Canadian Underwriter

Why multi-factor authentication isn’t the cure-all for your client’s cyber woes

April 21, 2022   by Jason Contant

Computer security concept

Print this page Share

Staying one step ahead of cybercriminals seems to be a never-ending battle for insurers and insureds, cyber experts said during an industry event Wednesday.

“The problem is, as we increase our cyber hygiene and become better insureds, the criminals adapt and find new areas to gain access or new things to do in order to get in,” says Neal Jardine, global cyber risk intelligence & claims director with BOXX Insurance Inc. “It’s kind of like a game of Whack-a-Mole. You put MFA (multi-factor authentication) on and then they start designing their business email compromises around that.”

Cyber insurers are now often requiring businesses to implement MFA in order to obtain cyber insurance coverage. MFA adds a layer of protection to the sign-in process, requiring users to provide two or more verification factors to gain access to a resource such as an online account. For example, when accessing accounts or apps, users may also scan a fingerprint or enter a code received on a mobile device.

MFA is a secondary check to ensure “you’re the right person logged into your system,” Jardine says during Resetting Cyber Risk, a session at the 2022 virtual CIP Society Symposium.

“The beauty behind MFA is that if a hacker steals your credentials and tries to log into your system, you’re going to get a text message saying that someone’s trying to log in and then you’re like, ‘Wait a sec, that’s not me,’” Jardine says. “The downfall of MFA is hackers are aware of it.

CIP Society Symposium panel discussion on cyber

Neal Jardine (second, top row), global cyber risk intelligence & claims director with BOXX Insurance, speaking during a cyber panel discussion at the CIP Society Symposium.

“So, what they’re actually doing is sending social engineering emails out saying, ‘Hey, I’m with your bank. Please log in here and then give us a call so that we can verify your MFA code is correct,’” Jardine says. “And funny enough, we’re actually getting claims for that, which we’re seeing coming through. So as much as MFA is stopping a lot of [attacks], it’s also creating a new area.”

One webinar participant asked why, if a majority of clients are being forced to implement MFA to obtain insurance cyber, this isn’t reflected in premiums/deductibles once MFA is implemented.

The response? MFA is now really table stakes in the market.

The evolving landscape is also causing a shift in cyber underwriting, where the focus is increasingly on an insured’s cyber hygiene and what security controls they have in place. “We’re basically doing requirements like if you don’t patch your system every 15 or 30 days automatically, that’s going to affect our ability to provide you with proper coverage, because of the fact that you should have known or ought to have known or at least turned on automatic updates to prevent that,” Jardine says.

Looking ahead, the next requirement could be something like ensuring “the least amount of privilege given to the end user,” for example, Jardine says. “The idea behind it is, users only get access to data they need at the time. The moment they’re done using that data, that access is revoked, and that tries to stop [unauthorized access]. So, is that going to be the future in order to make it?”

A massive talent shortage in the security industry is also contributing to cyber risk, since fewer people are available to monitor and patch systems.

“Good hygiene [means] understanding what your environment is, how you interact with the world, and then constantly training your employees, shifting what you do, in order to try to stay ahead of that,” Jardine says. “This is going to be ever-evolving, ever-changing over time. You will need to keep up-to-date: What steps do you take in order to limit your cyber exposure? And really making sure you drill that down.”


Feature image by