Multi-Factor Authentication: A Requirement for Cyber Insurance
Cybercrimes have become a serious issue. In 2022, the average cost of a ransomware breach is $4.26 million, and depending on the industry, this number may be higher (healthcare and finance in particular). Because of this, companies today are facing a more rigorous cyber insurance underwriting process, with a high level of scrutiny on security controls and internal processes and procedures around cyber risk.
To qualify for cyber insurance coverage now, many insurance agencies are requiring multi-factor authentication. Because MFA can prevent 90% of cyberattacks, it becomes clear why it is a requirement today.
PortalGuard is a great choice for MFA that fulfills cyber insurance requirements. It offers flexible authentication options and consolidates your current solutions under a single set of policies for your remote and on-premises users.
What is Cyber Insurance?
Today, no company is immune to cybercrime, no matter its size or industry. Companies need to implement strategies that prevent cyberattacks while also mitigating the losses and damages from attacks, which leads to the discussion of cyber insurance.
Cyber insurance helps companies mitigate losses from a variety of cyber incidents, from data breaches involving personal information to network damage. However, cyber insurance does not protect against cyberattacks; instead, it helps before, during, and after the event. Cyber insurers help organizations with the financial fallout of these attacks, so when one happens, organizations do not have to worry about the high cost.
The Cyber Insurance Landscape
How do cyber insurers determine how much risk an organization has? Well, cyber insurers analyze data and cybersecurity risk, but this process has become more complicated. With employees working remotely, ransomware attacks continue to escalate in frequency and severity, affecting all industries, especially health care, manufacturing, educational institutions, and public entities. This has ultimately led to a boom in the cyber insurance market, increasing the demand for cyber re/insurance coverage due to heightened awareness of cyber risks. In fact, we have already seen cyber insurance prices increase by 35% in 2021 — the largest increase since 2015. The cyber insurance market is rapidly evolving, and companies are now facing higher premiums, regulatory changes, and new difficulties in the renewal process.
Similar to health insurance, cyber insurance is only provided based on qualification requirements, much as health insurance providers may revoke coverage based on pre-existing conditions. With how quickly the cybersecurity dynamic has changed, there are stricter qualification requirements. For example, implementing stronger solutions like multi-factor authentication (MFA) and Identity-Bound Biometrics (IBB) can greatly reduce cyber risk, qualifying those organizations for cyber insurance.
Insurers realize that organizations that don’t use security controls like MFA and IBB are at a substantially increased risk of attacks. Now, insurers are requiring customers to implement those security solutions, and are increasing premiums for those who don’t implement those solutions.
Why Invest in Cyber Insurance?
Cyber insurance is becoming as important to businesses as health insurance is to individuals. Some businesses, specifically smaller ones, are reluctant to invest in cyber insurance and improve their security protocols. Even if you think your company is too small, no business can afford to not have cyber insurance today.
When a cyberattack takes place, your company will be faced with the decision to pay the ransom to decrypt your files or not to pay. If your company is not insured, you most likely will not be able to pay the ransom. If you can, the amount will be astronomical, with a long-term financial impact.
It’s no longer safe for companies to pass on cyber insurance – even if there’s a strong recovery plan in place. Having cyber insurance can help your chances of recovering critical data and protect your organization’s reputation.
What Do You Need to Be Covered by Cyber Insurance?
Every company is at risk of being a victim of cybercrime, but the risk for each company differs. Some are at a higher level than others. Some organizations may have MFA or zero trust deployed in their organization while others are still relying on the basic username and password. Additionally, your industry plays a large role in the chance of being a victim. Evaluate your risk of being a victim of a cyber-attack.
The changes in the cyber insurance market, however, are not limited to just price increases and coverage restrictions. Cyber liability underwriting requirements have become more stringent and insurers have now started requesting additional information on security and process controls they expect companies to have implemented to protect themselves from a cyberattack. Here’s an example from Woodruff Sawyer (see the table below).
Here are other notes to keep in mind.
You should check your organization’s policies and pay attention to what happens in a ransomware attack. When you are renewing cyber insurance, you should look at the requirements the insurer has. Companies that had insurance prior to or during the pandemic need to see if they are currently complying with the suggested security protocols. Companies may get a warning to change their protocols by the following year.
However, these updates and protocol changes are not quick, overnight changes. Organizations need to have a project plan to make these changes.
Companies should review the details of potential policies and make sure the terms and requirements meet their needs. Pay special attention to the recovery response requirements and data backup requirements, as well as the requirements for receiving payment on claims when a breach occurs. Collecting insurance after a breach can be challenging and organizations have to prove the impact of a breach meets the requirements around expected security controls. Again, it’s like health insurance where patients have to prove they meet the qualifications for treatment and if they can’t, they have to pay out of pocket.
Cyber insurers demand proof that the incident falls under their policies and it’s something that can be covered.
Don’t Stop at Cyber Insurance – It’s Only One Piece of the Puzzle.
Once organizations understand their risks, they can implement effective security measures like MFA. Organizations tend to stop at cyber insurance, thinking it’s the end-all, be-all strategy. However, organizations should implement stronger security solutions now, before insurers require them to implement the protocols. What if your organization faces a cyberattack before signing up for cyber insurance? Companies need to be proactive to reduce their chances of being attacked.
- Multi-factor Authentication
- Contextual (Adaptive) Authentication
- Education, specifically training employees on cyber risks.
MFA enhances security by requiring that users authenticate themselves by more than a simple username and password. As part of any comprehensive MFA strategy, Identity-Bound Biometrics should also be included as the only way to positively identify an individual, not just a token, device, or phone. Identity-Bound Biometrics are connected to a person’s digital identity, rather than authenticating the presence of their device which can be easily compromised and open to unauthorized access. It leverages biometric authentication methods, such as fingerprint, palm, or facial recognition to go beyond traditional forms of MFA and confirm only authorized users are the ones gaining access.
In addition to MFA, companies should also consider contextual authentication to strengthen security while improving the login experience for users. Contextual authentication takes factors surrounding a user’s login (location, time, IP address, etc.) into consideration to assess the level of risk associated with the login request. A login request can be completely blocked if it is too risky, while at the same time removing additional authentication requirements if the user’s context is low risk.
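The contextual decision described above, as an added example (not PortalGuard's or any vendor's code): each login is scored against a per-user baseline of location, time and IP address, then blocked, challenged with MFA, or allowed without the extra factor. The `UserBaseline` fields, the weights and the thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class UserBaseline:           # hypothetical profile built from a user's past logins
    networks: tuple           # CIDR ranges the user normally logs in from
    countries: frozenset      # country codes seen before
    hours: range              # usual local login hours


@dataclass
class Login:
    ip: str
    country: str              # assumed to come from an upstream GeoIP lookup
    hour: int                 # local hour of day, 0-23


# Illustrative weights and thresholds (assumptions); tune from real login data.
WEIGHTS = {"ip": 30, "country": 50, "hour": 20}
BLOCK_AT = 80                 # at or above this score the request is refused
PASSWORD_ONLY_BELOW = 20      # below this score the extra factor is skipped


def risk_score(login: Login, base: UserBaseline) -> int:
    """Add a weight for every context signal that deviates from the baseline."""
    score = 0
    addr = ip_address(login.ip)
    if not any(addr in ip_network(net) for net in base.networks):
        score += WEIGHTS["ip"]
    if login.country not in base.countries:
        score += WEIGHTS["country"]
    if login.hour not in base.hours:
        score += WEIGHTS["hour"]
    return score


def decide(login: Login, base: UserBaseline) -> str:
    """Map the score to one of: 'allow', 'require_mfa', 'block'."""
    score = risk_score(login, base)
    if score >= BLOCK_AT:
        return "block"
    if score < PASSWORD_ONLY_BELOW:
        return "allow"        # low-risk context: no additional factor
    return "require_mfa"      # default: anything not clearly low risk gets MFA


# Constructed sample baseline (documentation address range, not real data).
BASE = UserBaseline(("203.0.113.0/24",), frozenset({"US"}), range(7, 20))
```

Source IP and geolocation can be influenced by the client (VPNs, proxies), so the password-only path should stay narrow and every decision should be logged with its score.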
When it comes to security and protecting the organization, people are often the weakest link and seen by attackers as the greatest vulnerability of a company, making for an easy target. Many times, security controls that are implemented are not adopted by users, who work hard to circumvent controls. It is imperative to not only enhance security but also train employees on best practices and the “why” behind any security controls. Teaching your staff the basics of cyber risk can prevent security breaches.
Today, cyberattacks are becoming inevitable. If companies do not assess their risk, invest in cyber insurance, and implement stronger security measures, they will face major ramifications when an attack occurs. Companies should be proactive in addressing their cybersecurity risk, doing due diligence in checking cyber insurance policies and requirements and updating their security protocols before they are required to. Well-prepared organizations take action both to prevent attacks and to mitigate the damage when attacks inevitably occur.