Over the past three years, a sharp increase in losses to cyber liability insurance carriers, with many of the losses attributable to ransomware attacks, has led to a sharp increase in insurance premiums. Due to these losses, cyber liability insurers are rapidly revising their underwriting criteria and in some cases are no longer willing to insure organizations that fail to meet these requirements.

Multi-Factor Authentication (MFA) is at the forefront of these new rules. Every organization in the financial services industry should review its cybersecurity program and confirm its use of MFA meets not only any statutory requirements but also the underwriting rules of its insurers.

Statutory MFA versus insurance MFA

An organization that meets statutory MFA may not meet the underwriting guidelines of its insurer.

For example, the new FTC Safeguards Rule requirement states financial institutions must implement MFA for anyone accessing customer information, requiring two of the three factors: a Knowledge Factor, meaning something the person knows such as a password, a Possession Factor, meaning something you have such as a token, and an Inherence Factor meaning something you are such as a fingerprint.

By contrast, although insurers will also expect the same factors to be present in MFA, cyber liability carriers will expect a greater degree of MFA protection around the organization. Business email access, MFA for remote employees, and MFA for administrator and elevated privilege access.

Common insurance requirements for MFA

Every independent cyber liability insurer will have different underwriting guidelines. There are, however, certain common requirements that more and more carriers are demanding prior to providing coverage.

As certain cybersecurity controls demonstrate greater effectiveness in preventing losses, underwriting guidelines are likely to become more standardized in the financial services industry. Some of the evolving underwriting rules include:

Frequency: MFA challenges should occur no less than every 24 hours.

Certificates: A user or device certificate (such as an electronic document embedded in a hardware device) will not be considered MFA by itself.

Remote Access: Remote access will always require MFA regardless of the job function or access rights of the user.

In addition, cyber liability insurers are frequently looking at particular services the organization uses and require MFA before agreeing to provide coverage. Most organizations should expect to be asked about MFA regarding these specific services:

Email and Office Software: MFA will be required for both email and word processing/spreadsheet software unless these services are provided by an on-premises server without internet access.

Remote Access: Remote access will likely include not just VPN for remote employees, but also desktop tools used to remote into systems for support.

Directory Access and Backup Systems: Domain administrators and management consoles for backups will be expected to have MFA.

Network Infrastructure: Management consoles of network equipment and local/domain-level administrator access rights will also require MFA.

Implementing MFA solutions

As an organization reviews its MFA program, the most important considerations are whether the MFA solution is compliant and meets insurance requirements. However, there are also significant other issues that need to be considered before deciding on an MFA solution.

The first consideration is the hard and soft costs of implementing MFA. Organizations should know both the cost of the license and how often will the MFA provider have the ability to raise fees. Credit unions and CUSOs should also evaluate the effort needed to train end users and support staff.  Furthermore, additional costs can be incurred if devices are required for MFA. For example, if the staff does not have or refuses to use cell phones for MFA, the organization will need to consider alternative methods such as tokens which may have their own costs to purchase.

The administration of the MFA solution is another key consideration. Because of the interruption of workflow, the end user experience with MFA will be inherently negative. There will be pressure from staff to limit the frequency of MFA interruptions. Furthermore, any enhancements and upgrades to the MFA solution will disrupt the organization and will need planning and rollback procedures. Credit unions and CUSO should prepare for these challenges and educate staff accordingly.

MFA vulnerabilities

Although MFA is effective, this solution is not bulletproof. Attackers have already figured out methods to defeat MFA. Credit unions and CUSOs should be aware of these attacks and ensure users and support staff are mindful of these issues as part of implementation and retraining.

“MFA fatigue” is rapidly evolving as a threat. Push-notification style authentication is very common with MFA solutions. After a user enters their user name and password, the user then receives a push notification asking them to confirm their second-factor authentication, such as control of a mobile phone. Malicious hackers bombard victims with MFA push notifications that appear to be legitimate so as to trick users into authenticating their login attempts. The victims approve similar notifications all the time, and due to the notification overload fail to spot the threat.

Session hijacking is another method that has been successfully used to defeat MFA. This attack tricks the user into visiting a malicious website. When the user provides credentials to a legitimate site, the session token needed to complete MFA is stolen by the attacker.

Attacks against MFA will almost certainly continue to evolve. Credit unions and CUSOs need to be up to speed on the latest threats to MFA and educate users and support staff accordingly.

Get started today or risk tomorrow

While the cyber insurance market appears to be stabilizing after years of steep premium increases, years of heavy losses have forced insurance carriers to tighten and reform their underwriting guidelines. MFA is the primary method by which insurers expect their insureds to limit cyber losses.

MFA may soon become as ubiquitous as encryption, driven by both legal challenges and the need to reduce losses as a result of ransomware. All financial service organizations should be prepared to review and implement MFA and ensure the solution meets not just statutory guidelines, but the underwriting requirements of its cyber liability insurers.