Why MFA is becoming an essential requirement to receive Cyber Insurance
In today’s hyperconnected world, the need for comprehensive cyber insurance has never been greater. Since its introduction in 1995, cyber insurance has evolved significantly to keep pace with the rapidly changing landscape of cyber-attacks and cybercrime.
As technology has spread, the costs associated with cybercrime have grown enormously, exceeding $6 trillion in 2022. As a result, many insurance providers have either withdrawn from the cyber insurance market or raised their premiums accordingly, with some increases of up to 600% in recent years.
To counter these challenges, insurance providers now insist that companies actively minimise the probability of a successful cyber-attack before they are eligible for cover. By requiring robust risk assessment, proven security controls and partnerships with cybersecurity experts, insurers aim to reduce the likelihood of a successful attack on the companies they insure, and thus the payouts they may have to make.
In the UK, many insurers now demand at a minimum that a company meets the Cyber Essentials Plus standard for passwords where passwords are still used, and most will expect some form of MFA (Multi-Factor Authentication) before offering any type of cyber insurance. Several of the larger US-based insurers mandate that companies implement cryptographic, phishing-resistant MFA to obtain any cyber cover at all.
Where passwords are still used, Cyber Essentials requires a minimum length of at least 12 characters, or at least 8 characters combined with a deny list that automatically blocks common passwords, and encourages users to choose passphrases of three or more random words to increase password length; ‘HouseGreenAfrica’ is an example. Tools such as Intercede’s MyID PSM (Password Security Management) implement the deny-list control by comparing passwords in real time against a large database of known compromised credentials and forcing users to change a password as soon as it is known to have been breached.
Cyber Essentials recommends a rollout of MFA across the whole company. MFA is a security measure that provides an additional layer of protection when accessing a company’s online accounts and systems.
So, how does MFA work?
It’s quite simple. MFA uses the principle of “something you know, something you are, something you have” to verify your identity. Instead of entering only a password, you must present at least two factors of different kinds to gain access to your accounts, chosen from:
- Something you know: This refers to the knowledge-based factor, like a password, passphrase or a PIN.
- Something you are: This refers to the biometric factor, such as a fingerprint or facial recognition.
- Something you have: This refers to the possession-based factor, like a physical smart card, USB token or a mobile device.
By incorporating MFA into your cybersecurity strategy, you significantly strengthen your defence against unauthorised access, reduce the risk of falling victim to cyber-attacks and lower your perceived risk in the eyes of insurers. Even if an attacker manages to steal your knowledge factor, they still need the additional factor to get into your accounts.
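As an added illustration of the possession factor (this is example code, not code from the original article or from Intercede’s products), the Go program below implements the time-based one-time code that a mobile authenticator app generates (RFC 6238 TOTP built on RFC 4226 HOTP) together with the server-side check that accepts each code only once, within a small clock-drift window. The shared secret is the published RFC test-vector seed, constructed for the demo rather than a real enrolment, and the names hotp, totp, totpVerifier and newTOTPVerifier are this example’s own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// hotp returns the RFC 4226 one-time code for a shared secret and counter:
// HMAC-SHA1 over the big-endian counter, dynamic truncation, then the low
// `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is the number of whole time steps since the Unix epoch.
func totp(secret []byte, at time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// totpVerifier is the server side. It tolerates `skew` steps of clock drift and
// remembers the highest counter it has accepted, so a captured code cannot be replayed.
type totpVerifier struct {
	secret   []byte
	step     time.Duration
	digits   int
	skew     int64
	lastUsed int64 // highest counter accepted so far; -1 means none yet
}

func newTOTPVerifier(secret []byte) *totpVerifier {
	return &totpVerifier{secret: secret, step: 30 * time.Second, digits: 6, skew: 1, lastUsed: -1}
}

// Verify accepts a code at most once, within the drift window, using a constant-time compare.
func (v *totpVerifier) Verify(code string, now time.Time) bool {
	if len(code) != v.digits {
		return false
	}
	if _, err := strconv.Atoi(code); err != nil {
		return false
	}
	cur := now.Unix() / int64(v.step/time.Second)
	for d := -v.skew; d <= v.skew; d++ {
		c := cur + d
		if c <= v.lastUsed {
			continue // this step, or an older one, has already been consumed
		}
		want := hotp(v.secret, uint64(c), v.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (the RFC 6238 test-vector seed), not a real enrolment.
	secret := []byte("12345678901234567890")
	now := time.Now()
	code := totp(secret, now, 30*time.Second, 6)
	v := newTOTPVerifier(secret)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

Note what the server actually checks: a six-digit string that is equally valid whoever types it in. The device holding the secret is the second factor, but the code itself is a bearer value, which is why a phishing page that relays it to the real site within the same thirty-second step can still log in. That gap is what phishing-resistant MFA is designed to close.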
However, some larger insurers insist that companies implement phishing-resistant MFA following FIPS 201 guidelines. Phishing-resistant MFA is an authentication method in which the user’s secret is a cryptographic key that never leaves a smart card or security key, and the response it produces is bound to the genuine service, so a look-alike site cannot capture a password or one-time code and replay it. It still requires more than one factor (for example the card or key plus a PIN), making it extremely difficult for cybercriminals to gain unauthorised access.
Following FIPS 201 guidance and implementing Public Key Infrastructure (PKI) or FIDO (Fast Identity Online) protocols, which use digital key pairs rather than shared passwords to verify the identity of users, can significantly reduce the chance of falling victim to a cyber-attack. That reduced risk is very attractive to insurers and translates into much lower premiums when your organisation seeks cyber insurance.
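To show why a FIDO-style credential resists phishing where a relayed one-time code does not, here is an added Go example (not Intercede’s code, and not taken from any FIDO or WebAuthn implementation): a simplified authenticator holding a per-site ECDSA P-256 key pair, a relying party that issues single-use challenges, and four login attempts run against it. The hostnames login.example.com and login.examp1e.com, the relying-party ID derived from each origin, and the names authenticator, relyingParty and RunScenarios are constructed for the demo; clientData is a cut-down version of WebAuthn’s CollectedClientData.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)
// clientData is a cut-down WebAuthn CollectedClientData. The browser, not the page, fills in
// the origin, and the authenticator signs the SHA-256 of this JSON, so the origin is covered.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// authenticator keeps one key pair per relying-party ID (the domain derived from the origin).
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = key
	return &key.PublicKey
}
func (a *authenticator) sign(rpID string, cd clientData) (cdJSON, sig []byte, err error) {
	key, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no credential registered for " + rpID)
	}
	cdJSON, _ = json.Marshal(cd) // cannot fail for this struct
	digest := sha256.Sum256(cdJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return cdJSON, sig, err
}
// relyingParty issues single-use challenges and checks the origin before the signature.
type relyingParty struct {
	origin     string
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

func (rp *relyingParty) newChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(buf)
	rp.challenges[c] = true
	return c
}
func (rp *relyingParty) verify(cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %s", cd.Origin)
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.challenges, cd.Challenge) // each challenge is accepted once, so no replay
	digest := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
// RunScenarios reports, per scenario, whether the relying party accepted the login (demo hostnames).
func RunScenarios() map[string]bool {
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &relyingParty{origin: "https://login.example.com", challenges: map[string]bool{}}
	rp.pub = auth.register("example.com")
	out := map[string]bool{}
	// 1. Genuine login from the real origin.
	ch := rp.newChallenge()
	cdJSON, sig, _ := auth.sign("example.com", clientData{ch, rp.origin})
	out["legitimate"] = rp.verify(cdJSON, sig) == nil
	// 2. The same assertion presented again: its challenge has already been consumed.
	out["replay"] = rp.verify(cdJSON, sig) == nil
	// 3. A phishing proxy relays a real challenge to a look-alike page. The browser derives
	//    the rpID from that page, so the authenticator has no credential and refuses to sign.
	ch = rp.newChallenge()
	_, _, err := auth.sign("examp1e.com", clientData{ch, "https://login.examp1e.com"})
	out["phishing_origin"] = err == nil
	// 4. Even if the real key were used, the signed client data names the phishing origin
	//    and the relying party rejects it before it looks at the signature.
	cdJSON, sig, _ = auth.sign("example.com", clientData{ch, "https://login.examp1e.com"})
	out["forged_origin"] = rp.verify(cdJSON, sig) == nil
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

The property that matters to an insurer’s threat model is visible in scenarios 3 and 4: the user cannot be tricked into producing a response that is valid for the real site from a look-alike site, because the browser rather than the page writes the origin into the signed data, and the authenticator only holds a key for the genuine domain. A PIV smart-card login over TLS client-certificate authentication gets the same protection by a different route, since the card signs the TLS handshake itself rather than producing a reusable code.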
It is best to work with a company such as Intercede when looking to comply with Cyber Essentials or to implement phishing-resistant MFA. Intercede is the only company that can take you on the journey from passwords to PKI: from password compliance with our Password Security Manager, through basic MFA, all the way up to a phishing-resistant PKI-based MFA solution using YubiKeys or smart cards.
Get in touch today to arrange a demo of our MyID family of products and see how we can help you meet the requirements being set by cyber insurance providers and make sure you are not the next victim of a data breach.
Trusted by Governments and Enterprises Worldwide
Where protecting systems and information really matters, you will find Intercede. Whether it’s citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.