As cyber threat actors continue to innovate and find new ways to increase their odds of success, panelists at the 2022 Advisen Cyber Risk Insights Conference urged underwriters to raise the stakes when assessing insureds’ cyber exposure. One specific area of cybersecurity that has taken the spotlight with underwriters recently is multi-factor authentication, or MFA. But experts said most underwriters aren’t asking the right questions.
“When we ask people, ‘Hey, how’s your MFA?’ we also ask about exceptions. [We ask], ‘Who is exempt from this?’” said Eric Skinner, vice president of market strategy at TrendMicro. “And you may not be surprised to hear that frequently it’s executives who say, ‘Oh, I don’t want the inconvenience.’ Of course, they’re the ones who probably need it the most. So, with these broad questions in the insurance questionnaires asking, ‘Do you have MFA? Yes or no?’ we found there was a whole big gray area in between the yeses and the nos.”
MFA means that a user must present two different forms of identity verification before gaining access to a system—it could be a password, a biometric scan, a code texted to another device or something else. Although MFA has been touted more and more as a No. 1 security recommendation that insureds should enable for Internet-accessible accounts, many are not implementing it correctly, said Preston Miller, director of Unit 42 at Palo Alto Networks.
“What I often see from a responder perspective is that they have it turned on, but it’s not fully configured,” he said. “Or they allow alternative methods of authenticating for accounts that don’t support multi-factor authentication, so you’re giving threat actors another avenue to access your data and bypassing the security control you’re hoping to implement in the first place.”
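The gray area Skinner and Miller describe (MFA "turned on" but with executive exemptions, optional enrollment, and password-only fallback paths for clients that cannot prompt for a second factor) can be made concrete as an access-policy comparison. The following is an added illustration, not code from the article or from any of the vendors quoted: `weak_decision` encodes the partially configured state, `strict_decision` the enforced one, and `audit_mfa_gaps` lists the exceptions an underwriter's "Do you have MFA?" question would miss. The account directory, role names, and the "legacy"/"modern" protocol labels are constructed for the example.

```python
"""Added example (not from the article): the gray area between MFA 'yes' and 'no'.

Two policy decision functions model the failure modes the panel describes:
MFA 'turned on' but exemptions honored and legacy clients falling back to
password only, versus MFA enforced for everyone on every path. An audit
helper lists the gaps a risk engineer would want surfaced.
All account data below is constructed for illustration.
"""
from dataclasses import dataclass

PRIVILEGED_ROLES = {"executive", "admin"}  # assumed role labels


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    mfa_enrolled: bool        # user has registered a second factor
    mfa_exempt: bool = False  # explicit exception granted by the organization


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool
    protocol: str             # "modern" (can prompt for a second factor) or "legacy" (cannot)
    second_factor_ok: bool = False


def weak_decision(account: Account, attempt: LoginAttempt) -> str:
    """MFA is 'on', but three holes remain: exemptions, legacy fallback, optional enrollment."""
    if not attempt.password_ok:
        return "deny"
    if account.mfa_exempt:                # hole 1: the executive who opted out
        return "allow"
    if attempt.protocol == "legacy":      # hole 2: password-only path for clients that cannot do MFA
        return "allow"
    if not account.mfa_enrolled:          # hole 3: never enrolled, so never challenged
        return "allow"
    return "allow" if attempt.second_factor_ok else "deny"


def strict_decision(account: Account, attempt: LoginAttempt) -> str:
    """MFA enforced: no exemptions, no non-MFA path, unenrolled users cannot proceed."""
    if not attempt.password_ok:
        return "deny"
    if attempt.protocol == "legacy":      # block every path that cannot carry a second factor
        return "deny"
    if not account.mfa_enrolled:          # enrollment is mandatory before access (route to enrollment)
        return "deny"
    return "allow" if attempt.second_factor_ok else "deny"


def audit_mfa_gaps(accounts, legacy_auth_allowed: bool):
    """Return (subject, finding) pairs describing where MFA is not actually covering."""
    findings = []
    for a in accounts:
        tag = " [privileged]" if a.role in PRIVILEGED_ROLES else ""
        if a.mfa_exempt:
            findings.append((a.user, "exempt from MFA" + tag))
        elif not a.mfa_enrolled:
            findings.append((a.user, "MFA not enrolled" + tag))
    if legacy_auth_allowed:
        findings.append(("tenant", "legacy authentication enabled: password-only path bypasses MFA"))
    return findings


# Constructed sample directory
ACCOUNTS = [
    Account("ceo", "executive", mfa_enrolled=False, mfa_exempt=True),
    Account("it-admin", "admin", mfa_enrolled=True),
    Account("new-hire", "staff", mfa_enrolled=False),
    Account("sales", "staff", mfa_enrolled=True),
]


def compare_policies(accounts=ACCOUNTS):
    """Simulate a password-only login for each account over a legacy and a modern client,
    and return (weak, strict) decisions keyed by (user, protocol)."""
    out = {}
    for a in accounts:
        for proto in ("legacy", "modern"):
            attempt = LoginAttempt(a.user, password_ok=True, protocol=proto, second_factor_ok=False)
            out[(a.user, proto)] = (weak_decision(a, attempt), strict_decision(a, attempt))
    return out


if __name__ == "__main__":
    for key, (weak, strict) in compare_policies().items():
        print(key, "weak:", weak, "strict:", strict)
    for finding in audit_mfa_gaps(ACCOUNTS, legacy_auth_allowed=True):
        print(finding)
```

Under the weak policy every password-only login in the sample succeeds except the enrolled users on a modern client; under the strict policy none of them do, and the audit reports the exempt executive, the unenrolled new hire, and the tenant-wide legacy path. That third finding is the one Miller's quote points at: a protocol that cannot carry a second factor is a bypass of the control regardless of how many users are enrolled.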
Part of the problem could be a lack of understanding, particularly in the small and medium-sized enterprise space, as a Global Small Business Multi-Factor Authentication Study released by the Cyber Readiness Institute in July found that 55 percent of SMEs reported not being “very aware” of MFA and its security benefits. Another 54 percent of survey respondents said they do not use it for their business. Of those businesses that have not implemented MFA, 47 percent noted they either didn’t understand it or didn’t see its value. In addition, nearly 60 percent of small and medium-sized business owners reported that they have not discussed MFA with their employees.
“So, yes, multi-factor is important, but it’s also equally important how it’s implemented,” Miller went on to explain. “It’s great if you have all the latest and greatest technology in your environment, but it’s only as good as the people you have who are configuring it and monitoring it.”
That said, John Merchant, executive vice president of cyber and technology E&O at Falcon Risk Services, said that underwriters have some challenges when trying to dive deeper into assessing their clients’ MFA use.
“If you are writing at volume, you do have to have a bit of a cutoff, and sometimes that cutoff is as blunt as, ‘Do you have this in place? Is it implemented? Yes.’ That’s kind of, unfortunately, as far as you can go oftentimes,” he said. “So, we are stuck with the reality of this situation, which is if you don’t have MFA in place, you either don’t get insurance or you do. Or you don’t have MFA in place, but we continually monitor, and then if you improve next year, we’ll revisit it. That’s where I see this evolving.”
If insurers are increasingly paying continuous attention to how insureds evolve their cybersecurity efforts in order to grant more coverage, that means insureds have to do continuous work, too, Merchant said.
“It’s no different than if you stay healthy, and you agree with your health insurer to wear some sort of monitor that keeps track of you all the time, and the incentive is to get better premiums next year,” he said.
The problem is that smaller businesses in particular don’t always have that bandwidth, he said.
“Not everybody listens,” he said. “I know, in reality, they’re running their own business. So, we do have to look at it from a kind of stepped-back situation. Maybe there’s this company that makes widgets, and that’s what they’re focused on all the time, and insurance is something that, to them, is sold once a year. Then they move on.”
So, how can insurers get their insureds to care about managing their cybersecurity more than once a year when their policy renews? Emma Werth Fekkas, regional vice president of underwriting for the East region at Cowbell Cyber, said it means insurers will have to do some work to educate policyholders.
“A lot of times, [smaller] companies don’t have a large budget. They don’t have the wherewithal to get the knowledge,” she said. “We have our own risk engineering team that will get on calls with our insureds throughout the policy period and kind of educate them. They’ll let them know with their budget what they can do, what they should put first, and put an implementation plan together for them. That’s become a really critical piece for us.”
She said that in working to educate insureds, she sees risk evaluation throughout the policy year becoming a critical change for cyber insurance culture.
“This isn’t something we look at once a year. This is something we’re monitoring throughout the year to make sure that risk is continuously improving and that [insureds] are doing their part,” she said. “That’s something that we have to get insureds to really think about—don’t just put this in place, send it to bed, walk away. It’s something you’re constantly looking at, constantly working with.”
As insureds work to improve their cybersecurity and make sure they’re using systems like MFA correctly, it’s important for them to also make sure that IT staff has a seat at the table with leadership, Werth Fekkas said.
“I think that’s something that we’ve seen change in the past couple of years as the cyber insurance market hardened. You saw more and more conversation about IT—budgets going up, more questions on our side about cyber governance and how far up does that trickle with what software you have in place, what offices do you have, what controls, what risk management,” she said. “I think we’re going to see more of that. I think we’re going to see more partnership between vendors and the carriers on the insurance side as well.”
Panelists cautioned that as long as cyber risks are constantly evolving, insureds and insurers alike will need to evolve with them.
“It becomes education and diligence,” Werth Fekkas said. “You know, we help them educate, we become a partner, and then we and the insured both become more diligent. Those are kind of the two key pieces for us: education and diligence.”
“Cybersecurity is constantly evolving, so you as defenders or organizations can’t just sit and say, ‘Yes, I have a solution I deployed. I configured it well. We’re good to go there,’” he said. “You have to continually revisit it and make sure that it’s still meeting your needs and hasn’t devolved. [Otherwise], you’re not protecting yourself.”