WatchGuard Blog

Without MFA organizations won’t get coverage

Recent cybersecurity incidents and ransomware attacks are driving companies to apply for cyber insurance. Meanwhile, over the last 12 months the rate of ransomware attacks has skyrocketed in both frequency and severity, driving significant changes in the cyber insurance marketplace. In years prior, cyber insurance submissions were simple and it was easy to obtain bindable quotes from multiple vendors. But times have changed and Since January 1, organizations applying for cyber insurance have had to show they are implementing a long list of cybersecurity technologies and practices including MFA and an incident response plan to get coverage.

Ransomware: the main reason for this rising trend in businesses 

Ransomware is increasingly common, is evolving, and to complicate matters, no longer only affects computers. This form of malware that thrives on encrypting data for a ransom paid in cryptocurrency also affects smartphones, TVs and any other connected device. 

As the price of ransoms soar (in some cases, it has already reached into the millions), it’s beginning to feel like insurance policies specifically designed for ransomware should be commonplace in a business’s security infrastructure. 

The rising trend of such policies has been a recurring theme in recent editions of international conferences. The situation was compared with that of actual kidnappings. If potential victims can have policies to pay ransoms for the safe return of a kidnapped person, with ransomware the solution could conceivably be the same. Not only would it protect victims from losing access to valuable data, but also it would give the insurance sector the chance to further diversify its offerings by expanding deeper into the cyber realm. 

While there is currently some insurance covering the costs of certain cyberattacks, the cyber side of policies still has a long way to go. Generally, cyber insurance covers damages caused to third parties (something really useful in the event that a cyberattack to our company affects our clients) and, in some cases, also covers the direct losses, among which would be the hostage data held by the ransomware. Depending on the coverage, cyber insurance covers the costs of a breach of security controls, such as restoring data, replacing hardware/software, hiring forensic investigators, external lawyers, and communications advisors. 

For the moment, most cyber insurance companies do not cover all the requested bailouts. Thus, policies of up to 10 million euros would only cover 500,000 euros in cases of cyber extortion, such as those occurring with ransomware. However, it is a rapidly developing sector and, in fact, most cyber insurers are hired virtually to first look at the main risks facing a company. 

Cyber insurance now requires MFA 

Companies looking into acquiring cyber insurance need to make sure they won’t be paying high premiums, or even have their applications denied.  

MFA should be used to protect remote network and email access, as well as administrative access. Such attacks often start with compromised passwords or login IDs. These credentials, which can be easily found in the dark web (just look at the recent three-billion credentials database made available), can be the weakest point of a company’s digital footprint because employees often use the same password for multiple systems, create passwords that are too simple, share credentials with others, or inadvertently give information to cybercriminals. 

MFA protects businesses by adding a layer of security that can block 99.9% of attacks stemming from compromised accounts. For example, a phishing attack may obtain a user’s credentials, but be unable to provide the fingerprint or a mobile pushed-based response required for authentication. 

Because every attack begins at an endpoint, companies should also be utilizing Endpoint Detection and Response (EDR), in collaboration with MFA, to maintain visibility into all endpoints. Employing MFA and EDR together will significantly minimize the threat of a breach, especially when combined with mature patching requirements, employee training, and increased awareness. 

As our colleague Corey Nachreiner predicted in this article a few years ago: “…insurance providers will start to implement guidelines that require companies to have strong security controls in place as a prerequisite. When combined with other layers of security, cyber insurance is a great addition to your cybersecurity strategy.” Well, the time has come.