Skip to content

Business Guidance

MFA Required for Cyber Insurance Eligibility

By Steve Frew, JD, CIPP/US | Johnson Financial Group

3 minute read time

Cybercrime is a growing threat for businesses as new cyber threats emerge every day. With the rising number of cyber-attacks, virtually all cyber insurance companies are now requiring companies to have MFA in place to renew their cyber insurance.

What is MFA and why is it important?

Multifactor Authentication (MFA) is an extra layer of security that requires users to enter a single-use code upon login to verify their identity. Users are given a short period of time to enter the code, reducing the chances that a cybercriminal can steal the code. Other forms of MFA include swipe cards, biometric authentication such as fingerprints, code-generating fobs and other identifiers.

Why is MFA so important that many insurance carriers will refuse to write insurance for those who don’t have it? The answer from insurers is short and direct – MFA would have prevented more than 90% of the successful cyber-attacks businesses have suffered.

What is being required?

Not all insurance carriers use the same MFA certification on their new and renewal applications. Some have detailed lists and others have an “adequate security” requirement, but they all are looking for the same assurances that a company has covered its cyber exposures with MFA:

  1. EMAIL ACCESS. All your employees who access their company email through their own personal devices (phone or tablet), a website, or cloud-based service (such as Office 365 or other internet service providers and hosts) must have MFA confirmation to access company email accounts.
  2. REMOTE EXTERNAL ACCESS. All officers, employees, contractors, and third parties (such as IT and security vendors) and others with remote access to your network must pass through MFA to gain access, including those who use a virtual privacy network (VPN).
  3.  ADMINISTRATIVE ACCESS. Anyone with internal or remote access to the network (privileged users), including outside service providers, must pass through MFA systems to access directory services (such as active directory, LDAP, etc.), network backup areas, network infrastructure (such as firewalls, routers, and switches, etc.) and endpoints and servers. Some companies specifically mention protecting access to Remote Desktop Protocol (RDP) and Virtual Desktop Instances (VDI) with MFA.

Get started now, if you haven't started already

Implementing MFA may take substantial time, so businesses renewing cyber insurance this year or applying for new policies should be prepared to answer ‘yes’ to the questions about MFA on the insurance application to prevent gaps in coverage or denial of insurance.

Your in-house IT department will need time to identify options, obtain services and equipment, implement the MFA solutions, and test the systems on your network. If you use an outside service provider, they may be able to simply flip a switch to give you MFA on all the required functions. On the other hand, they may need time to implement their own MFA installation. If they are unable to respond with the required MFA in a timely fashion, you may have to find a new service provider. Keep in mind very few carriers will grant you extra time to complete this process.

If you have questions, now is the time to seek answers. Please contact your Johnson Financial Group advisor for further information or our cyber risk consultant, Steve Frew, at 608-658-5035.


Steve Frew, JD, CIPP/US

Steve Frew, JD, CIPP/US

Vice President, Risk Consultant | Johnson Financial Group

As Vice President, Risk Consultant, Stephen provides risk assessment services to clients to help identify potential exposures that threaten the company directly or create an unfavorable risk profile that may drive up insurance costs. As a former commercial and litigation attorney, Stephen is experienced in professional standards, litigation, and regulations that affect professional practices and businesses for risk management purposes.