Why MFA has Become Mandatory for Cyber Liability Coverage
Two is often better than one – and that’s definitely the case when it comes to authentication methods. Although multi-factor authentication (MFA) – sometimes known as two-factor authentication (2FA) – isn’t a new concept, it’s made headlines in recent months as cyber insurers have begun requiring prospective clients to implement MFA to receive coverage.
Businesses used to be able to obtain cyber liability insurance without having to answer many questions about their security practices. Increasingly severe cyberattacks and the ballooning costs associated with ransomware attacks have since led insurers to scrutinize more carefully the solutions and strategies prospective clients have in place to prevent security incidents, according to the Euclid Specialty blog post “Multi-factor Authentication is Now Required to Secure Cyber Insurance.”
If you don’t already have MFA in place, here’s what you should know about the solution and why it’s become a prerequisite for cyber liability coverage.
How Multi-Factor Authentication Works
MFA requires two or more kinds of credentials to verify someone’s identity and grant access to an account, according to the National Institute of Standards and Technology (NIST). Generally, to maximize security, the authentication methods must come from at least two different categories out of these three:
- Information you know (e.g., a password)
- An inherent/biological trait (e.g., your fingerprint)
- Something you possess (e.g., a card you can scan)
For instance, an application with MFA might require you to input a numeric code generated by an authentication app on your smartphone after inputting your password. This provides an extra layer of security: a cybercriminal who steals your password still needs the second factor to get into your account.
Why Insurance Providers Have Started Requiring Multi-Factor Authentication and Other Security Solutions
Passwords alone aren’t enough to prevent breaches and protect sensitive data. Even if you craft strong passwords, cybercriminals have plenty of strategies – such as phishing, extortion, and keystroke logging – for stealing your login info, according to the Microsoft Tech Community post “Your Pa$$word doesn’t matter” by Alex Weinert, the director of Identity Security at Microsoft.
“Your password doesn’t matter, but MFA does!” Weinert wrote in the post. “Based on our studies, your account is more than 99.9 percent less likely to be compromised if you use MFA.”
Verizon’s 2021 Data Breach Investigations Report confirms the precarity of passwords as a security measure: Credentials are one of the most commonly compromised types of information and are involved in 61 percent of data breaches. Since password theft is relatively common, it makes sense to implement additional authentication methods to make it harder to hack into your accounts.
Research shows that MFA is incredibly effective at combating cyberattacks. Two-step verification involving an SMS code sent to a phone number stopped 76 percent of targeted attacks, 96 percent of bulk phishing attacks, and 100 percent of automated bots, according to the Google Security Blog entry “New research: How effective is basic account hygiene at preventing hijacking.” 2FA in the form of on-device prompts performed even better, blocking 90 percent of targeted attacks, 99 percent of bulk phishing attempts, and 100 percent of automated bots.
Cyber liability insurance providers have decided to make this highly effective security measure mandatory as the financial damages associated with data breaches and cyberattacks become increasingly severe. The average total cost of a data breach worldwide grew from $3.86 million in 2020 to $4.24 million in 2021, according to IBM’s 2021 Cost of a Data Breach Report.
At the same time, bad actors have launched ransomware attacks at high rates: Average weekly ransomware activity was 10.7 times higher in June 2021 than it was one year prior, according to the August 2021 Global Threat Landscape Report from Fortinet. The average ransom payment also reached $220,298 in the first quarter of 2021, up 43 percent from the fourth quarter of 2020, according to Coveware.
As a result, it’s now standard for insurers to ask numerous questions about cybersecurity measures before taking on clients. Our clients have come to us for assistance with cyber liability insurance applications that ask not only about MFA but also about other factors like encryption, vulnerability management, and employee security awareness training. It seems safe to say that insurers will continue to raise their standards as cybercrime continues to advance and the associated costs keep climbing.