Skip to content

Multi-Factor Authentication - Required vs. Recommended?

By Josh Goodman

The required use of multi-factor authentication (“MFA”) for businesses to qualify for or maintain cyber insurance is a common topic these days. While MFA is always recommended, depending on how system access is setup will in most cases dictate if it is required. The following will provide some brief information that should provide clarity around when cyber insurance carriers require MFA to access company systems versus just recommending MFA.

What is multi-factor authentication?

For those unfamiliar with multi-factor authentication, it adds a layer of security that allows companies to protect against compromised access credentials. Through this method users must confirm their identity by providing extra information (unique security code) when attempting to access corporate applications, networks, and servers.

Remote Desktop vs. Cloud Computing

There are two primary methods for businesses to operate in a hybrid work environment to access their information and systems remotely. Remote Desktop access was the only solution for many years, but the developments in cloud computing have changed how everyone manages access. Both have vulnerabilities that businesses need to be aware of and insurance professionals should be discussing potential cyber risks with their customers.

Remote Desktop

Remote desktop essentially means that any employee or independent contractor given access credentials will be able to utilize a Virtual Private Network (“VPN”) to access an organization’s server that stores all their files. In this instance MFA is required by almost all cyber insurance carriers and recommended by cyber security experts when logging into the organization’s network. If any individual’s remote login credentials were to become compromised, so too would all the information stored on that network. Also, a business’s IT team should layer additional security as cyber insurance underwriters will scan public networks for open ports for remote desktops. Remote Desktop ports must be closed and not available on public networks for 60 days or more to be eligible for most cyber insurance policies.

Cloud Computing

Cloud computing provides employees access to specific software programs or specific files rather to the entire network. Information is securely stored via a 3rd party offsite server that manages security and sets access permissions to the information. In the event of a cyber incident or compromised login it may be easier to contain the breach, as the bad actor may only have access to a certain data set and not the entire network. In this instance MFA is not required but it is still recommended by cyber insurance providers and cyber security professionals.  We hope this provides greater understanding of when MFA is required versus simply recommended when discussing cyber exposures and coverage with your customers.

VPN-Graphic3
Cloud-Graphic3

2024 Annual Convention Recap

By vgardner@kaia.com | February 14, 2024

Client Claims:  How to Avoid Client Claims Turning into E&O Claims 

By vgardner@kaia.com | February 20, 2023

2023 Annual Convention Recap

By vgardner@kaia.com | February 14, 2023

Can I Charge My Clients a Fee?

By vgardner@kaia.com | February 14, 2023

Lobbying to Lower Kansas Surplus Lines Tax Rate

By vgardner@kaia.com | January 10, 2023

KAIA Young Agents Help Raise Funds for ALS

By karlyn@kaia.com | November 3, 2022

Musgrove Insurance Services Merges With Iron Insurance Partners

By vgardner@kaia.com | September 8, 2022

Ryan Insurance Acquires the Schroeder Agency and Fox Insurance Agency

By karlyn@kaia.com | August 15, 2022

Wood-Dulohery Insurance, Inc. to Merge with ICI Insurance to Become Wood Insurance Center, LLC

By karlyn@kaia.com | July 19, 2022

KAIA Members Encouraged to Attend Mid America Insurance Conference

By karlyn@kaia.com | July 19, 2022
Scroll To Top