I recently stumbled upon an article titled “Travelers Wants Out of Contract With Insured That Allegedly Misrepresented MFA Use” and I was immediately intrigued. Since I work at an organization that solves MFA problems for organizations my first thought was, why would this happen?
I’m not going to call out the organization in question here, you can read the article for yourself to learn more about that. But let’s uncover what happened:
- The cyber policy application signed by the CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access.
- However, following the May ransomware event, the insurer first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”
- The organization was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an administrator, the organization told the insurer of the attack during the application process and said it improved the company’s cybersecurity.
Let’s quickly discuss cyber insurance:
I’m sure you all have a policy, even if you’re not sure. Cyber insurance (also referred to as cyber liability insurance or data breach insurance) provides insurance coverage for events including data breaches, downtimes, and cyberattacks. Cyberattacks may include malware, ransomware, phishing, DDoS, hacking, insider threats, and more. Offerings and coverage will vary depending on the policy issuer.
So while the organization did have MFA in place, they did not fully commit to using it even after they experienced a previous breach. To me there are a couple of issues:
- If an organization puts an MFA solution in place why not use it?
- In this case, it feels like the organization brought in MFA just to meet a requirement, not for actual security needs.
When organizations focus on checkbox compliance, they get into trouble, case in point. It’s important for organizations to build a culture of security, not one based on checkbox compliance. I know I’m stating the obvious, but breaches are real and will happen to you if you’re not prepared. An insurance policy should not be the fallback.
We all have insurance policies in our personal lives. I’m pretty confident that very few people leave their keys in the car and unlocked and when the car was stolen, then be surprised if the insurance company did not pay the claim. There is a level of responsibility required of the policyholder to do what they can to prevent an incident that would lead to a claim. Unfortunately for Travelers, it looks as though their client did not take any responsibility to protect their environment.
One of our core values here at 1Kosmos is to make authentication easy AND secure for end users. So for organizations that may not have the best security practices, they can at least implement a technology that improves security and is very easy to use. That usability will go a long way toward protecting the environment because users will be more inclined to use it, making the environment more secure. Make your insurance your MFA, and leave the policy for when things happen beyond your control.