Most cyber insurers now require organizations to adopt multi-factor authentication.
Despite increased spending on cybersecurity – nearly $134 billion last year – data breaches cost companies an average of $3.86 million per incident. The number skyrockets for those in heavily regulated industries and those dealing with sensitive personally identifiable information (PII).
Obtaining cyber liability insurance has emerged as a key strategy for businesses to mitigate their losses and costs from cyberattacks. Colonial Pipeline already filed a claim with its cyber insurance carrier for the $4.4 million ransom it paid to its attackers in May. PwC estimates the cyber insurance market will grow to $7.5 billion in the next decade as more companies consider it a necessary cost of doing business today.
This brisk growth, however, has not necessarily translated into profit for carriers. The scope and damage of recent attacks, such as the SolarWinds hack, have led to massive hits for cyber insurers. As a consequence, companies taking out or renewing policies can expect steep premium increases – as much as 50% according to an Aon PLC report. They also can expect most policies to require MFA to qualify for coverage.
Cyber liability insurance, or just cyber insurance, covers a business’s liability in the event of a data breach or other cyber incident. These types of incidents are typically excluded from general liability and property policies, so organizations looking to protect their data and assets require either supplemental cyber coverage or standalone cyber insurance.
Every cyber insurance policy is different, and some may differentiate coverage areas, but they commonly address costs associated with:
Multi-factor authentication (MFA) has long been recommended by cyber insurers as a critical security control given the inherent weakness of single factor (i.e., password) authentication methods. Organizations with plans to renew or purchase policies, however, are finding that recommendation has become a mandate.
MFA requires two or more verification methods for users to gain access to a system, device, or application. In its most basic form, this consists of the familiar password plus one of these additional verification methods:
MFA makes it much harder to compromise an account, since an attacker would need more than the username and password. They would also need to control the device used for authentication or impersonate the user’s biometrics – making an attack more resource-intensive for the bad actor.
Until recently, businesses could obtain cyber insurance policies without jumping through many hoops. The growing demand for cyber liability insurance, the increasing number of claims and a spike in claim severity have prompted underwriters to scrutinize an organization’s security controls more closely. Lack of adequate cybersecurity measures may result in higher premiums or outright rejection.
The MFA mandate is a smart move by carriers given that the U.S. cyber insurance market had an average combined loss ratio of 103% last year. And that was before the SolarWinds attack fallout. By requiring MFA, cyber insurers drastically cut their exposure. Verizon’s 2021 Data Breach Investigations Report found that credentials are the #1 data type stolen and that hacked credentials lead to 61% of all breaches.
Credentials like passwords and other shared secrets are also the top entry vector for ransomware, which accounted for nearly half of cyber insurance claims last year. MFA makes it much more challenging for attackers to gain access to a system and unleash ransomware or other types of malware.
Security experts have been banging the multi-factor authentication drum for years. Cyber insurance providers now require it. So why haven’t more companies deployed MFA across their user base? Reasons include:
This is where new passwordless MFA technologies come in. Depending on the type of passwordless MFA solution deployed, there may be no hardware costs beyond the smartphones users already have, and login is much easier and faster than even password-based authentication. More importantly, true passwordless technology – where neither the user nor the service provider possesses a shared or shareable secret – is far less vulnerable to attack.
Simply put, passwordless authentication replaces the knowledge-based factor, the password, with something you possess or something you are. Passwordless MFA requires multiple such authentication factors, which aligns with the MFA security control required by cyber insurers.
However, passwordless MFA solutions can vary widely in their authentication approach and methods. Some still utilize some form of shared secret, making them prone to the same vulnerabilities as standard MFA technologies. Others still require hardware security tokens, whose aforementioned costs and other downsides hinder MFA adoption. True passwordless MFA follows authentication standards set by the FIDO Alliance. Authentication takes place using the biometric sensor on the device, or a decentralized PIN, to unlock a public-private cryptographic key pair that is generated on the mobile device using asymmetric (public-key) cryptography. The secret remains with the user: the private key is never transmitted or shared.
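The FIDO-style exchange described above, as an added example that is not HYPR's code or any FIDO library: the device generates an Ed25519 key pair, shares only the public half at registration, and signs a fresh server challenge only after the on-device biometric or PIN check passes, while the service stores nothing an attacker could replay. The type and parameter names (Authenticator, RelyingParty, localFactorPassed) are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the user's device; the private key is generated here and never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty models the service for one user: only a public key and a one-time challenge are stored.
type RelyingParty struct {
	pub     ed25519.PublicKey
	pending []byte
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Register shares only the public key; the secret half stays on the device.
func (a *Authenticator) Register(rp *RelyingParty) { rp.pub = a.priv.Public().(ed25519.PublicKey) }

// Challenge issues a fresh random nonce that the device must sign to log in.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	rp.pending = make([]byte, 32)
	_, err := rand.Read(rp.pending)
	return rp.pending, err
}

// Sign produces the assertion only if the on-device biometric or PIN check (localFactorPassed) succeeded.
func (a *Authenticator) Sign(challenge []byte, localFactorPassed bool) ([]byte, error) {
	if !localFactorPassed {
		return nil, errors.New("authenticator locked: local factor not presented")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Verify checks the assertion with the stored public key and consumes the challenge, so it cannot be replayed.
func (rp *RelyingParty) Verify(sig []byte) bool {
	if rp.pub == nil || rp.pending == nil {
		return false
	}
	c := rp.pending
	rp.pending = nil
	return ed25519.Verify(rp.pub, c, sig)
}
```

A breach of the RelyingParty store yields only public keys and spent challenges, which is the property that removes credential stuffing and replay as attack paths.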
HYPR makes it easy to deploy True Passwordless™ MFA in your organization and, equally important, get your users on board with it. Patented user-initiated login and a powerful FIDO-certified architecture deliver simple, fast login while stopping PUSH attacks and other types of phishing, credential stuffing, brute force, MiTM, replay, and social engineering attacks.
To discover how HYPR helps you meet cyber insurance MFA requirements, talk to our experts.