In today’s rapidly evolving digital landscape, cybersecurity is no longer optional—it's a necessity. Yet, despite widespread recognition of the need for robust protections, businesses often face significant gaps between what’s promised in their cyber insurance policies and the actual security measures in place.
One such gap is the use of Multi-Factor Authentication (MFA), a critical safeguard that’s frequently cited as a requirement in cyber insurance Statement of Facts. However, while insurers may expect MFA to be a fully implemented solution, the reality can be more complex. In many cases, organisations declare compliance without fully realising—or without actually implementing—the protective measures MFA entails. This disconnect can lead to a false sense of security, leaving businesses vulnerable in the event of a breach.
The role of MFA in cyber coverage
MFA is a security method that requires users to provide two or more verification factors to gain access to a system, application, or network, rather than relying on a single password. MFA combines several types of authentication factors:
- Something the user knows: A password, PIN, or passphrase.
- Something the user has: A smartphone, security token, smart card, or a hardware device.
- Something the user is: Biometric identifiers, such as fingerprints, facial recognition, or iris scans.
By requiring multiple forms of authentication, MFA significantly enhances security, making it much harder for unauthorised individuals to gain access, even if they have stolen one factor (like a password). MFA is widely considered an essential practice for protecting sensitive data and reducing the risk of cyberattacks, such as:
- Phishing attacks: Where attackers trick users into revealing their login credentials.
- Password guessing: Attempts to crack weak or commonly used passwords.
- Credential stuffing: Using previously stolen username and password combinations to breach accounts.
This multi-layered approach to security is essential for safeguarding against increasingly sophisticated threats and ensuring that access to critical systems remains tightly controlled.
MFA is critically important for cyber insurers to understand because it directly impacts the level of risk associated with insuring a business. MFA significantly reduces the likelihood of unauthorised access to sensitive systems by providing an extra layer of protection beyond passwords. This makes it a key factor in preventing:
- Data breaches: Unauthorised access to sensitive or private information.
- Ransomware attacks: Cyberattacks where hackers encrypt a company’s data and demand a ransom for its release.
- Other cyber threats: Including phishing, account takeovers, and credential stuffing.
For insurers, knowing whether a company has MFA in place—and how effectively it is used—helps determine the level of risk they are assuming and ensures that policies are appropriately priced to reflect a company's actual security posture. Without this critical information, insurers may be unable to accurately assess potential liabilities, leading to gaps in coverage or increased exposure to claims.
Is MFA really in place?
Some businesses may answer "yes" to having MFA in their Statement of Facts when applying for cyber insurance, even if they have only partially implemented MFA or have plans to do so in the future. In some cases, organisations might believe they are fully compliant because they have started the process—by enabling MFA for some users or systems—but haven't rolled it out across their entire network or all critical applications. Others may have implemented MFA in a limited way, such as for high-risk accounts, but haven't extended it organisation-wide. This gap between declaration and reality creates a significant issue in the event of a cyber incident.
To validate the accuracy of the Statement of Facts and determine whether the business meets the necessary security standards for coverage, forensic investigators may be called upon to conduct a thorough assessment of the company's actual MFA practices during a breach investigation. This process involves reviewing system configurations, user authentication logs, and security protocols to verify whether MFA has been fully implemented as declared. If discrepancies are found, the insurer may adjust the policy coverage or deny claims, highlighting the critical importance of accurately representing cybersecurity measures in policy declarations.
The risk of oversimplification
The MFA question in a cyber insurance Statement of Facts is arguably too broad, inviting inaccurate or misleading responses from businesses. Typically, insurers ask a simple yes-or-no question about whether a company uses multi-factor authentication (MFA), but this binary approach does not account for the varying degrees of MFA implementation, or for other complementary security measures that may reduce the reliance on MFA in certain contexts.
For instance, a company might answer "yes" because they use MFA for some applications, such as email, but fail to apply it across all systems, including critical databases or cloud services. Additionally, some businesses may rely on outdated or less secure forms of MFA, like SMS-based authentication, which is vulnerable to phishing and SIM-swapping attacks.
As a result, a broad, one-size-fits-all question about MFA fails to capture the nuances of how robust or comprehensive the company's MFA practices truly are. This lack of specificity can lead to misrepresentations on the insurance application, where the perceived security posture may not align with the actual level of protection in place.
The limits: just one layer of defence
While MFA is a powerful tool for enhancing cybersecurity, it is not a silver bullet. MFA significantly improves security by adding a layer of protection beyond passwords, but it cannot address all vulnerabilities. For example, MFA is still susceptible to attacks such as phishing, social engineering, and SIM-swapping, where attackers trick users into revealing authentication factors or intercept authentication codes. Additionally, MFA does not protect against internal threats, such as malicious insiders, or against other types of cyberattack, such as those targeting vulnerabilities in software or systems. Furthermore, MFA can be bypassed if it is not properly implemented, for instance where outdated methods like SMS-based codes, which are more easily compromised, are still relied upon.
Cybersecurity is a multi-layered challenge, and relying solely on MFA without addressing other critical areas leaves organisations vulnerable. Key security measures that complement or reduce the reliance on MFA include:
- Employee training: Educating staff about phishing, social engineering, and other common attack vectors to prevent exploitation, even if MFA is in place.
- Network segmentation: Isolating sensitive data and systems within the network to limit the impact of a potential breach and reduce the attack surface.
- Timely patching: Regularly updating and patching software to fix known vulnerabilities before they can be exploited by attackers.
- Endpoint protection: Using antivirus software, firewalls, and intrusion detection systems to protect devices from malware and unauthorised access attempts.
- Zero-trust architecture: Verifying access continuously based on the user’s behaviour, device health, and context, reducing the need for MFA on every transaction.
- Behavioural analytics: Monitoring user activity for unusual patterns that could signal a potential breach, allowing for real-time intervention without the need for traditional MFA.
- Data encryption: Encrypting data both in transit and at rest to protect sensitive information from being intercepted or stolen, even if an attacker gains unauthorised access.
In some cases, these measures can reduce the need for constant MFA prompts or provide security in situations where MFA may be bypassed. While MFA is an important component of a broader security strategy, it should never be viewed as a comprehensive solution to all cybersecurity risks. Organisations must adopt a holistic security approach, combining MFA with these other critical protections to effectively mitigate threats and protect their systems.
What can be done?
We help businesses assess their MFA compliance and M365 security by conducting thorough security audits and assessments tailored to their specific needs. Our process involves reviewing existing authentication practices to see if MFA is implemented across all critical systems and applications, including Microsoft 365 (M365). We evaluate the strength of MFA methods in use—such as verifying whether businesses are using more secure forms like app-based authentication or hardware tokens rather than relying on less secure methods like SMS. Additionally, we assess M365 security settings to identify gaps in configuration, such as insufficient access controls, lack of data loss prevention measures, or ineffective endpoint security.
Our team also provides actionable recommendations to improve compliance with best practices, advising on security policies that align with both organisational needs and cyber insurance requirements. By identifying potential vulnerabilities and validating MFA implementation, we help businesses strengthen their security posture, mitigate risk, and meet the standards necessary for both compliance and effective protection against cyber threats.
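As an added illustration of the coverage check that the audits above (and the forensic review described earlier) perform, here is a small script run over a constructed per-user export; it is not the firm's tooling, and the record fields, method names and accounts are assumptions rather than any vendor's real schema. It shows how a headline "MFA in place" figure can look healthy while weak SMS-only methods, registered-but-unenforced users and privileged accounts without phishing-resistant factors remain.

```python
"""Audit MFA coverage from a constructed per-user identity export.

Each record mimics what an identity-provider export (for example an M365
authentication-methods report) might contain. The field names, method names
and accounts below are constructed assumptions, not a real vendor schema.
"""
from collections import Counter

# Ranking of registered methods from weakest to strongest.
METHOD_STRENGTH = {
    "sms": 1, "voice": 1,                 # interceptable / SIM-swap exposed
    "authenticator_app": 2, "totp": 2,    # app-based one-time codes
    "fido2": 3, "hardware_key": 3,        # phishing-resistant
}
LABELS = {0: "none", 1: "weak", 2: "standard", 3: "phishing-resistant"}

# Constructed sample export: registered methods per account and whether a
# policy actually enforces an MFA challenge for that account.
USERS = [
    {"upn": "ceo@example.test", "privileged": True, "enforced": True, "methods": ["sms"]},
    {"upn": "admin@example.test", "privileged": True, "enforced": True, "methods": ["fido2", "authenticator_app"]},
    {"upn": "sales1@example.test", "privileged": False, "enforced": True, "methods": ["authenticator_app"]},
    {"upn": "sales2@example.test", "privileged": False, "enforced": False, "methods": ["authenticator_app"]},
    {"upn": "svc-backup@example.test", "privileged": False, "enforced": False, "methods": []},
]

def strongest_method(methods):
    """Return the highest strength tier among a user's registered methods (0 if none)."""
    return max((METHOD_STRENGTH.get(m, 0) for m in methods), default=0)

def audit(users):
    """Classify every account and summarise where the MFA declaration falls short."""
    findings = {"no_mfa": [], "not_enforced": [], "weak_only": [],
                "privileged_not_phishing_resistant": []}
    tiers = Counter()
    for u in users:
        tier = strongest_method(u["methods"])
        tiers[LABELS[tier]] += 1
        if tier == 0:
            findings["no_mfa"].append(u["upn"])
        elif not u["enforced"]:
            findings["not_enforced"].append(u["upn"])  # registered but never challenged
        if tier == 1:
            findings["weak_only"].append(u["upn"])
        if u["privileged"] and tier < 3:
            findings["privileged_not_phishing_resistant"].append(u["upn"])
    # The binary "has MFA" view: any method registered and a policy enforcing it.
    covered = sum(1 for u in users if strongest_method(u["methods"]) > 0 and u["enforced"])
    findings["coverage_pct"] = round(100 * covered / len(users), 1) if users else 0.0
    findings["tiers"] = dict(tiers)
    return findings

if __name__ == "__main__":
    for key, value in audit(USERS).items():
        print(f"{key}: {value}")
```

On the constructed data the binary coverage figure is 60%, yet the only two privileged accounts include one protected by SMS alone, which is the kind of detail a yes/no declaration hides.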
For more information, contact Lauren Wills, lead incident response & cyber risk consultant, Casualty Specialist and International Risks via lauren.wills@crawco.co.uk