The Alarming Reality: Cyber Insurance Will Increasingly be Unavailable for Organizations Using Legacy MFA

Cybercriminals pose a serious problem for all kinds of organizations today. Though the word may conjure images of shadowy figures behind keyboards, cybercrime is conducted by large, sophisticated criminal enterprises, often with sponsorship by state governments. Worse yet, these enterprises continue to expand their efforts. In 2023, ransomware attacks doubled again, and phishing emerged as the number one way in which threat actors attack organizations.

Ransomware, business email compromise (BEC), and attacks on cloud environments are now priority threats for businesses. These threats, bolstered by a growing market for Initial Access Brokers and Ransomware-as-a-Service, resulted in a staggering $20 billion in global cybercrime costs in 2021 — a 57x increase since 2015.

In this threat landscape, cyber insurance is an important investment that helps protect organizations with both threat preparedness and incident response. The challenge today is that as risk to organizations rises, the standards for qualifying for a cyber insurance policy rise as well. Organizations dependent on legacy MFA solutions for security may find themselves unable to secure a policy.

Why is cyber insurance essential for large enterprises and small and medium businesses (SMBs) using legacy MFA?

John Horn, Director of Cybersecurity at leading analyst firm Datos Insights, stated, “As cyber risk continues to elevate, legacy MFA solutions are being defeated regularly by sophisticated phishing attacks. Many enterprises are left with heightened business risk and interruption, needing to move to phishing-resistant MFA solutions.”

A single attack can be devastating for SMBs. Some experts even state that over 60% of attacked SMBs go out of business within six months of being attacked. Large companies can also suffer many adverse consequences of a cyberattack, including financial losses, reputational injury, damaged customer relationships, and regulatory fines. Cyber insurance can help to mitigate these risks for both types of firms.

Organizations looking for the most advanced protection against cybercrime must move away from legacy solutions and adopt next-generation tools that remove the human element from the login process. Enterprises that rely on legacy MFA are more likely to experience a breach and more likely to need cyber insurance to recover.

What is the cost of cyber insurance?

Like any insurance product, there is no one-size-fits-all cyber insurance, and therefore no fixed cost for such policies. The cost of a policy largely depends on the insured company’s cyber risk profile and what kind of coverage they need.

For example, a large enterprise that is vulnerable to many cyber threats can expect to pay a higher premium than an SMB that is vulnerable to only a few threats. Similarly, a financial services firm that processes large volumes of customer financial information (e.g., credit card numbers) will likely pay more than a small family-owned business.

Furthermore, whether an organization purchases only first-party coverage or both first-party and third-party coverage will also have a significant impact on the cost of the policy.

• First-party coverage refers to losses that may result from data breaches, theft, extortion, or destruction and directly impact the attacked organization. It usually covers costs related to data recovery or replacement, cyber extortion, forensic investigations, and lost income due to business disruption. Costs incurred from notifying affected customers, managing public relations, legal fees, and regulatory fines are also included.
  
  
• Third-party coverage protects an organization from financial liabilities in the event that a third party suffers losses due to a data breach targeting the organization. This third party may bring claims against the attacked organization, and third-party coverage can help minimize the financial impact.

Much like other insurance policies, the rate for your cyber insurance policy is impacted by your organization’s security history and other criteria that indicate how likely the organization is to experience a breach. Due to the global escalation in ransomware attacks, rates are already increasing 50 – 100% without factoring in your organization’s security posture. Additionally, 79% of insured organizations reported that their insurance rate increased upon application or renewal, and half of respondents were required to enhance their IAM and MFA tools to qualify.

Given that dynamic, utilizing next generation MFA is crucial for securing the best policy — both by preventing breaches and addressing the weak point of human error. Like a bad driver with a DUI will find acquiring car insurance difficult, organizations that suffer a breach may be unable to find a policy, and 83% of organizations suffered two or more breaches last year. Implementing next generation MFA from Token Ring delivers the only passwordless, FIDO-2 compliant biometric wearable authenticator that stops phishing and social engineering attacks that result in data breaches.

