Cyber Insurance Companies Requiring Multi-Factor Authentication
Have you recently completed a form or answered questions from your cyber insurance carrier? There was likely something in there about multi-factor authentication. And you probably agreed to ensure multi-factor authentication (MFA) is in place for certain types of users and network access.
So, what exactly did you agree to, and why does your insurance company care so much about MFA?
In this article, we'll walk through what multi-factor authentication is, why it's so important to your cyber insurance carrier, and what you need to do to stay current with your insurance policy's requirements.
Before we move on, let's be super transparent. Innovative sells and installs a multi-factor authentication solution (Duo). As a Duo reseller, of course, we believe in the power of MFA. But in all honesty, we weren't very successful at selling many MFA solutions until recently.
That doesn't mean we didn't believe in the solution until recently. Most of our clients hated the inconveniences of MFA so much that they were willing to take the security risk of not adopting it. Plus, at the time, there were other, higher priorities they were focused on. But those days are gone, and MFA is here to stay. Not because we say so, but because the entire insurance and tech industries are saying so.
Now that’s out of the way, let’s dive in.
What is Multi-Factor Authentication?
Multi-factor authentication means more than one method of verifying your identity.
You've likely experienced MFA when you enter your username and password into something like your online banking portal. When you receive an SMS text message with a security code that the portal prompts you to enter, that is very basic multi-factor authentication.
You'll frequently see multi-factor authentication referred to as two-factor authentication (2FA). People often use the two terms interchangeably. The only difference is that 2FA is limited to exactly two methods of verification – your password and an SMS text code, for example. Multi-factor authentication can include more than two methods of verifying your identity.
There are three categories of multi-factor authentication methods:
- Something you know, like a password.
- Something you have, like your mobile device or physical security key.
- Something you are, like facial recognition or fingerprint.
Microsoft Warned Us about Fraudulent Sign-Ons and MFA
In 2019, Microsoft shared that their cloud services experienced more than 300 million fraudulent sign-on attempts each day and advised that MFA can prevent 99.9% of all account compromise attacks.
You'd think everyone would have run out and adopted MFA solutions back then, right?
Nope – it took a pandemic plus the possibility of insurance non-renewal for them to do that two to three years later.
Microsoft recently surveyed business leaders around the world about their views on and approaches to cyber threats since the pandemic. The data showed that phishing scams are still a top security concern. Pre-pandemic, most companies' security depended heavily on nearly exclusive use of company-owned (i.e., controlled and monitored) devices, as well as minimal remote access. As a result of pandemic-related bring your own device and remote access needs, multi-factor authentication was the number one investment companies made during the pandemic to address security holes.
Read between the lines here on that statistic – if you haven't implemented MFA on key accounts and access, you're a sitting duck for attackers. Aside from that, multi-factor authentication is now such a bare minimum and essential part of every cybersecurity strategy that cyber risk insurance companies require most policyholders to implement MFA on at least key accounts and data access.
Cyber Insurance and MFA Requirements
Most cyber insurance policies now require some sort of MFA attestation or ransomware supplement application to secure or renew coverage. Even before the pandemic forced MFA to the top of cybersecurity priorities, cyber insurance companies were already heading toward more stringent requirements due to dramatic upticks in attacks and the cost of claims.
Cyber Insurance History
Cyber insurance was first offered in the late 1990s but didn't begin gaining popularity until the 2010s. Early cyber insurance underwriting (pre-2010) required a high personal touch, often including one-on-one interviews with IT leaders. At the time, only the most security-conscious companies were interested in cyber insurance policies, and claims were few and far between. It became an extremely lucrative product for carriers, which attracted more and more carriers into the space. Through the 2010s, the supply of cyber insurance eventually outpaced demand, resulting in carriers loosening underwriting requirements.
Until recently, almost any company that wanted a cyber insurance policy could get one, no matter how minimal its security standards. You were rewarded for more stringent security standards through lower deductibles and premiums, but no one (for the most part) was denied coverage.
Ransomware Surge and the Cyber Insurance Industry's Response
Cyber policies' profitability started to change in 2019 when the average ransom grew from $6,000 in 2018 to $84,000 by the end of the year. It was the most dramatic uptick in the cost of attacks ever seen.
That trend continued through 2020 and 2021, with average ransom demands among cyber insurance policyholders increasing 100% from 2019 to Q1 2020.
Due to the increased risk and decreased profitability, many carriers exited the cyber insurance space altogether. Others chose to limit or eliminate ransomware payment coverage from their policies. In May, France's largest general insurer, AXA France, announced it would no longer reimburse ransomware payments.
Enter Multi-Factor Authentication Requirements
Today, underwriters willing to offer coverages, especially when they include ransomware reimbursement, expect basic security controls. Multi-factor authentication is at the top of the list as the number one tool used to keep attackers out of the network.
Underwriters also expect you to use other tools necessary for detecting intrusions and mitigating attacks:
- Endpoint Detection and Response (EDR)
- Network segmentation/segregation
- Good backup practices with business continuity and a defined recovery time objective (RTO)
How Insurance Companies Guarantee MFA
(and how they get off the hook of paying claims when you bypass it)
Expect more and more paperwork, premium increases, and possibly even reductions in allowed coverage each time you renew your cyber insurance policy.
Carriers are very specific with their questions on applications, renewal forms, supplemental forms, and attestations. Make sure you and your IT team thoroughly understand each question asked on all these forms. You must know exactly what you're signing, and more importantly, your IT team must understand exactly what you signed.
You are guaranteeing that safeguards are in place, not just at the time of signature but for the life of your policy. When you do file a claim, your carrier will investigate. And they will deny your claim (or even drop your coverage) if they find that a tool like multi-factor authentication was not active at the time of the loss.
These forms and questions are pretty standard across all major carriers. In June, seven leading cyber insurers announced that they formed a new entity to pool data and collectively "enhance cyber risk mitigation efforts across the insurance industry." So, you can expect to see even more standardization from one company to another.
CyberRisk Forms and Applications
For an example of the types of questions you'll have to answer when you apply for or renew your cyber insurance policy, let's look at Travelers, the fourth leading cyber insurance company in the world.
Travelers' CyberRisk applications and forms are publicly available and are excellent references for the types of questions you should prepare to answer.
Innovative's strategy consultants and technicians work together to assist clients in accurately completing these types of forms. If you're not an Innovative client, make sure you and your IT team are extremely familiar with precisely what you've committed to when you sign these forms so that nothing gets overlooked that could impact your ability to collect a claim. If you are an Innovative client, please do not sign anything without including us in the conversation.
Multi-Factor Authentication Attestation
The first form on Travelers' list is the Multi-Factor Authentication Attestation form. They advise that you complete the form with the assistance of your IT security leader. If you outsource IT security, they advise you to complete the form with your managed security provider or other 3rd parties. Innovative clients – that means you need to call us before signing this!
Travelers' Definition of MFA
First, they define what MFA is and state that, "Multi-factor authentication is successfully enabled when at least two of these categories [something you know, something you have, something you are] of identification is required to successfully verify a user's identity when accessing systems."
This means that a password followed by a security question (e.g., your mother's maiden name) is NOT considered multi-factor authentication. In that case, both authentication methods come from the "something you know" category. To meet Travelers' requirements, users must provide something they have (e.g., a mobile device or security key) or something they are (e.g., facial recognition or a fingerprint) in addition to a password.
Required Multi-Factor Authentication
After Travelers defines the categories of MFA you must use, they define how you must use it. They state that the following MFA controls are minimum eligibility requirements for a cyber policy, and they name three areas where you must require MFA:
- Remote network access – you have no way of knowing who is actually requesting access to your network from outside the security of your walls.
- Administrative access – the quantity and nature of the access administrators have justify extra assurance that they are who they say they are, even when they're signing in from within your network.
- Remote access to email – an attacker who gains access to email can severely damage the vendors and customers who trust you by using your users' legitimate email addresses to distribute malicious links or files.
Don't Forget About Vendors
In addition to attesting that you have these authentication requirements in place, Travelers also asks you to verify specifics about your MFA access. You must confirm not only that your employees use MFA but also that any 3rd party vendors with remote or admin access use it. This includes vendors like Innovative and potentially other vendors who support things like cloud services, security cameras, or networked copiers.
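The two-category rule from Travelers' definition, the three required access areas, and the vendor requirement above can be checked mechanically against an access inventory before anyone signs the attestation. The following is an added example, not Travelers' or Innovative's code; the factor names, the inventory structure, and the sample paths are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed map of factor names to the attestation's categories (know/have/are).
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "push_app": "have", "totp_app": "have", "sms_code": "have",
    "security_key": "have", "fingerprint": "are", "face_recognition": "are",
}
# The three access areas the attestation says must require MFA.
REQUIRED_AREAS = {"remote_network", "admin", "remote_email"}

@dataclass
class AccessPath:
    name: str
    area: str        # one of REQUIRED_AREAS, or any other (not attested) area
    principal: str   # "employee" or "vendor": both must meet the rule
    factors: list    # factor names from FACTOR_CATEGORY

def factor_categories(factors):
    """Distinct categories a path requires; an unknown name is an inventory error."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown factor(s) in inventory: {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}

def is_mfa(factors):
    """True only when at least two DISTINCT categories are required."""
    return len(factor_categories(factors)) >= 2

def attestation_gaps(paths):
    """(name, reason) for every attested-area path that fails the rule."""
    gaps = []
    for p in paths:
        if p.area not in REQUIRED_AREAS or is_mfa(p.factors):
            continue  # not attested, or already compliant
        cats = factor_categories(p.factors)
        reason = (f"only 'something you {cats.pop()}' factors" if cats
                  else "no authentication factors")
        gaps.append((p.name, f"{p.principal} {p.area}: {reason}"))
    return gaps

# Constructed sample inventory, not from any real environment.
SAMPLE = [
    AccessPath("VPN", "remote_network", "employee", ["password", "push_app"]),
    AccessPath("Admin console", "admin", "employee", ["password", "security_question"]),
    AccessPath("Webmail", "remote_email", "employee", ["password"]),
    AccessPath("Copier vendor", "remote_network", "vendor", ["password", "security_key"]),
    AccessPath("Camera vendor", "remote_network", "vendor", ["password"]),
    AccessPath("Intranet wiki", "internal", "employee", ["password"]),
]
```

Running `attestation_gaps(SAMPLE)` flags the admin console (password plus security question is two "something you know" factors), webmail, and the camera vendor's remote access, while the intranet wiki is skipped because it is not one of the attested areas.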
Cyber Risk Insurance: Not an Option Without Sound Security
Cyber risk insurance is still an excellent part of your overall insurance plan and information security strategy. However, it is not a replacement for sound cybersecurity practices. Today, cyber insurance is an option only for companies already implementing good security strategies. It offers an added layer of financial security to lessen the blow in the event of a new threat or unique attack that your security solutions couldn't have prevented or predicted.
Ensure your IT team clearly understands your policy requirements and that you involve them when completing any forms or answering any questions for your cyber insurance carrier.
Need an IT team on your side that can help you navigate things like insurance questions and forms? Let's talk about how Innovative can help.