It’s a Thursday afternoon and you’re now living a nightmare. There’s been a breach and the damage is immense. But wait! You have cyber insurance, so everything’s okay, right?

Well, how’s your MFA?

Cyber insurance is shifting dramatically, with a rising focus on the validity of clients' security measures, particularly multifactor authentication (MFA). Did you hear about the Travelers Property Casualty Company of America’s lawsuit? It’s a dramatic reminder that you can’t be vague, you can’t guess, and you can’t take a shortcut.

The only way to a solid cyber insurance claim is to self-attest accurately and to answer the increasing skepticism of insurance underwriters with facts.

The Case: A Crucial Precedent

Travelers Property Casualty Company of America’s lawsuit against International Control Services Inc. (ICS) opened a can of worms in the cyber insurance world. ICS claimed they had MFA in place when they were hit by a ransomware attack, but investigations found otherwise. Instead of a simple denial of the claim, Travelers took the unprecedented step of dragging the issue to court, arguing that the misrepresentation influenced their risk acceptance.

This case draws attention to an alarming statistic: in network analyses, 1 in 4 systems reportedly equipped with MFA do not genuinely have it. This discrepancy can put companies at grave risk, especially when it comes to cyber insurance claims.

Rising Skepticism In MFA Set Up

Insurers have been progressively bolder in rescinding coverage, a step up from merely declining claims. As cyber threats escalate, insurance carriers are becoming more stringent, focusing on their bottom lines, and exploring every avenue to avoid payouts.

Insurers are bound to become even more meticulous, scrutinizing each claim to safeguard their interests. This shift is understandable, considering the adversarial nature of the industry, especially after a cyberattack. Companies with subpar cybersecurity shouldn't expect payouts.

The Implications for Self-Attestation

While the Travelers case zoomed in on MFA, the ripple effects might be far-reaching. Jess Burn from Forrester Research believes that this could influence underwriters to demand third-party verification rather than relying solely on self-attestation. This change could mitigate misunderstandings and ensure that all security measures are genuinely in place before a policy is issued.

Cyber Insurance’s Evolution

Cyber insurance is a constantly evolving domain, as highlighted by Marc Schein from Marsh McLennan Agency. Unlike traditional insurance sectors backed by extensive statistical data, cyber insurance is relatively young and currently still very reliant on self-attestation. Consequently, underwriters are refining their methods to evaluate risks better.

As insurance carriers struggle to mature, they’re becoming less transparent and more challenging in their processes. Rather than aiding in claim settlements, some seem more eager to find reasons to rescind coverage. For example, when a discrepancy arises, more insurers are raising the alarm regarding whether a company deliberately hid issues or made an innocent mistake.

Some Conclusions…

MFA is a pivotal aspect of cybersecurity, and its accurate implementation is crucial. With the ever-increasing threats in the digital world, it's essential to have robust and verifiable security measures in place. Insurance companies are tightening their belts, and businesses need to ensure that their security postures, especially concerning MFA, stand up to scrutiny.

The key takeaway? If you're not filling out your Security Assessment Questionnaires (SAQs) properly, you might be opening yourself up to significant liabilities.