Insights From Encore Fiduciary on Fiduciary Liability & Other Risk Exposures of Employee Benefit Plans

Multi-factor Authentication is Now Required to Secure Cyber Insurance

The bad news on cyberattacks is as unrelenting as the hackers behind them.  We now see daily headlines about companies hit with digital extortion attacks known as ransomware, along with the shockwaves from the cyberattacks on Colonial Pipeline, JBS meat production, and SolarWinds.

This rapid rise in ransomware losses has insurance carriers making drastic changes.  For the last several years, most business sectors could secure quality cyber insurance with minimal application questions, and the premium has been very reasonable.  But that has changed abruptly.  Due to the increasing prevalence of cyberattacks, cyber insurers now require applicants to demonstrate that they have taken steps to prevent them.  For example, most cyber insurance carriers now make two-factor authentication, commonly called 2FA or Multi-Factor Authentication (MFA), a condition of purchasing and renewing cyber insurance.

MFA Beefs Up Security

According to the Verizon 2020 Data Breach Investigation Report, 4-in-5 hacking-related breaches involve stolen or weak passwords.  Such evidence underscores the immediate need to make multi-factor authentication essential to the cybersecurity strategies of employee benefit plan administrators.

All plans need a robust cybersecurity strategy to safeguard plan assets and participant data.  Requiring additional authentication steps beyond a password before allowing access to online accounts and resources is increasingly a cyber carrier’s requirement rather than a suggestion.  Simply requiring one or more verification factors beyond username and password defeats most cyberattacks.  The reason: according to Microsoft, enabling MFA blocks 99.9% of identity-based attacks.

What is Multi-Factor Authentication? 

Multi-factor authentication is an upgraded security process for user account access.  After you fill in your username and password, the application asks you for a numerical code (from a text message, an email, or a dedicated authentication app on your phone).  MFA requires users to verify their identity with two or more verification steps before they are granted access to their online accounts or an organization’s resources, such as a VPN.

The three categories of MFA identity factors are:

  1. Knowledge – things one knows, such as security question answers, one-time passwords (OTPs), and PINs           
  2. Possession – things one has such as a badge, pass, or a unique bar or QR code
  3. Inherence – biometric data like fingerprints, face and voice recognition

With MFA enabled, each user is notified if someone attempts to use their credentials to log in to their account. No one can access the data without the secondary authentication of a code or an approval by the user. If an MFA user receives a notification while not currently logging in, the user needs to contact the IT department immediately to change passwords and secure their data before an intrusion occurs.

The Euclid Perspective

Cyber Renewals Require MFA Policy Disclosures

Ready or not, MFA is no longer optional.  The cyber market is changing quickly, and MFA is now a requirement for most cyber insurance.  MFA is the first step every employee benefit plan must take to stop cybercrime.  Given the known weakness and the heavy losses cyberattacks cause, we find it surprising how many employee benefit plans, including sophisticated multiemployer plans, still do not employ MFA standards. The problem extends to plan TPAs, and even to the large, national fund administration firms.

We realize there are cost and inconvenience drawbacks from instituting MFA security standards. But plans that are not implementing MFA for remote access to email and other systems and programs containing private or sensitive plan participant information are wide open for cyberattacks with the potential for disastrous results. These conditions must change, and carriers are insisting on it.

Many plans will find at their next cyber renewal that carriers have instituted a new requirement that the applicant disclose its MFA policies. Carrier data from ransomware attacks shows that digital extortion claims are higher for entities without MFA requirements in place. As a result, many plans without an affirmative MFA requirement for access to all plan data will not be able to secure cyber insurance or renew their current cyber policy.

Disclaimer:  The Fid Guru Blog is intended to provide fiduciary thought leadership and advocacy for the plan sponsor community in areas of complex fiduciary litigation.   The views expressed on The Fid Guru Blog are exclusively those of the author, and all of the content has been created solely in the author’s individual capacity.  It is not affiliated with any other company, and is not intended to represent the views or positions of any policyholder of Encore Fiduciary, or any insurance company to which Encore Fiduciary is affiliated.  Quotations from this site should credit The Fid Guru Blog.  However, this site may not be quoted in any legal brief or any other document to be filed with any Court unless the author has given his written consent in advance.  This blog does not intend to provide legal advice.  You should consult your own attorney in connection with matters affecting your legal interests.
