning to a more remote workforce. MFA can also be one of the easiest ways to keep accounts and services secure.
Ready or not, MFA requirements are here. Many organizations will find that their cyber insurance carriers have already added a new requirement that the applicant discloses its MFA policies. We have incorporated these things into a Security Plus plan for those who do not currently meet these requirements. If you are faced with showing Multi-factor authentication (MFA) proof, we are qualified to evaluate your existing systems, implement new solutions, assist with the technical transition, and serve as your advocate.
Learn more about how Rea & Associates can help you with your cyber insurance by scheduling your free consultation.