There are many variations of the following old saying, but my favorite is: if it happens once, it’s happenstance; if it happens twice, it’s a pattern; if it happens three times, it’s a trend. If that’s the case, we’re noticing a new trend regarding cyber-liability insurance.
We’ve received several inquiries from clients during their cyber-liability insurance application or renewal process. Carriers are now explicitly asking if Multi-Factor Authentication (MFA) is in place. We’ve been talking about the importance of MFA to clients for a while, including in this 2020 blog article where we discussed Microsoft’s claim that your account is more than 99.9% less likely to be compromised if you enabled MFA. Now it seems that failure to take this precaution not only leaves you less secure, but will also hit you in the wallet, as insurance rates will be higher if MFA is not in place.
The most common resistance to MFA we hear is a lack of convenience: that needing to verify a login attempt via an MFA platform slows the user down. However, a momentary inconvenience during login is infinitely less of a hassle than a cybersecurity event, and insurance carriers are now enforcing MFA usage because they are the ones bearing the brunt of the related recovery expenses. Choosing to avoid basic protections will require paying higher premiums.
At least, we hope that’s the outcome. Our fear is that some will opt to cancel renewals or applications rather than implement the recommended MFA solution. We’ve previously highlighted that cyber-liability insurance is a critical component of the Recovery Function of the NIST Cybersecurity Framework. Ask questions, accept answers, and implement controls to best protect your business.