Meeting the Cyber Insurance MFA Mandate
Ryan Rowcliffe, Field CTO, HYPR
6 Min. Read | July 29, 2021
Most cyber insurers now require organizations to adopt multi-factor authentication. Here’s what you need to know about meeting cyber insurance MFA mandates.
Despite increased spending on cybersecurity — nearly $134 billion last year — data breaches cost companies an average of $4.45 million per incident, according to the Ponemon/IBM Security Cost of a Data Breach Report 2023. The number skyrockets for those in heavily regulated industries and those dealing with sensitive personally identifiable information (PII).
Obtaining cyber liability insurance has emerged as a key strategy for businesses to mitigate their losses and costs from cyberattacks. Colonial Pipeline has already filed a claim with its cyber insurance carrier for the $4.4 million ransom it paid to its attackers in May. PwC estimates the cyber insurance market will grow to $7.5 billion in the next decade as more companies consider it a necessary cost of doing business today.
This brisk growth, however, has not necessarily translated into profit for carriers. The scope and damage of recent attacks, such as the SolarWinds hack, have led to massive hits for cyber insurers. As a consequence, companies taking out or renewing policies can expect steep premium increases — as much as 50% according to an Aon PLC report. They also can expect most carriers to include a cyber insurance MFA requirement. Meeting this MFA insurance requirement isn’t just a “nice to have,” either — in most cases, it’s mandatory in order to qualify for or renew coverage.
What is Cyber Liability Insurance?
Cyber liability insurance, or just cyber insurance, covers a business’s liability in the event of a data breach or other cyber incident. These types of incidents are typically excluded from general liability and property policies, so organizations looking to protect their data and assets require either supplemental cyber coverage or a standalone cyber insurance policy.
Every cyber insurance policy is different, and some may differentiate coverage areas, but they commonly address costs associated with:
- Operational disruption
- Data loss or destruction
- Incident response and investigation
- Crisis management
- Ransomware payments or other extortion demands
- Legal expenses and defense
Some may also cover fines and penalties associated with GDPR, HIPAA, the NYDFS Cybersecurity Requirements, and other data privacy and security regulations. As previously mentioned, it’s not uncommon for cyber insurance policies to include MFA insurance requirements that new and existing policy holders must meet.
Understanding the Cyber Insurance MFA Requirement
Multi-factor authentication (MFA) has long been recommended by cyber insurers as a critical security control, given the inherent weakness of single-factor (i.e., password-only) authentication. Organizations renewing or purchasing policies, however, are finding that the recommendation has become a mandate. Providers did not demand MFA just a few years ago; most cyber insurers now require it, and within a few years all of them likely will.
MFA requires two or more verification methods from different categories before a user can access a system, device, or application. In its most basic form, this is the familiar password (a knowledge factor) plus one factor from a different category:
- Knowledge — Something you know, such as a password, a PIN, or the answer to a security question.
- Possession — Something you have, such as a smartphone, a hardware OTP token, or the one-time password such a device generates.
- Inherence — Something you are: biometric data such as a fingerprint, face, or voice.
Note that two factors from the same category (a password plus a security question, for example) do not count as MFA, and most insurers will not accept them as such.
MFA makes it much harder to compromise an account, because an attacker needs more than the username and password: they must also control the device used for authentication or impersonate the user’s biometrics, which makes the attack far more resource-intensive.
Why an MFA Insurance Requirement Now?
Until recently, businesses could obtain cyber insurance policies without jumping through many hoops. The growing demand for cyber liability insurance, the increasing number of claims and a spike in claim severity have prompted underwriters to scrutinize an organization’s security controls more closely. Lack of adequate cybersecurity measures may result in higher premiums or outright rejection.
The MFA insurance mandate is a smart move by carriers given that the U.S. cyber insurance market had an average combined loss ratio of 103% last year. And that was before the SolarWinds attack fallout. By requiring MFA, cyber insurers drastically cut their exposure. Verizon’s 2021 Data Breach Investigations Report found that credentials are the most commonly stolen data type and that 61% of breaches involved compromised credentials.
Credentials like passwords and other shared secrets are also the top entry vector for ransomware, which accounted for nearly half of cyber insurance claims last year. Multi-factor authentication makes it much more challenging for attackers to gain access to a system and unleash ransomware or other types of malware, hence the MFA insurance mandate.
What Stops Companies From Deploying MFA?
Security experts have been banging the multi-factor authentication drum for years. Cyber insurance providers now require it. So why haven’t more companies deployed MFA across their user base? Reasons include:
- Cost — This includes any hardware costs such as security keys as well as their rollout and ongoing management, including IT helpdesk costs when users get locked out or have other access issues.
- Productivity loss — Requiring employees to use an additional factor means it takes longer for them to get into the applications and systems they need to do their work. In the event of access issues, there is downtime and helpdesk drain until it can be resolved.
- Poor user experience — Workers and customers resist MFA adoption as it requires multiple steps to authenticate.
- The risk reduction is insufficient — MFA is not a silver bullet. Methods built on a code or approval the user can be tricked into handing over (SMS and app-generated one-time passwords, push approvals) can be circumvented by real-time phishing proxies, SIM swapping, man-in-the-middle (MitM) attacks, and other bypass techniques.
This is where new passwordless MFA technologies come in. Depending on the type of passwordless MFA solution deployed, there may be no hardware costs beyond the smartphones users already have, and login is easier and faster than even password-based authentication. More importantly, true passwordless technology, in which neither the user nor the service provider holds a shared or shareable secret, is far less vulnerable to these attacks.
Does Passwordless Authentication Meet Cyber Insurance MFA Obligations?
Simply put, passwordless authentication replaces the knowledge-based factor, the password, with something you possess or something you are. Passwordless MFA requires multiple such authentication factors, which aligns with MFA insurance mandates.
However, passwordless MFA solutions vary widely in their authentication approach and methods. Some still rely on some form of shared secret, which leaves them prone to the same attacks as standard MFA technologies. Others still require hardware security tokens, whose aforementioned costs and other downsides hinder MFA adoption. True passwordless MFA follows the authentication standards set by the FIDO Alliance. At registration, a public/private key pair is generated on the user’s device; the private key never leaves that device and is unlocked locally by the device’s biometric sensor or by a PIN that is checked on the device itself (a decentralized PIN). The service stores only the public key. To log in, the device signs a fresh challenge from the service, and the service verifies the signature with the stored public key. No secret is transmitted or shared, so there is nothing for a phishing site to relay, nothing to replay, and nothing of value to steal from a server-side credential database.
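The following is an added example, not code from HYPR or from the original article, illustrating the contrast drawn in the factor list above and in the description of FIDO-style authentication. The first part implements a shared-secret possession factor (RFC 6238 TOTP, which the server can only verify because it holds the same secret as the device). The second part is a deliberately simplified model of FIDO/WebAuthn challenge-response: the signed message is assumed to be SHA-256(rpID) || challenge, standing in for the real authenticatorData || SHA-256(clientDataJSON) layout, and the `Authenticator`, `Assert`, `Verify`, and the `bank.example` / `bank-login.example` origins are constructed names for the illustration. The biometric or PIN that unlocks the private key on the device is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ---------- 1. Shared-secret second factor: RFC 6238 TOTP ----------
// The device and the server hold the SAME secret. A copied server database or a
// code relayed in real time by a phishing proxy both defeat this factor.

// totp returns the 6-digit HMAC-SHA1 code for one 30-second time step
// (dynamic truncation as specified in RFC 4226).
func totp(secret []byte, step uint64) uint32 {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return code % 1000000
}

// verifyTOTP is the server-side check; note the server must know the secret.
func verifyTOTP(secret []byte, step uint64, code uint32) bool {
	return totp(secret, step) == code
}

// ---------- 2. FIDO-style challenge/response: no shared secret ----------
// Simplified model (assumption): the signature covers SHA-256(rpID) || challenge.

// Authenticator models the user's device. The private key never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// NewAuthenticator generates the per-account key pair at registration time.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only credential material the relying party stores.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// NewChallenge is issued fresh by the relying party for every login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage binds an assertion to one origin and one challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs for the origin the browser reports, not one the page script
// chooses, so a look-alike domain gets a signature the real site will reject.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(origin, challenge))
}

// Verify is the relying-party check against its own rpID and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, challenge), sig)
}

func main() {
	// TOTP: RFC 6238 test vector (secret "12345678901234567890", T=59 s -> step 1).
	secret := []byte("12345678901234567890")
	fmt.Printf("TOTP step 1 = %06d (expect 287082)\n", totp(secret, 1))

	auth, _ := NewAuthenticator()
	pub := auth.PublicKey()
	challenge, _ := NewChallenge()
	sig, _ := auth.Assert("bank.example", challenge)
	fmt.Println("genuine login verifies:", Verify(pub, "bank.example", challenge, sig))

	newChallenge, _ := NewChallenge() // old signature is stale against a fresh challenge
	fmt.Println("replayed assertion verifies:", Verify(pub, "bank.example", newChallenge, sig))

	phishSig, _ := auth.Assert("bank-login.example", challenge) // user lured to look-alike site
	fmt.Println("relayed phishing assertion verifies:", Verify(pub, "bank.example", challenge, phishSig))
}
```

The TOTP check passes as long as the attacker has either the secret or a current code, which is exactly what a real-time phishing proxy obtains. In the challenge-response model, the relayed signature fails because the origin is part of the signed message, and a captured signature fails against the next challenge; the stored public key is of no use to whoever steals the server database.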
Meet Cyber Insurance MFA Mandates Painlessly
HYPR makes it easy to deploy True Passwordless™ MFA in your organization and, equally important, get your users on board with it. Patented user-initiated login and a powerful FIDO-certified architecture deliver simple, fast login while stopping PUSH attacks and other types of phishing, credential stuffing, brute force, MitM, replay, and social engineering attacks.
To discover how HYPR helps you meet cyber insurance MFA requirements, talk to our experts.
Field CTO, HYPR
Ryan Rowcliffe is a technologist with over 20 years in the information technology industry. He has spent the last 7 years focused on Identity and Access Management, Multi-Factor Authentication and Passwordless MFA solutions. Ryan loves solving business problems with modern innovation mixed with known solutions.