No MFA? No Cyber Insurance!

February 7th, 2022 by admin


It seems insurers are tired of paying claims for ransomware attacks and data breaches and have toughened their requirements for coverage. And with good reason. Given that some of the biggest cyber incidents of the past decade resulted from a single password compromise, insurers are now putting a lot more effort into evaluating the security measures in place for protecting user access. If you’ve recently renewed your cyber policy, or applied for a new one, you’ve probably received a supplemental application dedicated solely to this area of your IT security.

As the number and severity of cyber-attacks have increased over the past 18 months, most cybersecurity insurance providers have now mandated the use of Multi-Factor Authentication (MFA) as a bare minimum requirement to receive cyber coverage. To reduce the number of ransomware and other cyberattacks, almost all are requiring that policyholders use MFA for both privileged and non-privileged accounts, regardless of whether users are working on the internal network or remotely. MFA has been cited across the IT industry as being effective in blocking over 99% of account compromise attacks. By requiring MFA, cyber insurers see a way to drastically cut their exposure.

Insurance carriers that once offered full policy limits with no questions asked are now diving deeper and examining the security controls of their renewal and new applications to ensure they align to a higher standard. As growing financial losses harden the cyber insurance market, there’s also been significant tightening on the cost and availability of business interruption coverage which, although separate, is interdependent.

MFA reduces risk

A cybercriminal who gains access to a user account with the right privileges can open untold opportunities for inflicting extensive damage. This includes, but is not limited to: execution of fraudulent financial transactions, theft of products, exposure of customer and employee data, deletion of backups, and deployment of ransomware. The benefit of MFA is that it adds extra layers of security to the login process. Before being granted access to an IT system, MFA requires users to submit additional information to verify their identity. Creating more login proof points improves user verification and makes it harder for someone with just a stolen password to override your defenses.

MFA protects a user account with factors from two or more categories:

  • Something you know: a “knowledge factor” like a password.
  • Something you have: a “possession factor” like a mobile phone or a security key.
  • Something you are: an “inherence factor” like biometrics.

If one factor is compromised or broken, an unauthorized user still has at least one more barrier to breach before successfully accessing an account. You can read more about MFA in a related post here.

The link between MFA and cyber attacks

While MFA is not a “silver bullet,” it is a vital defense against the threats associated with compromised passwords. Verizon’s 2021 Data Breach Investigations Report reveals the many variations of attack cases involving compromised credentials, and the high efficacy of each method. It also cited user credentials as being the number one type of stolen data — leading to 61% of all breaches.

Why are so many systems left vulnerable? Because other foundational security technology solutions you may have in place (antivirus, firewall) assume people accessing your network are who they say they are. So, an attacker using stolen (but valid) credentials will not typically set off a red flag alert. Given that 66% of people admit to always or mostly using the same password or a variation of it, the extra layer of security MFA provides is important to consider.

Impact on insurance

Given the growing security risks and threats associated with remote workforces, implementing MFA across your organization should be viewed as a key part of its overall cybersecurity health. But unlike having a sprinkler system or safe driving record, don’t expect that implementing MFA by itself is going to guarantee you a premium discount. Insurers rarely provide a substantial discount based on a single security control, preferring to assess the combination of controls a company deploys against cyber threats, in addition to the company’s industry, size, and specific risks.

However, deploying MFA will benefit your insurance program in three potential ways:

  • Being eligible for a cyber insurance quote from a major carrier,
  • Qualifying for quotes from multiple carriers, ensuring competition for your business that will produce favorable terms (e.g., sub-limits or exclusions on cyber-related events), and
  • Reducing your claims activity, which, over time, can significantly improve your insurance pricing.

The vital role of cyber insurance

Today, cyberattacks have become a fundamental organizational risk that has to be financially, as well as technically, managed. Ultimately, it’s not a question of whether it will happen, but when it will happen and how to most effectively respond. This makes having cybersecurity insurance one of several crucial elements of an overall cybersecurity strategy.

To frame it another way: even if you are an excellent driver with a top-of-the-line car, equipped with collision avoidance and all the other latest safety features, you still need auto insurance in case someone suddenly pulls out in front of you. The same is true with cybersecurity insurance and the risks of a cyberattack. Organizations get hit regardless of how much money they spend on technological countermeasures and human assets. Cyber insurance should be considered a vital backstop, helping reimburse the costs of an attack — from lost revenue and the cost of getting your organization back up and running to covering regulatory fines, PR, and legal expenses.

Get MFA without the cost and complexity

The good news is that you can easily reduce your cyber risk and get a high return on your security spend at the same time. Advanced Network Systems provides MFA solutions that protect each employee at a cost that’s less than the price of your morning Starbucks. Click here to talk MFA with a security team member and get more information.
