The cybersecurity landscape is constantly shifting, and as technology evolves, so does the number of cyber attacks and attack vectors. In 2021 alone, Symantec found that the number of supply chain attacks had increased by 100%.
A drastic increase in cyber threats has made cybersecurity insurance a risky business. To protect both themselves and their customers, insurance providers have had to increase the stringency of their requirements for coverage.
Multi-factor Authentication (MFA) is often a cybersecurity insurance requirement. But how does it help protect your organization, and what are some other common coverage requirements to be aware of?
What is MFA in Cybersecurity?
MFA stands for Multi-Factor Authentication. Historically, users accessing a protected resource would authenticate using a single factor: a password. Multi-factor authentication simply means using more than one factor to authenticate users.
These factors often fall into three categories:
- Something you have (like a smart card or token)
- Something you know (like a password)
- Something you are (biometrics, such as a fingerprint or facial recognition)
You can use any combination of the above factors. In common 2FA (two-factor authentication), for instance, it’s popular to use both a password and a secure code that’s texted or emailed to the user whenever they log in.
It’s easy to see how requiring more than one authenticating factor increases the security of that authentication. On their own, passwords can be stolen or shared quite easily. The same cannot be said of a smart card or a fingerprint. Acquiring all these things at once illegitimately is even more challenging than gathering them individually.
Does Cybersecurity Insurance Require MFA?
Specific insurance requirements vary by provider, so if there’s a particular insurance provider you are working with, you’ll want to check their requirements first. You usually won’t even be able to get a quote until you meet these requirements. Generally speaking, however, multi-factor authentication is an increasingly common requirement across the board for cyber insurance coverage.
There are a handful of scenarios that cyber insurance providers look for when it comes to using MFA:
- Business email access
- Remote employees
- Administrative access
Many insurance companies will make it necessary to have MFA before you can even get a quote for their coverage. This is because insurance companies are companies just like any other – being profitable is necessary to their continued existence, and insuring against things that are guaranteed to happen for every single customer simply isn’t a sustainable business model.
Thus, for both your safety and theirs, cybersecurity insurance providers must add more to their coverage requirements as cyber threats multiply. MFA isn’t even the only common requirement you’ll come across.
Other Cybersecurity Insurance Requirements
As we mentioned above, additional cybersecurity insurance requirements can be different from provider to provider. However, here are a few examples of common requirements beyond MFA:
- Recent Security Risk Assessment (SRA) results
- Mandatory cybersecurity and infosec training for employees
- Data backups
- Use of a company firewall
- Antivirus software on company devices
- Network Access Control (NAC) of some kind
Keep in mind that individual insurance providers may have requirements beyond the scope of what we’ve listed above – these are just a few things you can expect to prove prior to receiving a quote. The more documented cybersecurity practices your organization employs, the better.
Meeting Cyber Insurance Requirements
Implementing MFA for remote employees, employees with administrative access, and for company email will go a long way toward easing the concerns of any insurance companies you’re negotiating with. However, there’s so much more you can do to enhance your own network security – not just to appeal to insurance providers, but to defend yourself from cyber threats (and reduce your deductible!).
SecureW2 has developed a suite of products and services designed to protect your organization’s network and resources. Each of our products in some way addresses common requirements posed by cyber insurers.
PKI for Cybersecurity Compliance
An important part of cybersecurity insurance requirements – and the wider concept of Zero Trust – is making sure that each user only has access to the resources they need. That way, if a single person is compromised, the hacker doesn’t necessarily gain access to everything on your network.
Digital certificates (as well as the PKIs needed to manage and issue them) can play an integral role in this regard. Certificates, which provide much more identity context around every network connection, give administrators the tools necessary to provide granular access to each user through custom access policies.
SecureW2’s PKI, in addition to enabling both role-based and attribute-based access control, is simple to use. Certificate templates can be customized to reflect the information you need to identify users and devices and can even be leveraged directly from your existing IDP.
Network Access Control for Cyber Insurance – Cloud RADIUS
Using certificate-based authentication may make you more appealing to an insurance provider, but those certificates need to be validated by an authentication server. That’s where a RADIUS service like SecureW2’s Cloud RADIUS comes into play.
Designed to be vendor-neutral, Cloud RADIUS integrates with your IDP to apply network policies to your Wi-Fi and VPN authentication. With Identity Lookup, it can even communicate with your IDP in real-time during authentication, which means your most current policies are always applied completely accurately – including whether or not to prompt users for MFA.
Another insurance requirement fulfilled by Cloud RADIUS is that of keeping logs. Cloud RADIUS generates detailed and extremely searchable event logs that describe every authentication attempt on your network. These logs can even be exported to any SIEM you use so you can be instantly alerted whenever there’s a connectivity issue or suspicious activity.
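Exporting authentication logs to a SIEM is only useful if something looks at them. The script below is an added example for this article, not Cloud RADIUS code and not its export format: the log lines are constructed in a simple key=value layout (adjust the regular expression to whatever your SIEM receives), and the two detections are ones a defender typically wants over RADIUS events, a burst of Access-Reject results for one identity (password guessing or a misconfigured device) and one identity being accepted from several different client MAC addresses in a short window (a shared credential).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Cloud RADIUS output): one timestamped line per attempt.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z result=Access-Accept user=alice@corp.example mac=AA-BB-CC-00-00-01 nas=wifi-1 method=EAP-TLS
2024-05-01T09:00:05Z result=Access-Reject user=guest-042 mac=AA-BB-CC-00-00-02 nas=wifi-1 method=PEAP
2024-05-01T09:00:09Z result=Access-Reject user=guest-042 mac=AA-BB-CC-00-00-02 nas=wifi-1 method=PEAP
2024-05-01T09:00:14Z result=Access-Reject user=guest-042 mac=AA-BB-CC-00-00-02 nas=wifi-1 method=PEAP
2024-05-01T09:00:20Z result=Access-Reject user=guest-042 mac=AA-BB-CC-00-00-02 nas=wifi-1 method=PEAP
2024-05-01T09:01:00Z result=Access-Accept user=guest-107 mac=AA-BB-CC-00-00-10 nas=wifi-2 method=PEAP
2024-05-01T09:01:30Z result=Access-Accept user=guest-107 mac=AA-BB-CC-00-00-11 nas=wifi-2 method=PEAP
2024-05-01T09:02:00Z result=Access-Accept user=guest-107 mac=AA-BB-CC-00-00-12 nas=wifi-2 method=PEAP
2024-05-01T09:15:00Z result=Access-Accept user=bob@corp.example mac=AA-BB-CC-00-00-20 nas=vpn-1 method=EAP-TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\S+) user=(?P<user>\S+) "
    r"mac=(?P<mac>\S+) nas=(?P<nas>\S+) method=(?P<method>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text: str,
            reject_threshold: int = 4, reject_window: timedelta = timedelta(minutes=5),
            mac_threshold: int = 3, mac_window: timedelta = timedelta(minutes=10)):
    """Sliding-window checks per identity. Returns (rule, user, time, count) tuples,
    at most one per rule and user so a noisy identity does not flood the queue."""
    rejects = defaultdict(deque)   # user -> timestamps of recent rejects
    accepts = defaultdict(deque)   # user -> (timestamp, mac) of recent accepts
    findings, already_reported = [], set()

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as evidence
        ts, user = ev["ts"], ev["user"]

        if ev["result"] == "Access-Reject":
            q = rejects[user]
            q.append(ts)
            while q and ts - q[0] > reject_window:
                q.popleft()
            if len(q) >= reject_threshold and ("repeated_reject", user) not in already_reported:
                already_reported.add(("repeated_reject", user))
                findings.append(("repeated_reject", user, ts, len(q)))

        elif ev["result"] == "Access-Accept":
            q = accepts[user]
            q.append((ts, ev["mac"]))
            while q and ts - q[0][0] > mac_window:
                q.popleft()
            distinct_macs = {mac for _, mac in q}
            if len(distinct_macs) >= mac_threshold and ("shared_credential", user) not in already_reported:
                already_reported.add(("shared_credential", user))
                findings.append(("shared_credential", user, ts, len(distinct_macs)))

    return findings


if __name__ == "__main__":
    for rule, user, ts, count in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {user} (count={count})")
```

The thresholds are deliberately parameters: a help desk that sees four rejects in five minutes from a single device will tune them differently from a VPN concentrator, and the right values come from baselining your own logs before enabling alerts.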
JoinNow NetAuth for Cybersecurity Insurance
Not all devices can be equipped with digital certificates – some are simply too old and others lack the storage capacity. Common examples of such devices include gaming consoles and lower-end IoT devices. Furthermore, you may have guests visiting your organization that you don’t want to enroll for certificates.
However, these devices are often still present on your network, and that means you need some way to keep tabs on them. This is precisely what JoinNow NetAuth was created to do.
Guests or devices that can’t store certificates can be issued individual credentials to log in with. You can customize the length of the access, requiring these users to re-authenticate as often as necessary. Because they have individual credentials, you’re also able to identify these connections and keep track of each one for greater visibility.
Fulfill Your Cyber Insurer’s Checklist with SecureW2
MFA, while important, is only one of the things any insurance company is likely to require. While more secure than using passwords alone, it still doesn’t check all the items off a cybersecurity wishlist.
SecureW2 has a full suite of network access solutions designed to protect your organization’s resources – and simultaneously make your company more compliant with insurance companies’ requirements. Our PKI can be used to enroll individual devices and users for certificates, which makes it easier for them to be segmented into roles or groups and granted access accordingly. Cloud RADIUS is capable of applying network policies and communicating in real-time with your IDP. Additionally, detailed RADIUS event logs help you keep on top of who and what has access to your network.
We’d love the opportunity to show you how it all works in action. Reach out to us for a free demonstration of our capabilities.