The Link Between Multi-Factor Authentication and Cyber Insurance

Over the past two years, insurance companies that offer Cyber Liability insurance coverage have started requiring policyholders to use Multi-Factor Authentication (MFA) when logging into a network remotely or when accessing email remotely.

The purpose of MFA is to verify that the user who is logging in is truly who they say they are.

When one logs into a remote computer, software, website, or remote email system, they use a unique user ID and password that is specific to that individual.  MFA adds a separate step to the process, in which the user enters a unique code or other identifier that verifies them.

Why have this second step in the process?  Wouldn’t a complex password be sufficient?  In short, NO.  Passwords can be easily compromised.  Studies have shown that users often choose simplified passwords like “Password1”, reuse passwords on multiple sites, or build passwords from common, predictable patterns.

Consider what a hacker can access via a Google account.  One Google user ID and password grants access to all the Google services that person uses, such as Gmail, Google Photos, Google Docs, Google Drive, and their YouTube account.  In addition, Google allows third-party providers to accept a Google ID and password as a login to their own services.  For example, Salesforce allows users to log into its services with their Google account.  Google has said that hackers steal almost 250,000 user IDs and passwords a week.

Google’s own research has shown that even a basic MFA program can help prevent or reduce a variety of attack types, such as bulk phishing attacks and targeted attacks.

MFA relies on two separate factors.  The first is a username and password, which became commonplace years ago.  The other factor could be:

Something a user has, such as a mobile phone, keycard, or USB device.

Something a user is, meaning biometric data like a face scan, fingerprint, or iris scan.

There are a variety of MFA methods a company can choose to use.

  1. Token Based. A small device that displays unique numerical codes, with a new code generated every 30 to 60 seconds.  The user must enter the current code.
  2. Push notifications to a phone or alternate email address. Some popular email services like Yahoo will send a text message each time a user logs into their Yahoo email account.
  3. One-Time Password. A unique password that is valid only for a single login session and for a defined period of time.
  4. Biometric Data. The user has to provide a fingerprint, facial recognition, or retina scan.
  5. Authenticator Applications. Applications installed on a user’s mobile phone, such as Duo, Microsoft Authenticator, or Google Authenticator.
  6. Dongle Based. A USB-style stick that one plugs into the computer.  The website or server sends a challenge to the device to verify the user is who they say they are.

There are a variety of vendors to choose from, offering both free and paid versions of MFA authenticators.  Even so, the right choice for an organization depends on its regulatory environment, IT infrastructure, staff, and budget.

If you are considering an MFA program, here are a few criteria to consider:

  1. Ease of Use – Probably the most important criterion on this list. Find an MFA service that provides a variety of options, which makes it easier for your employees to use.  Consider that if you have a no-BYOD (bring your own device) policy, employees might not be willing to add an MFA authenticator application to their personal mobile phones.  Having other options for employees to choose from could prevent a Human Resources issue.
  2. Look for a single solution that can meet all your application needs. Some MFA providers support only certain types of applications.  Avoid having to think about which application(s) or service(s) you can or can’t protect.  Make a list of the applications and third-party services (like Slack, Salesforce, or Microsoft 365) you need to protect, then look at which MFA providers work with all of the identified services.
  3. Find a system that is easy to deploy to your workforce. Implementation of MFA systems can be complex.  When evaluating systems, review examples of how the system can be deployed to your organization.  Obtain references from other companies in your industry, and talk to them about how the process worked for them.
  4. Determine how the MFA system can integrate with your company’s IT Security Policy and Procedures. Zero Trust is a cybersecurity principle under which a user’s access is not only continually verified but also limited on a need-to-know/need-to-have basis according to the user’s level of responsibility.  To that end, ensure the MFA provider allows you to configure its controls at the application level, the user level, the group level, or the global level.  That way the MFA provider’s product supports your IT Security Policy and Procedures rather than hindering or limiting them.
  5. Consider what kind of Reports and Analytics can be generated from the usage of the MFA system. Depending on your industry, you might have to report on your cybersecurity practices and produce data backing up those practices.  For example, some GDPR regulation, US Government departments like the Department of Defense, and PCI DSS requirements might require ongoing proof of working MFA systems.  This could be important after a breach, when regulators investigate to determine not only whether you had MFA in place but also whether you were actively monitoring its usage.  Reports should also detail individual user activity, such as how many times users were locked out, which could be a sign of a training problem or a security issue.

Here is a list of some of the more popular third-party MFA brands in the marketplace.  You will see on their websites that they can integrate with most, if not all, of the most popular applications and software services for a commercial business.

These are not the only paid MFA providers in the marketplace, but these are the more popular brands used by businesses both small and large.

https://duo.com/ – a Cisco-owned company as of 2018.

https://www.rsa.com/ – probably the most popular, longest-running brand of MFA-style security.  Used by many large Fortune 500 companies.

https://www.prove.com/

https://www.okta.com/

Free versions of MFA may not provide the complete list of features mentioned in this article.  Consider the regulatory environment you are operating in to determine whether “Free is for me” is acceptable.  For example, a sole-proprietor kitchen cabinet builder who takes cash only might find that the free MFA service from Microsoft for accessing Outlook email on a shop computer is adequate.  On the other hand, a retail store with over 1,000,000 credit card transactions a year should not rely on a free MFA service.

The majority of insurance companies that offer Cyber Liability Insurance will require an applicant or insured to have MFA implemented in its operations as a minimum requirement to obtain coverage.

Carefully consider the options before selecting an MFA service and provider.  Most important, think of MFA as a way to protect your business’s critical assets, not merely as an insurance requirement.

Scott Harrigan

Scott started his career in insurance in 1988 and joined Rue Insurance in 2004 as a Marketing Specialist focusing on creating effective risk financing and risk transfer programs for companies and non-profit organizations. In addition, he is a member of the Rue Insurance educational team that provides ongoing professional development in critical insurance concepts and programs to Rue employees.
