Will Your Insurance Carrier Require Multi-Factor Authentication for Cyber Insurance?

Are you getting ready to renew your cyber liability insurance policy?  Maybe you’re looking to increase your limits due to the continued increase in attacks and the cost of those attacks.  Or maybe you’re finally getting around to applying for coverage for the first time. Regardless of your situation, you need to be prepared for a pretty hefty price increase, and a few more security hoops through which to jump.

According to Coalition’s H1 2021 Cyber Insurance Claims Report, the frequency of cyber incidents reported by organizations with fewer than 250 employees increased by 57%, year over year. Business Email Compromise (BEC) continues to lead the way in terms of the most common type of cyber incident, ransoms requested (and paid) continue to skyrocket, and the criminals at fault show no signs of slowing down or being limited in their actions.  These are just some of the reasons that cyber liability insurance carriers are making things more difficult for the buyer. They are becoming stricter with their underwriting guidelines, premiums are increasing, liability limits are decreasing, and more of the onus is being placed upon the insured.  And in many cases, they are requiring businesses to implement multi-factor authentication across the network.

Insurance carriers have realized that traditional security measures such as firewalls and endpoint protection just aren’t sufficient any longer. Multi-factor authentication (‘MFA’ or ‘2FA’) is becoming a standard requirement when considering cyber insurance for your business. As Casey Schrader of Oswald Companies put it, “Every carrier is heavily scrutinizing application submissions and the controls in place.  MFA has gone from a ‘nice to have’ to a ‘need to have’.” If you’re not interested in MFA for your business, there’s a good chance you won’t be able to find insurance.

 

MFA Significantly Reduces Your Risk

In the past week alone, the Ashton technical team has had multiple calls with clients and their insurance providers and/or attorneys. All of these calls have centered on the security measures Ashton has provided and how they stack up against mandates from the insurance, legal, and compliance sides of our clients’ business. Whereas ransomware used to be a primary concern (‘pay us our ransom and we’ll decrypt your data’), ever-creative cyber criminals are now hitting unwitting businesses with double-, triple-, and quadruple-extortion ransomware; they’ll hold you hostage for access to your email accounts and your data, while also offering to sell your data and credentials to the highest bidder.

“Insurance carriers find that organizations with MFA or 2FA on all devices across the network are significantly less likely to be victimized by ransomware, BEC, or a data breach,” according to David Keller of Keller National Insurance. Whether renewing an existing cyber policy or applying for the first time, you should expect to be asked about MFA on your network, and you’ll need to attest to its presence and how it’s used.

Without Multi-Factor Authentication, You May Be Uninsurable

As you’re going through the process of applying for insurance (or upgrading your existing policy), you should plan to have your IT partner (outsourced or internal) with you during conversations with your broker. Questions that will likely be asked of you on the application include:

  • Is MFA required for all employees to access company email?
  • Do employees use MFA to remotely access the network (e.g. when working from home)?
  • Are network devices (firewalls, switches, etc.), endpoint devices (PCs/servers), and backup devices all secured with multifactor authentication?
  • Is your data encrypted?
  • Are you subject to the General Data Protection Regulation (GDPR)?

And the list goes on. But it’s safe to say that if you answer ‘no’ to any of these questions, the best-case scenario is that you’ll be sent back to the drawing board to add the necessary security measures. Worst case, the carrier refuses to consider your application. As Schrader stated, “Two checked boxes out of five on the application will likely lead a carrier to avoid offering you insurance coverage.”

Many people view multifactor authentication as an unnecessary pain in the neck, thinking that it’s one extra step to take to gain access to your email account or your network. When the alternatives include leaving your network exposed to bad actors or not being able to insure the business that you’ve spent years growing, wouldn’t you rather spend that extra 10 seconds and a couple of bucks to make sure you’re safe? Multifactor authentication is a very low-cost security measure that can defeat 99.9% of ransomware attempts, according to Microsoft. And whether the average ransom payment requested is $170K (World Economic Forum), $200K (National Security Institute, 2021), or $847K (Unit 42/Palo Alto Networks), the cost of MFA is minimal. If you need multifactor authentication to comply with your insurance carrier’s underwriting guidelines, Ashton can help.

MFA Isn’t The Only Measure To Consider

As you get ready to meet with your insurance broker, there are a few other items you’ll need to consider when trying to satisfy the underwriters:

  • removing local admin rights
  • securely controlling access to firewalls & switches
  • VPN controls for a remote workforce
  • modern endpoint security with managed threat response

Industry best practices would suggest that those items have already been attended to, cyber insurance or not.  If you’re concerned about the requirements for good cyber liability insurance, give Ashton a call at 216 397-4080 and we can make sure that you check ALL the boxes.