Multi-Factor Authentication: A Key to Cyber Risk Insurance Coverage


Cyber-attacks are becoming more sophisticated and devastating, especially for small and medium enterprises (SMEs). With ransom demands rising and the cost of data breaches soaring, businesses are investing heavily in building their cyber defenses. However, cybersecurity is not bullet-proof. Buying a cyber risk insurance program can help outsource residual risk, and deploying multi-factor authentication is a prerequisite not only for getting coverage but also for lowering premiums.

Cyber-attacks are becoming an existential problem

Throughout 2021, public and private organizations felt the significant impact of an ever-changing cyber threat landscape, which ransomware dominated. The targeted nature of attacks, coupled with the growing sophistication of cybercriminals, resulted in extensive losses for organizations worldwide. The threat will keep growing as ransomware-as-a-service expands its scope and reach.

In the first six months of 2021, the U.S. Treasury Department’s Financial Crimes Enforcement Network reported that the value of ransomware-related suspicious activity was $590 million, compared to $421 million for the whole of 2020. Meanwhile, the United Kingdom’s National Cyber Security Centre (NCSC) reported that in just the first four months of 2021 it handled the same number of ransomware incidents as it did in all of 2020, which in turn was triple the number the NCSC faced in 2019.

According to the IBM 2021 Cost of a Data Breach Report, the average cost of a ransomware breach has risen to $4.62 million, while the total cost of a data breach increased by 10% from 2020 to 2021. Costs fall into four groups of activities associated with data breaches: detection and escalation, notification, lost business, and post-breach response. Lost business represents the largest share of breach costs (38%).

As cyber criminals mature and advance their tactics, small and medium businesses become the most vulnerable because they lack the capacity – staff, technology, budget – to build strong cyber defenses. SMEs can quickly become the low-hanging fruit for criminals who wish to reach larger enterprises through complex supply chains. Add the expanding regulatory landscape, with its extensive security and privacy requirements, and it is clear why cyber insurance coverage is an existential issue for small and medium enterprises.

Why should you get cyber insurance coverage?

As businesses become more and more digitized, they are exposed to greater cyber risks. Cyber insurance can mitigate the business impact when technology becomes unavailable because of a cyber incident. Investing in cybersecurity controls is essential, but those controls are not impenetrable. Cyber-attacks are a question of when, not if, so cyber insurance becomes crucial for ensuring business continuity.

Compliance is another critical reason for getting cyber insurance. Highly regulated industries such as healthcare and finance are no longer the only industries facing the risk of penalties for cyber security and privacy compliance failures. All companies are subject to state-specific data breach laws for collecting, processing, and storing personal data. Cyber insurance can help cover costs to comply with state, federal, and international laws, as well as cover regulatory fines and penalties.

Overall, having cyber insurance coverage is a demonstration of due diligence. With cybersecurity being a top priority for many executives, cyber risk insurance is top-of-mind for a diligent board.

What are the critical security requirements for securing cyber insurance?

When you contact a cyber insurer to discuss potential insurance coverage, they will first assess your current cybersecurity posture. If your posture is considered too risky, you will probably be denied coverage. Insurers want to help you mitigate the residual risk, but they also want to protect their investment.

During their assessments, they look for four critical security requirements, the lack of any one of which is a no-go for further discussions, says Nikos Georgopoulos, Cyber & Information Privacy Risks Insurance Advisor at Cromar. These four critical prerequisites are:

  1. Regularly back up critical data to an “offline” location that would be unaffected by a security incident in your business environment. Test to ensure those backups are recoverable.
  2. Use multi-factor authentication (MFA) for all your services and applications – cloud-based and on-premises – and for all your employees, not only the privileged accounts.
  3. Do not allow remote access to a corporate network without a virtual private network (VPN).
  4. Provide cybersecurity awareness training, including anti-phishing, regularly and at least annually to all individuals who have access to your organization’s network or to confidential/personal data.

The importance of multi-factor authentication

“MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised,” reads a joint CISA – FBI advisory.

In fact, multi-factor authentication is recommended or required by several regulations, including:

  • President Biden’s Executive Order on Improving the Nation’s Cybersecurity
  • Office of Management and Budget (OMB) Memorandum on Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
  • ENISA guidelines on Boosting your Organization’s Cyber Resilience

It is, therefore, no surprise that MFA is a prerequisite for getting cyber insurance. Even if a business has met all other requirements, it will have difficulty obtaining insurance if it has not deployed MFA. “No MFA, no cyber insurance,” notes Nikos Georgopoulos.

Cyber insurance is the tool that can help small and medium enterprises become cyber resilient. However, before even starting discussions with an insurer, it is important that businesses do their part and invest in basic cyber hygiene controls, including multi-factor authentication.
