This article was produced in partnership with Amwins.
Bethan Moorcraft, of Insurance Business, sat down with Megan North, EVP, and Dave Lewison, EVP, at Amwins, to discuss multi-factor authentication, a critical cybersecurity tool.
Multi-factor authentication (MFA) has become standard practice for organizations looking to secure their corporate networks and minimize the risk of cyberattacks. Over the past two-years, as cyber insurers have grappled with significant increases in frequency and severity of losses, mostly related to ransomware, MFA has quickly become a minimum standard requirement for companies to be considered for cyber insurance coverage.
MFA requires the user to provide two or more verification methods to gain access to a resource such as an application, an online account, a corporate network, or a VPN. Standard authentication combinations include a password and a fingerprint, or a password and a verification code that is sent to the user’s cell phone.
“It has been proven time and time again that it’s very difficult for threat actors to commandeer both access tools. That’s why insurance carriers lean so heavily on MFA as a precaution, because it has proven to drastically reduce the risk of infiltration into an insured’s network,” said Megan North (pictured), executive vice president at Amwins.
MFA is generally inexpensive – often free – to implement. Most email providers, for example, make MFA available at no additional cost; businesses simply have to know and be willing to enable it. Also, many cyber insurers are now partnering with vendors and providing discounted or value-added resources with policies to help insureds of all sizes with the implementation of MFA. This risk mitigation work is happening pre- and post-bind, depending on the individual carriers and their cyber insurance strategies.
“One thing that we’re seeing is that insurance carriers, network security providers, the whole cyber community is recognizing that a collaborative approach is probably best for all,” North told Insurance Business. “The stronger we can make those entities with weaker cybersecurity, the more resilient we are as a whole. So, we are seeing a lot more collaboration across the supply chain from insurance carriers to security vendors, brokers, and insureds. It’s a more holistic effort, and we’re all benefiting from it.”
While MFA is now considered a core security control, it does come with its challenges. Many businesses in the United States are still operating on piecemeal tech stacks after rapid SaaS adoption during the COVID-19 pandemic. Remote work has increased the number of endpoints (connected devices like desktops, laptops, and smartphones) for threat actors to infiltrate and exploit, and this environment has exacerbated the complexity and the cost of MFA implementation.
Not all companies get it right. A large US insurer recently took an electronics manufacturing services company to court for allegedly misrepresenting its use of MFA, which the insurer required to provide cyber coverage. The insured fell victim to a ransomware attack, and upon investigation, the insurer found that the company was not using MFA to the extent promised in their cyber policy application, which was signed by the CEO and head of IT security. As a result, the insurer tried to rescind coverage and any responsibility for paying losses, costs, or claims.
This relates to some shortfalls in the cyber application process, and a lack of clarity in the early days around what underwriters wanted to know about prospective insureds’ use of MFA, according to Dave Lewison (pictured below), executive vice president and national professional lines practice leader at Amwins. For example, if an insured had MFA enabled for one aspect of their business, such as email, they could respond ‘Yes’ to the underwriter question ‘Do you have MFA?’ even if the rest of their operations were unprotected.
“There’s also a potential issue around whether the person filling out and signing the cyber policy application actually knows how to answer that question – ‘Do you have MFA?’ – correctly. Insurers will typically ask for an executive officer of the insured to warrant that everything in the application is true to the best of their knowledge, but there have been situations where people knowingly or unknowingly misrepresent their use of MFA,” Lewison explained.
As a result, some cyber insurers have introduced stricter warranty language, forcing executives to do their due diligence internally to ensure that the application they’re signing is true and accurate. But that also brings to light the issue of timing, said North, and the fact that a warranty statement in a cyber policy application is “simply a snapshot in time” in what is a very fluid and ever-changing cyber risk landscape.
“The warranty statement represents where the client stands at that one point in time, but we all know that cyber risk is constantly evolving, and many companies have been forced to adapt quickly to remote work and new cyber threats,” said North. “Those two words – quick and secure – don’t typically go well together. You could have a situation where the application was true and accurate at the time of signing, but then the company grows mid policy-term, or they make an acquisition and they need some time to get their acquired company up to speed on their cybersecurity.”
In this complex landscape, both North and Lewison encourage retail agents to work with cyber specialists who can provide technical consultation, market access, expert advice, resources, and partnership. North said specialist brokers can help retailers with their messaging around cyber risk and the market’s posture, they can provide assistance with cyber risk mitigation, and they can present companies as a more palatable risk in the challenging marketplace. Lewison summarized: “Working with a specialist is critical. People shouldn’t feel helpless. If they raise their hands, there are cyber specialists ready and willing to help.”