Why insurers are requiring MFA for cyber insurance
Taking a look at cyber security insurance requirements and why insurers are now asking for MFA
We are currently seeing a trend in the marketplace for insurance providers to require multi-factor authentication (MFA) for cyber insurance coverage. Whilst cyber insurance has been around since the 1990s, the market is growing and changing to meet the demands of more and more data privacy regulations that need to be adhered to and the increase in cyber threats. The largest disclosed ransomware payout to date has been reported by Bloomberg to have been $40m in March 2021 by CNA Financial Corp.
In the last two years, there has been an increase in phishing and ransomware and cyber insurance companies understand that all businesses (both large and small) are targets for cybercriminals. It is no longer a case of IF your business will be targeted, but WHEN. With the increased threat, insurance vendors need to limit their own risk and reduce the amount of pay-outs to policy holders. As a result, the need to put MFA in place is becoming one of the standard cyber security insurance requirements.
Cybersecurity Ventures predicts global cybercrime costs will grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
What does cyber insurance cover?
Cyber insurance protects businesses from risks relating to the information technology infrastructure, which are normally excluded from traditional commercial insurance policies, and typically covers data breaches, extortion via ransomware, theft, malicious hacking and denial of service attacks. Most policies cover the business for costs of investigating a cybercrime, recovering data lost in a security breach, reputation management, etc., and can also cover third-party damages and settlements and legal costs involved in defending claims in the case of a breach of regulations, such as GDPR.
Why are insurers requiring MFA for cyber insurance?
For any business that sends or stores electronic data, cyber insurance does offer financial support in the case of a data breach. However,“cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack” (UK NCSC). Just like any home owner is expected to have adequate security in place to protect the contents of the home, cyber security insurers expect organisations to have some security in place to reduce the potential risk of a data breach. With the increasing numbers of phishing and ransomware attacks over the last couple of years and the increasing costs of resolving a data breach, cyber insurers are asking for a minimum of multi-factor authentication (MFA) as part of their cyber security insurance requirements.
“By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. Knowing or cracking the password won’t be enough to gain access.” Microsoft
What is MFA?
‘Authentication’ in technology terms is the act of verifying that a user is who they say they are. Typically, the user identity is verified by using a username and password.
The key problem with the use of passwords for identification is that they can be cracked easily, and once cracked, they can be made available to cyber criminals. If a password is the only form of defence, hackers are able to use your password to gain immediate access to your business applications and services in a matter of seconds or minutes. MFA (multi-factor authentication) provides additional layers of security, by way of different factors, which can be put in place to protect access to your systems and data.
What are MFA factors?
Multi-factor authentication is usually made up of at least two factors that are needed to gain access to your IT systems:
Factor 1 – Something you know (a Password/Pin/Security Question)
Factor 2 – Something you have (Hardware Token/One-time authentication code/SMS)
Factor 3 – Something you are (Biometrics – Fingerprint/Retina/Voice/Face)
Factor 4 – Somewhere you are – a known location (Home/Office).
In addition to the first two factors, you can also chose to use biometrics to identify the user, or limit access based on the location of the user logging in.
According to Google, even one of the weakest forms of two-factor authentication—two-step verification through SMS text messages—can stop 100% of all automated attacks, 96% of bulk phishing attacks, and three-quarters of targeted attacks.
Read more about:
What MFA controls need to be put in place for cyber insurance?
Many cyber insurance policies require the following specific MFA controls to be in place:
- MFA for remote networks – this reduces the potential for a network security breach caused by a compromised password. With the massive increase in remote-working due to Covid-19, this has gained particular prominence, and insurers are looking to make sure cloud access is secured.
- MFA for administrator access – given that your business solution admins hold the keys to your business, this aspect is of particular importance. MFA for administrator access limits an attacker’s ability to access a compromised network.
- MFA for remote email access – with so much information held in emails and distributed around your organisation, it is incredibly important to make sure that this access is protected.
MFA is a must-have with or without cyber insurance
The cyber-attack statistics speak for themselves – costs of cyber-attacks to businesses are growing, attacks are increasing (even for smaller companies) and platforms such as ransomware-as-a-service are making it ever easier for cyber criminals to launch an attack. In addition to business disruption, the increase in cyberattacks and data breaches can lead to regulatory fines, as well as reputational damage and loss of customers. Even if MFA were not a requirement from a cyber insurance perspective, it is still a must have if you are looking to protect your data and your business.
Category: Industry Research