CybertronIT Blog

Cybertron has been serving the Wichita area since 2003, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

No MFA, No Cyber Insurance: What Insurers Now Demand

Cyber insurance used to be an optional add-on. Now it is closer to a requirement, and it has stopped being a simple transaction where you pay a premium and hand off your risk. Today the policy is a verification process. To get coverage and keep it, you have to meet real technical and operational standards. If your security falls below the baseline, you can be uninsurable no matter what premium you are willing to pay.

What a policy actually covers

Most policies are built on two kinds of coverage. First-party coverage handles your direct losses: the income lost while systems are down and the labor to rebuild data and software the attack corrupted. Third-party coverage handles your liability to others: the defense costs, settlements, and judgments when customers, vendors, or employees sue over mishandled data. With breach class actions now common and regulators active under rules like CCPA and GDPR, that second bucket is what often keeps a breach from ending the company.

The controls insurers now require

MFA everywhere. Multi-factor authentication is the baseline. If it is not on every email account, VPN, and admin portal, expect coverage to be denied. Insurers increasingly want it phishing-resistant with no legacy accounts left exposed.

Immutable backups. Your data has to live somewhere an attacker cannot alter, encrypt, or delete. Underwriters look for the 3-2-1-1 approach: three copies on two media types, one offsite, and one immutable or air-gapped.

EDR or XDR. Real-time endpoint detection that spots unusual behavior and isolates compromised devices is now expected, often with proof it is monitored around the clock.

A paper trail. You need documentation to prove all of the above: logs, configuration evidence, a written incident response plan, and results from tabletop exercises where leadership practices a breach.

The fine print that voids a claim

This is where businesses get burned. The failure-to-maintain clause is the big one. If you attested that MFA was enabled on an application and a breach comes through an account where it had been switched off, the insurer can deny the whole claim. That makes security a continuous obligation, not a box you tick once at renewal. Watch for two more. AI-related losses may fall outside a standard policy and need a specific rider. And systemic events, such as a nation-state attack or a major cloud provider failure, often carry sub-limits or outright exclusions.
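The controls listed above and the failure-to-maintain clause both come down to the same operational question: can you show, on any given day, that MFA, immutable backups, and EDR are still in place? The following is an added example (not Cybertron's code or any insurer's questionnaire) of a small drift audit that checks a control inventory against those three requirements. The inventory records, field names, and thresholds are constructed assumptions for illustration; in practice they would be fed from your identity provider, backup console, and EDR tenant.

```python
"""Control-drift audit against the insurer baseline (added example).

The inventory schema below (Account, Endpoint, BackupCopy) is an assumption
made for this example, not any vendor's real export format.
"""
from dataclasses import dataclass

# MFA methods treated as phishing-resistant for this example (assumption).
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}


@dataclass
class Account:
    name: str
    system: str            # e.g. "email", "vpn", "admin-portal"
    mfa: bool
    mfa_method: str = ""   # "totp", "push", "fido2", ...
    legacy_auth: bool = False  # basic/IMAP/POP auth that bypasses MFA


@dataclass
class Endpoint:
    hostname: str
    edr_agent: bool
    last_checkin_hours: float  # hours since the agent last reported in


@dataclass
class BackupCopy:
    location: str
    media: str        # "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool   # object-lock / WORM / air-gapped


def audit_mfa(accounts):
    """MFA everywhere, phishing-resistant, with no legacy auth paths left open."""
    findings = []
    for a in accounts:
        if not a.mfa:
            findings.append(f"{a.system}/{a.name}: MFA disabled")
        elif a.mfa_method not in PHISHING_RESISTANT:
            findings.append(f"{a.system}/{a.name}: MFA not phishing-resistant ({a.mfa_method})")
        if a.legacy_auth:
            findings.append(f"{a.system}/{a.name}: legacy auth enabled (bypasses MFA)")
    return findings


def audit_backups(copies):
    """3-2-1-1: three copies, two media types, one offsite, one immutable."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} backup copies (need 3)")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one media type (need 2)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable or air-gapped copy")
    return findings


def audit_endpoints(endpoints, max_silent_hours=24.0):
    """EDR present on every device and actually reporting in."""
    findings = []
    for e in endpoints:
        if not e.edr_agent:
            findings.append(f"{e.hostname}: no EDR agent")
        elif e.last_checkin_hours > max_silent_hours:
            findings.append(f"{e.hostname}: EDR agent silent for {e.last_checkin_hours:.0f}h")
    return findings


def run_audit(accounts, endpoints, copies):
    """Return findings per control area; an empty list means the control holds."""
    return {
        "mfa": audit_mfa(accounts),
        "backups": audit_backups(copies),
        "edr": audit_endpoints(endpoints),
    }


def is_insurable(report):
    """True only when every control area has zero findings (no drift)."""
    return all(len(items) == 0 for items in report.values())


# Constructed sample inventory: deliberately contains drift in each area.
SAMPLE_ACCOUNTS = [
    Account("cfo", "email", True, "fido2"),
    Account("helpdesk", "email", True, "totp", legacy_auth=True),
    Account("vpn-contractor", "vpn", False),
    Account("admin", "admin-portal", True, "passkey"),
]
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", True, 1.0),
    Endpoint("ws-02", False, 2.0),
    Endpoint("srv-03", True, 72.0),
]
SAMPLE_BACKUPS = [
    BackupCopy("primary-nas", "disk", offsite=False, immutable=False),
    BackupCopy("cloud-bucket", "object-storage", offsite=True, immutable=False),
]

if __name__ == "__main__":
    report = run_audit(SAMPLE_ACCOUNTS, SAMPLE_ENDPOINTS, SAMPLE_BACKUPS)
    for area, items in report.items():
        print(f"[{area}] {'OK' if not items else str(len(items)) + ' finding(s)'}")
        for line in items:
            print("   -", line)
    print("meets baseline:", is_insurable(report))
```

Run on a schedule, the report is the kind of dated evidence the "paper trail" requirement asks for, and a non-empty finding list is exactly the drift a failure-to-maintain clause would be invoked over.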

Cyber insurance is now a framework for how you run security, and insurers only share the risk if you can show the controls are real and maintained. Book a call and we will get you to the standard underwriters expect.
