The Multi-Factor Authentication (MFA) controls described below are now the minimum controls required by more and more cyber insurance carriers as policies come up for renewal. MFA is expected to become the cyber insurance underwriting standard before long.
What is Multi-Factor Authentication?
Multi-factor authentication refers to the use of two or more independent means of identification and access control, commonly summarized as “something you know, something you have, and something you are.” A username and password, for example, is something you know. Requiring a code sent via text message (SMS) establishes “something you have,” i.e., a mobile phone belonging to you; note that SMS is the weakest form of this factor, because codes can be intercepted through SIM-swap or phishing, and an authenticator app or hardware token is stronger. Biometric authentication, through a fingerprint or iris scan, establishes “something you are.” Multi-factor authentication is in place when at least two of these distinct categories are required to verify a user’s identity when accessing systems; two factors of the same category (two passwords, for instance) do not qualify.
Why require Multi-Factor Authentication for Remote Network Access?
Requiring multi-factor authentication for remote network access is an important security control that reduces the potential for a network compromise caused by lost, stolen, or phished passwords. Without this control an intruder holding a valid password can log in to an insured’s network exactly as the authorized user would, and nothing in the login itself distinguishes the two.
How Multi-Factor Authentication for Administrative Access Helps
Requiring multi-factor authentication for both remote and internal access to administrative accounts helps to prevent intruders who have compromised an internal system from elevating privileges and obtaining broader access to the network. Because deploying ransomware across a network typically requires administrative access, this control can deny an intruder the level of access needed to do so.
How Multi-Factor Authentication for Remote Access to Email Helps
Requiring multi-factor authentication for remote access to email reduces the potential for a compromise of corporate email accounts caused by lost or stolen passwords. Without this control an intruder with a valid password can easily gain access to a user’s corporate email account. Threat actors often use this access for cyber crime schemes such as business email compromise, sending fraudulent payment requests from the hijacked account to the impacted organization and its clients and customers.
Confirmation that these minimum controls are in place is now required by most insurance carriers for an organization to be eligible for a Cyber Risk policy.
The following attestation is to be completed with the assistance of the person(s) in charge of network security. If network security is outsourced to a managed security provider or other 3rd party, the attestation questions below should be completed with their assistance.
MULTI-FACTOR AUTHENTICATION ATTESTATION
1. Multi-factor authentication is required for all employees when accessing e-mail through a website or cloud-based service.
   ☐ Yes ☐ No ☐ Email is not web based
2. Multi-factor authentication is required for all remote access to the network provided to employees, contractors, and 3rd party service providers.
   ☐ Yes ☐ No
3. In addition to remote access, multi-factor authentication is required for the following, including such access provided to 3rd party service providers:
   a. All internal & remote admin access to directory services (Active Directory, LDAP, etc.).
      ☐ Yes ☐ No
   b. All internal & remote admin access to network backup environments.
      ☐ Yes ☐ No
   c. All internal & remote admin access to network infrastructure (firewalls, routers, switches, etc.).
      ☐ Yes ☐ No
   d. All internal & remote admin access to the organization’s endpoints/servers.
      ☐ Yes ☐ No
4. The signer of this form has done so with the assistance of the person in charge of IT security.
   ☐ Yes ☐ No
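Before signing, the person in charge of network security should be able to show which accounts fall under each attestation item and that every one of them has MFA enforced. The script below is an added example, not part of the attestation form or any carrier’s tooling: it evaluates items 1 through 3 against an account inventory. The CSV columns (`owner_type`, `remote_access`, `webmail`, `admin_scopes`, `mfa_method`) and the sample rows are constructed for this example; a real run would export equivalent fields from the directory, VPN, and mail platforms. Third-party and contractor accounts are checked exactly like employee accounts, as items 2 and 3 require, and accounts whose only factor is SMS are reported separately as a weak-factor warning rather than a failure.

```python
"""Gap check for the MFA attestation items above (added example).

Reads an account inventory and reports, per attestation item, which
in-scope accounts still lack MFA. Column names and sample data are
assumptions made for this example, not a real export format.
"""
import csv
import io

# Constructed sample export (not real data). Columns are assumptions:
#   account, owner_type (employee|contractor|third_party),
#   remote_access (yes|no), webmail (yes|no),
#   admin_scopes (semicolon list of directory|backup|network|endpoint),
#   mfa_method (none|sms|app|hardware)
SAMPLE_EXPORT = """account,owner_type,remote_access,webmail,admin_scopes,mfa_method
alice,employee,yes,yes,,app
bob,employee,yes,yes,directory;endpoint,sms
carol,contractor,yes,no,,none
msp-svc,third_party,yes,no,backup;network,none
dave,employee,no,yes,endpoint,app
erin,employee,no,no,,none
"""

# Scope predicate for each attestation item; an account is in scope for an
# item regardless of owner_type, because items 2 and 3 include 3rd parties.
ATTESTATION_ITEMS = {
    "1. Web/cloud e-mail": lambda a: a["webmail"] == "yes",
    "2. Remote network access": lambda a: a["remote_access"] == "yes",
    "3a. Directory services admin": lambda a: "directory" in a["admin_scopes"],
    "3b. Backup environment admin": lambda a: "backup" in a["admin_scopes"],
    "3c. Network infrastructure admin": lambda a: "network" in a["admin_scopes"],
    "3d. Endpoint/server admin": lambda a: "endpoint" in a["admin_scopes"],
}

# SMS counts as MFA for the attestation but is the weakest possession factor
# (SIM swap, phishing), so it is surfaced as a warning rather than a failure.
WEAK_FACTORS = {"sms"}


def load_accounts(text):
    """Parse the CSV export; admin_scopes becomes a set of scope names."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["admin_scopes"] = {s for s in row["admin_scopes"].split(";") if s}
        rows.append(row)
    return rows


def evaluate(accounts):
    """Return {item: {"answer", "in_scope", "missing", "weak"}} per item.

    "answer" is the Yes/No the form can truthfully carry: "Yes" only when no
    in-scope account has mfa_method == "none". Accounts that are in scope for
    nothing (e.g. erin above) never affect any answer.
    """
    report = {}
    for item, in_scope in ATTESTATION_ITEMS.items():
        scoped = [a for a in accounts if in_scope(a)]
        missing = sorted(a["account"] for a in scoped if a["mfa_method"] == "none")
        weak = sorted(a["account"] for a in scoped if a["mfa_method"] in WEAK_FACTORS)
        report[item] = {
            "answer": "No" if missing else "Yes",
            "in_scope": len(scoped),
            "missing": missing,
            "weak": weak,
        }
    return report


def format_report(report):
    """Render the report as one line per attestation item."""
    lines = []
    for item, r in report.items():
        line = f"{item}: {r['answer']} ({r['in_scope']} in scope)"
        if r["missing"]:
            line += f"; no MFA: {', '.join(r['missing'])}"
        if r["weak"]:
            line += f"; SMS only: {', '.join(r['weak'])}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(evaluate(load_accounts(SAMPLE_EXPORT))))
```

On the constructed sample, item 1 can be answered Yes, while items 2, 3b, and 3c must be answered No until the contractor account and the managed service provider’s service account are enrolled; bob’s SMS-only enrollment is reported so the organization can move directory and endpoint administrators to a stronger factor.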
The attestation must be signed and dated by an Executive Officer of the organization applying for coverage.
If you are uninsured for Cyber Risk, this is the year to purchase Cyber insurance and be covered in the event of a breach of your systems or loss of information. Your VANTREO team brings the Cyber and Privacy expertise needed to help protect both your organization and its people. We’re here to help. If you’d like more info, just let us know. Reply here. We look forward to the conversation.