For cyber insurance, it's MFA or the highway
The average commercial insurance client could drastically improve their ability to thwart ransomware by using multi-factor authentication.
If there is one acronym that agents and brokers selling cyber insurance need to familiarize themselves with right now, it is multi-factor authentication, or MFA.
This security control requires a user to present at least two independent verification factors (for example, a password plus a one-time code or hardware token) to gain access to an online account, a remote network or an application.
As of this writing, nearly all insurers are requiring, or will soon be requiring, MFA to be in place for remote access to all sensitive information in order to qualify for a cyber insurance policy, new or renewal.
Ransomware protection
While this represents a change in requirements from insurers and could mean an additional burden of process and cost to thousands of insureds, the path to implementing MFA is not as complicated or expensive as many would think.
In fact, in many cases, the software platforms currently in use by insureds already have an MFA component available for no extra cost.
For those that do not, it is possible to implement MFA for costs as low as $3 per employee per month. To put this into context, the average small- or midsize-business insured could drastically improve their ability to thwart ransomware attacks on their business by implementing MFA for less than the cost of the deductible on their cyber insurance policy. Additional setup and management costs may be involved if insureds engage a third party for assistance, but these costs pale in comparison to the risks of not taking this important risk management step.
While no single IT security process, patch or software acts as a silver bullet for preventing 100% of cyberattacks, insurers have identified MFA as being among the most effective risk management tools for preventing ransomware attacks. Research from both Microsoft and Google suggests that MFA can block over 99% of account compromise attacks. Thus, we are seeing this requirement from virtually every insurer.
Insurers that do not require MFA are utilizing scanning technologies and in-depth underwriting to determine whether insureds have compensating controls in place that make them insurable in today’s environment. They are also looking for additional foundations of cyber hygiene, such as Endpoint Detection and Response (EDR), solid backup procedures, and employee training that includes phishing simulations.
The challenge before us: reports suggest that only 57% of global businesses are currently using MFA. The bottom line is that in order to make cyber insurance available, insurers need to know that insureds are taking deliberate, meaningful steps to protect their systems.
Today, MFA is to cyber insurance what sprinkler systems are to commercial property insurance: a must-have.
Changing carrier appetites
Public Entity and Education are still among the most difficult classes for cyber coverage placement. If MFA is not in place, these renewals are generally not finding coverage.
The well-documented increase in frequency and severity of ransomware attacks is also leading to significant pull-backs on dependent business interruption coverage. Carriers that were once offering full policy limits with no questions asked are now diving deeper — both with respect to dependent providers that provide IT services, as well as dependent providers representing other parts of the supply chain.
There was a marked change in the cyber market after the May 2021 Colonial Pipeline attack. Underwriters are now seeking a better understanding of an insured’s exposure to single-source supply chain providers. This insurer trepidation was further exacerbated by the Kaseya ransomware attack that took place in the first week of July. That mode of attack is of particular concern because the attackers were able to turn a managed service provider, whose role is to protect its customers, into the channel that delivered ransomware to them.
Supplemental applications dedicated to this aggregate risk exposure are now being distributed on renewals, and it is not uncommon to see dependent business interruption excluded or significantly sub-limited when the exposure is deemed too great. In light of recent events, this will only increase.
Your clients’ next cyber insurance renewal won’t be anything like last year. As mentioned previously, your clients will need MFA in place for remote access to their systems.
And MFA is only the start.
Another interesting development on the horizon is the increased integration of specific cyber defense software as a requirement to qualify for insurance. This goes beyond simply requiring MFA. It is more like: “Download our cyber software suite if you want coverage from us.”
Many insurtechs that have entered the market over the last five years have moved the ball forward with respect to cyber intelligence and more sophisticated underwriting. But integration of specific cyber defense software will take things to the next level — moving beyond underwriting questions and scans into fully integrated software and insurance bundles. This has the potential to bring great promise, or great risk, if not done correctly.
It will be an interesting yet difficult journey.
Steve Robinson (steven_robinson@rpsins.com) is national cyber practice leader at Risk Placement Services.