At Trusona, one of the first questions we ask an organization is why they are here to talk with us about multi-factor authentication (MFA). It’s always valuable to hear directly from businesses rather than to assume or infer.
What’s interesting is that over the last few months, we’ve been getting an answer that we’ve never heard before — namely, “so we can reduce our cybersecurity insurance premiums.”
Cybersecurity insurance (or cyber liability insurance) is a relatively new, but increasingly popular form of insurance. And because of the extremely complex nature of cyber breaches and their impact, it’s also very much evolving.
Not surprisingly, the costs of cyber losses are now well into the hundreds of billions of dollars every year, and growing. According to IBM in their annual Cost of a Data Breach Report, the average total cost of a data breach increased by nearly 10% in 2021 — the largest single year cost increase in the last seven years — to around $4M.
At its root, cybersecurity insurance covers the aftermath of a security incident such as a cyberattack, hack or breach, including:
- Remediation costs such as forensics and cybersecurity consultants
- Losses due to theft of money or other tangibles
- Loss of data such as credit cards, social security numbers, etc.
- Ransomware payments
- Damage to reputation
- Legal fees
In order to formulate the various packages for the insurance liabilities, deductibles and premiums, the insurance companies require the business to complete a security assessment of their existing controls and measures. Obviously, the better a business fares here, the better their rates will be.
This is somewhat analogous to car insurance, where anti-theft systems such as a car alarm or handbrake lock will provide better rates. Naturally, the security posture of a business is far more complex, and the insurer will consider a much wider range of properties, including network security, data encryption, access controls, system monitoring, awareness training, and much more. Similarly, there is first-party insurance that covers the costs to the insured, as well as third-party insurance, which can also cover the costs to customers or partners as a result of the incident.
A company that adopts MFA solutions across their various devices, systems and applications clearly demonstrates to the insurance company that active measures are being taken to mitigate their cyber threat risk. The problem is that most of today’s MFA solutions still use static credentials (username/password) as the first factor.
According to the 2020 Verizon Data Breach Investigations Report, 81% of the total number of breaches leveraged stolen or weak passwords. Hackers have also become much more sophisticated with their attack tools, and can now bypass second factors of authentication too, such as an SMS message with a one-time passcode (OTP).
And let’s not forget the extreme friction and inconvenience that these layers of security add to the total user experience; it’s no wonder many users reject them altogether.
At Trusona, our primary purpose is to remove passwords from the authentication process since these are by far the weakest link in the security chain. Not only is the security posture significantly increased as a result of our passwordless MFA solutions, but so too is the user experience.
So, as the cybersecurity insurance market evolves, it’ll be interesting to see if the insurance companies give further incentives to those companies who have adopted and deployed passwordless MFA solutions over the standard MFA solutions due to their significantly enhanced security benefits. After all, insurance companies are about determining risk, and with passwords out of the equation, the security risk levels are significantly lower.
No doubt, the primary reason to adopt MFA solutions is first and foremost preventative in nature. But if, or when, that rainy day comes, a company using passwordless MFA would have the benefit of more favorable terms for their insurance coverage.