Security Maturity Blog

Get deep insights and the latest news on Organizational Security Maturity from the security experts at Global Data Systems

Why are Cyber Insurance Carriers Requiring Stronger MFA?

Cyber insurance has emerged as a crucial element of the risk management system, safeguarding against financial hardships resulting from cyberattacks.

Nevertheless, the surge in new digital threats has led to an increase in both the cost and accessibility challenges associated with these policies. As a method to mitigate their risk, underwriters are now imposing mandatory multifactor authentication (MFA) as a prerequisite for coverage.

The cyber insurance markets have become more volatile due to the changes in business brought on by the pandemic. As companies shift towards digital technologies, they enjoy numerous advantages, but this also increases the potential for attacks. Insurers have been severely affected by the significant rise in ransomware and other forms of cybercrime since 2020.

Analysis from Fitch Ratings shows that cyber insurance claims rose by about 100 percent in each of the past three years, while claims payments grew by 200 percent annually over the same period. Loss ratios (paid claims divided by premiums collected) increased to about 80 percent, according to a report in the Harvard Business Review.

 

Insurers Incentivize Stronger Protections

Faced with bigger losses and tighter margins, insurers have naturally responded by hiking prices. Cyber insurance premiums increased by 79 percent in 2022, according to Marsh’s Global Insurance Market Index. In addition, insurers are raising deductibles, reducing coverage limits and being more selective about who they will cover.

There’s a growing sense among insurers that businesses are too reliant on insurance for protection instead of investing in robust risk management strategies. According to ransomware research from Sophos, organizations with cyber insurance are more than twice as likely to pay ransoms as those without. To discourage payments and encourage policyholders to improve their security posture, most insurers now require those seeking coverage to demonstrate they have implemented MFA and other strong protections.

MFA solutions help prevent unauthorized access to applications, systems and services by reducing reliance on passwords and unsafe password practices. MFA requires a combination of verification factors, such as a password or PIN along with a security token, mobile app or biometric identifier.

While it is superior to traditional username-and-password verification, MFA isn’t foolproof. Secondary verification factors typically involve having a unique code sent to your mobile device or email. Because these techniques require human involvement, they are susceptible to account takeover through phishing and man-in-the-middle attacks. Some experts contend that more than 90 percent of MFA solutions are “phishable.”

 

Get an Assist with Modernization

Some insurers are already requiring potential clients to implement a stronger form of authentication based on FIDO/WebAuthn authentication standards. Known as phishing-resistant MFA, it offers stronger protection by replacing passwords with hardware-based keys using cryptographic protocols. The Cybersecurity and Infrastructure Security Agency calls this the “gold standard for MFA.”

It works by essentially turning a user’s smartphone into a security key. When a user registers with a website or service, the device generates a unique cryptographic key pair: a public key registered with the website or app being accessed and a private key stored on the user’s device. Even if hackers breach a site’s passkey server, they can’t access the user account without the private key.

The benefit of this approach is that it removes the human element — the device handles the entire authentication process. Users just have to sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face or typing in a device PIN.

GDS makes it easy for businesses to get started with phishing-resistant MFA with our fully managed solution based on Cisco Duo’s passwordless authentication architecture. Contact us to learn more.
