Published: Saturday, 16 July 2022
A critical cyber control
Why MFA is now a 'must-have' in your cyber arsenal
Cyber claims are multiplying
Over the last twelve to eighteen months the cyber insurance market has seen the cyber risk landscape evolve, with many new threats emerging. This has brought a significant number of new claims, in terms of both frequency and severity, and as a consequence insurers have reviewed their underwriting criteria in order for this specialist insurance to remain sustainable in the long term.
As with any type of insurance, an underwriter will look for evidence of robust risk management with effective processes and procedures being in place. Cyber insurance is certainly no exception to this and is perhaps even more relevant as businesses now have a huge dependency on technology. Should this online activity be impacted in any way, it will have considerable implications on the running of the business and the servicing of its clients.
The cyber insurance market has recently identified a number of areas where they are seeing recurring claims appear, due to certain processes and procedures not being in place. One of these is the absence of Multifactor Authentication (MFA) and this is now considered to be one of the key controls in managing cyber risk, particularly in the prevention of ransomware attacks.
What is MFA and when should it be used?
MFA represents an additional layer of security for individuals who log onto a computer network and is the use of two or more authentication factors (e.g. password, passphrase or access code). Upon verification of the user’s identity, access is then granted to the computer system. There are three principal areas of access where insurers will look for evidence that MFA is in place:
- MFA for Remote Network Access
- MFA for Administrative Access
- MFA for Remote Access to E-Mail
Without MFA being in place a hacker could gain access to a computer system and also have the same privileges as a recognised user. The hacker could then move through the network with the intention of exploiting software vulnerabilities, which could lead to a cyber extortion event or the stealing of sensitive data.
Lack of MFA may affect your cyber renewal
If MFA is not yet in place, it is important that this is implemented as soon as possible, otherwise it may not be possible to renew your cyber insurance policy. We would recommend that this is carried out at least 60 days in advance of your renewal date, as this will provide insurers with notice of this being in place and time to raise any questions or request clarification on usage of MFA.
We are also seeing insurers request other mandatory controls to be put in place relating to the security of back-ups, e-mail filtering and endpoint detection & response. We do expect that these requests from insurers will become increasingly widespread in the coming months. As part of an IT security programme, it would be beneficial to also see these in place to bolster cyber resilience and reduce the likelihood of cyber attacks impacting your business.
Cyber Insurance Consultant, Ntegrity