Meeting Cyber Insurance Requirements — Is MFA Enough?
Last year, HYPR reported that many cyber insurers now require organizations to adopt multi-factor authentication. The growing demand for cyber liability insurance, the increasing number of claims and a spike in claim severity have prompted underwriters to scrutinize an organization’s security controls more closely. Since then, and as cyberattacks continued to flourish over the last year, the cyber insurance requirements for strong internal security measures have intensified.
Companies going to take out or renew policies are finding that most cyber insurance carriers have instituted even stricter multi-factor authentication requirements in order to reduce premiums or obtain coverage. Security experts and cyber insurers have been recommending multi-factor authentication for years. So why haven’t more companies already deployed it when the market and the attack landscape are making its need overwhelmingly clear?
Obstacles to Meeting Cyber Insurance Requirements for MFA
In a recent survey, 49% of IT and security experts named poor user experience as a primary challenge in deploying traditional MFA solutions and 48% said they are difficult to integrate with current systems. Workers and customers often resist MFA adoption as it requires multiple steps to authenticate.
The productivity hit that comes from traditional MFA also makes many organizations hesitate. Requiring employees to use an additional factor means it takes longer for them to get into the applications and systems they need to do their work. In the event of access issues, there is downtime and help desk drain until it can be resolved.
Of course cost also plays a role. Besides the deployment, management and help desk costs, there may also be hard costs, such as security keys. In the face of these business and cost ramifications, many organizations find themselves simply unable to meet cyber insurance requirements.
Traditional MFA Is Breachable
Perhaps the biggest blocker though comes down to the fact that traditional MFA just does not reduce risk enough. Security analysts have shown that 90% of MFA can be bypassed by phishing and other techniques.
This is where phishing-resistant passwordless MFA technologies come in. Many cyber insurance requirements specify phishing-resistant MFA as defined by NIST and the OMB.
Login is fast and easy and, depending on the type of passwordless solution deployed, there may not be hardware costs beyond the smartphones your users already own. Most importantly, truly passwordless technology — where neither the user or service provider possess a shared or shareable secret — is far less vulnerable to attack.
That last point is important. Many solutions call themselves passwordless but they may simply hide a password, for example using biometrics to unlock a password. Or they may store credentials in a central database, which means they can be breached and stolen. Many cyber insurers specifically require phishing-resistant MFA as defined by NIST and the OMB.
Many cyber insurance requirements also specifically call for multi-factor authentication when logging into desktops. The majority of MFA solutions — both traditional and passwordless — cover application login only or limited desktop use cases.
Meet Cyber Insurance Requirements With HYPR PMFA
HYPR’s True Passwordless™ MFA (PMFA) platform delivers uncompromising security coupled with a seamless user experience that will make your security department, end-users and your insurance carrier all happy.
HYPR partners with cyber insurance carriers in order to offer their customers a PMFA solution that meets and exceeds cyber insurance requirements for secure authentication. We also work with organizations directly to quickly and easily deploy passwordless MFA that helps them realize many additional benefits including reducing breach risk, improving user satisfaction, lowering IAM-related costs and meeting regulatory requirements for cybersecurity and data privacy.
To learn more about cyber insurance and how HYPR can help you meet underwriting security requirements, download our Cyber Insurance Guide.
*** This is a Security Bloggers Network syndicated blog from HYPR Blog authored by Sarah Reilly, Senior Product Marketing Manager, HYPR. Read the original post at: https://blog.hypr.com/meeting-cyber-insurance-requirements-is-mfa-enough