Which risks does a cyber insurance policy typically cover?

A comprehensive cyber insurance policy includes coverage for losses or expenses resulting from a cyberattack. These may include losses due to:

• Destruction of digital assets
• System repairs or replacements
• Business interruptions
• Data retrieval and recovery
• Forensic investigations
• Breach response and remediation
• Ransom payments
• Lost revenues

Many policies also cover expenses related to:

• Litigating and hiring legal counsel
• Crisis management
• Notifying customers about a breach
• Recovering the personal identities of affected customers

Which risks does a cyber insurance policy not cover?

Like insurance products, most cyber insurance policies also contain “exclusions”. It’s well-known that home insurance buyers cannot file a claim for damages that occurred before purchasing the policy. Similarly, an organization affected by a breach cannot file a claim to recover costs if the breach occurred before the cyber insurance policy was purchased. Breaches due to poor security practices or due to human error are also usually excluded from payout. Insurers also rarely entertain claims for attacks resulting from preexisting and/or known vulnerabilities.

Furthermore, 38% of cyber insurance policies are now excluding coverage for “human error” which typically includes phishing attacks and social engineering. This is all the more reason to invest in an MFA solution proven to stop such threats.

Link between cyber insurance and solid cyber defenses

Insurers are well-aware of the ever-widening threat landscape and therefore require organizations to meet certain cybersecurity standards in order to qualify for coverage. Organizations may be asked to strengthen their security posture and prevent attacks by implementing:

• Strong identity and access management controls
• Data encryption
• Incident response plans
• Regular vulnerability assessments and penetration tests
• Security awareness training

Implementing these measures can make a business more “insurable” and therefore more likely to be accepted by an insurer for protection. Also, if the organization can prove its assets are reliably secure and safe from unauthorized or malicious activities, it may result in lower premiums or more suitable terms.

Many carriers also insist on multi-factor authentication (MFA), because businesses that lack MFA are more likely to suffer significant damages if they are ever attacked. Carriers often consider these organizations uninsurable, leaving them doubly vulnerable to many kinds of security threats.

Businesses can leverage many types of MFA solutions to mitigate the risks of unauthorized, and potentially malicious, access to online systems and accounts. The most popular solutions are those that provide SMS-based or email-based authentication with a one-time password, however these legacy MFA solutions are not effective at keeping threat actors out.

In fact, attacks on legacy MFA technologies, usually via social engineering techniques like phishing and MFA bombing (also known as MFA spamming), have become very common in recent years. The best way for organizations to stop hackers and get favorable terms with cyber insurers is to invest in next-generation MFA technologies like wearable MFA from Token Ring.

Token Ring is a next-gen MFA system that uses biometrics to eliminate the vulnerabilities associated with legacy MFA, such as stolen OTPs and compromised authentication devices. Since it responds only to the authorized user that it has been configured for, no one else can use it. It thus provides strong authentication, easy passwordless access for authorized users, and robust protection from phishing, account takeovers, and ransomware attacks.

Conclusion

In an expanding risk landscape, the continuity and longevity of a business depends on its ability to withstand cyber threats. Cybersecurity measures and cyber insurance are both essential to this effort.

Reliance on legacy solutions hinges on the unrealistic expectation that users will somehow recognize and overcome every new and sophisticated hacking attack they receive via emails, text messages, and malicious webpages. This unfulfilled promise of legacy MFA solutions is reflected in the soaring costs of the average data breach, now $9.4 million for U.S. companies. Enterprises and SMBs that invest in cyber insurance and strong defenses like Token Ring’s biometric MFA can protect themselves from devastating financial losses. Confronted with these rising costs, it is clear why cyber insurance is not just a nice-to-have for modern organizations, but a need-to-have.