Has Your Cyber Insurer Asked About MFA?
By Cristie Street
Business advisors have preached the merits of cyber-liability insurance for several years now, but usually with a soft-sell, “don’t you want a safety net” approach, appealing to the more risk-averse, compliance-driven and technically savvy among us. Still, small businesses in the U.S. are behind – some suggest way behind – in data security investments and cyber insurance coverage.
Chances are in 2022, a supplier, client or insurer will mandate that your business catch up by using multifactor authentication (MFA) solutions to protect identity and access to your systems. You probably use similar technology for your online banking today: logging in requires both a password you know and a second factor you physically have, like a one-time token, a fingerprint or a code sent to you via text. Not having MFA on at least your business email (think Google Workspace or Microsoft Office 365) and your remote access technologies (remote workers accessing files back at the office, I’m looking at you) means that other businesses may find your company too risky to be around.
Since the start of COVID-19, our managed IT services colleagues across the country have reported seeing this significant strategy shift in underwriting, and in the last six months we have seen the same scenarios play out in Southern Arizona. Previously, securing cyber insurance involved completing an underwriting questionnaire asking a few broad, even meaningless, IT questions. Then the applications got longer and asked better questions for more relevant underwriting. All in all, that was still a reasonable expectation given the maturation of the market and the ever-evolving data security threat landscape.
Then suddenly, facing huge ransomware-related losses and even larger forensic workloads, the insurance carriers began to mandate that minimum IT standards be in place before a business can be eligible for cyber insurance. The shift happened so quickly that one local law firm was caught in a vortex between the time it signed the binding policy agreement with a broker and the time it mailed in a check for the new cyber premium. The carrier thanked the firm for the payment, asked one additional question about its multifactor authentication strategy, and promptly canceled the policy, leaving it unexpectedly operating without a safety net and scrambling to institute additional MFA security technology to reinstate coverage.
The good news is MFA really works and the results will fortify the security posture and strengthen the business continuity plan of a significant sector of our economy. While the transition may be bumpy, as users sacrifice convenience in the name of security, it is good to see carriers championing the identity protection efforts of IT gurus everywhere in the same way that doctors and health insurers approach smoking risks.
Don’t delay your efforts to conquer this MFA requirement, even if your insurer has not brought it up yet. Selecting and implementing multifactor authentication depends on the system you are protecting: it can be as simple as marking a checkbox, or it can take a little more effort to find a solution that protects many systems at once. In all cases, the return on investment is well worth the effort. The business you save could be your own.
Five Cybersecurity Facts & Actions:
- Multifactor authentication is the de facto minimum
- Insurers can deny you coverage if your IT is lacking
- Your risk is shared with clients, suppliers and partners
- Make new friends: find attorney, insurance, forensics and IT advisors
- Create a culture of security