The bad news on cyberattacks is as unrelenting as the attackers behind them. Companies hit by digital extortion attacks known as ransomware now make daily headlines, from the Colonial Pipeline and JBS meat-processing incidents to the SolarWinds software supply-chain compromise.
This rapid rise in ransomware losses has insurance carriers making drastic changes. For the last several years, most business sectors could secure quality cyber insurance with minimal application questions and very reasonable premiums. That has changed abruptly. Because of the increasing prevalence of cyberattacks, cyber insurers now require applicants to demonstrate that they have taken steps to prevent them. For example, most cyber insurance carriers now make multi-factor authentication (MFA), often called two-factor authentication or 2FA when exactly two factors are used, a condition of purchasing and renewing cyber insurance.
MFA Beefs Up Security
According to the Verizon 2020 Data Breach Investigations Report, roughly four in five hacking-related breaches involve stolen or weak credentials. Such evidence underscores the immediate need to make multi-factor authentication an essential part of the cybersecurity strategy of every employee benefit plan administrator.
All plans need a robust cybersecurity strategy to safeguard plan assets and participant data. Requiring additional authentication steps beyond a password before granting access to online accounts and resources is increasingly a cyber carrier's requirement rather than a suggestion. Requiring one or more verification factors beyond username and password defeats most credential-based attacks: a stolen or guessed password alone no longer opens the account. According to Microsoft, accounts with MFA enabled are 99.9% less likely to be compromised by identity-based attacks. MFA does not, by itself, address attacks that never touch a login, such as exploitation of unpatched internet-facing software, so it is a first control, not the whole strategy.
What is Multi-Factor Authentication?
Multi-factor authentication adds a second check to the login process. After you enter your username and password, the application asks for something else: typically a numeric code from a text message, an email, or a dedicated authenticator app on your phone, or a tap to approve a push notification. Users must complete two or more such verification steps before being granted access to their online accounts or to organizational resources such as a VPN.
The three categories of authentication factor are:
- Knowledge: something only the user knows, such as a password, a PIN, or answers to security questions
- Possession: something only the user has, such as a phone running an authenticator app or receiving a one-time code, a hardware security key, or a smart card or badge
- Inherence: something the user is, such as a fingerprint, face, or voice
MFA means combining factors from at least two different categories; a password plus a PIN is still single-factor, because both are things the user knows.
With push- or code-based MFA, a user whose password has been stolen will see an unexpected prompt or code when someone attempts to log in with their credentials, and the attacker cannot get in without that code or the user's approval. A user who receives an MFA prompt while not logging in should not approve it, and should contact their IT department immediately so the password can be changed and the account secured before an intrusion occurs.
The Euclid Perspective
Cyber Renewals Require MFA Policy Disclosures
Ready or not, MFA is no longer optional. The cyber market is changing quickly, and MFA is now a requirement for most cyber insurance. MFA is one of the first steps every employee benefit plan must take to stop cyber crime. Given the well-known weakness of passwords alone and the heavy losses cyberattacks cause, we find it surprising how many employee benefit plans, including sophisticated multiemployer plans, have no MFA standards. The problem extends to plan TPAs and even to the large, national fund administration firms.
We realize that instituting MFA standards carries cost and inconvenience. But plans that have not implemented MFA for remote access to email and to other systems containing private or sensitive participant information are wide open to cyberattacks with potentially disastrous results. These conditions must change, and carriers are insisting on it.
Many plans will find at their next cyber renewal that carriers have added a requirement that the applicant disclose its MFA policies. Carrier data from ransomware attacks shows that digital extortion claims are higher for entities without MFA in place. As a result, many plans without an affirmative MFA requirement for access to all plan data will be unable to secure cyber insurance or to renew their current cyber policy.