Get Compliant with Cyber Insurance Requirements
Adopt Phishing-Resistant MFA and Passwordless Authentication
Reduce Risk & Remove Friction
Traditional MFA methods and passwords are grounds for higher premiums and non-renewals
With 84% of breaches being credential-related, increasing attention has been paid to authentication, and traditional MFA is now in the crosshairs as no longer being effective at thwarting attacks.
IT and security professionals are also aware of this MFA reckoning, as shown in a 2023 survey report.
Insurers are deciding that traditional MFA doesn’t reduce the risk exposure enough for them to offer favorable cyber insurance policies.
55% of security and identity experts are not confident that traditional MFA is enough to thwart attacks
Why Adopt Passwordless Authentication?
Strengthened security. More coverage. Fewer exclusion policies.
Exceed cyber insurance compliance with passwordless continuous authentication based on FIDO2 standards.
Nine of the Top 10 cyber insurance agencies have passwordless recommendations or requirements so they can provide their customers with:
- The strongest coverage,
- The lowest premiums, and
- No insurance coverage exclusions written into contracts
See example below of an insurance carrier protection package. Note that they consider passwordless authentication as baseline protection.
Arculix is able to meet minimum, baseline, and best protection requirements with its passwordless continuous authentication product.
“We deployed passwordless authentication technology to get a $100 million coverage package with no exclusionary policies. This was huge for us as most plans include some sort of exclusionary clause.”
– Chief Compliance Officer, Healthcare Insurance Provider
Minimum protection
- Email tagging
- Email content and delivery – sender policy framework (SPF) checks
- Office 365 add-ons and configuration
- Backup and Recovery Policies
  - Back up key systems and databases
- Deploy and maintain a well-configured and centrally managed antivirus solution
- Macros: limit use
- Patching cadence
- Well-defined and rehearsed incident response process
- Educate your users (phishing training, etc.)
- Manage access effectively (i.e., MFA, privileged access)
Baseline protection
- Backup and Recovery Policies
  - Regular testing of backups
  - Disconnect backups from the organization’s network
  - Separately stored, unique backup credentials
- Establish a secure baseline configuration
- Filter web browsing traffic
- Use of protective DNS
- Endpoint detection and response (EDR) tools
- Passwordless authentication
Best protection
- Backup and Recovery Policies
  - Encrypted backups
- Comprehensive centralized log monitoring
- Subscription to external threat intelligence services
- Network segregation (i.e., via access control or well-configured firewall)
Traditional versus Invisible MFA
Know the differences in MFA approaches
New approaches to authentication are available to future-proof your business for cyber insurance compliance and beyond. Before you roll out any MFA initiative, be sure it’s powered by a risk-based, continuous authentication platform, so you gain full context on user behavior throughout the digital journey, including post-authorization. This is achieved with invisible MFA, which is not only phishing-resistant but also provides a frictionless user experience with a strong security posture.
In September 2023, our Federal Government, Energy and Financial Services customers were banned from using MFA methods like one-time passwords (OTPs), push to text, push to email, and personal identification numbers (PINs). The Reckoning is already a reality for these regulated industries.
“Not all forms of MFA are equally secure. Phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort.”
– CISA Fact Sheet on Implementing Phishing-Resistant MFA [October 2022]
Invisible MFA
- Provides user context throughout the digital journey
- Adds friction (i.e., prompts) only when risk appears
- Leverages advanced MFA methods like behavior and passwordless
Traditional MFA
- Provides only point-in-time context, no control before authentication or post authorization
- Adds an MFA prompt every time at authentication
- Uses methods that are easy to hack / bomb (push to text / push to email)
“OTPs & PINs are easily exploitable with ‘MFA bombing,’ ‘man-in-the-middle,’ and other attacks. It is time for organizations to move beyond legacy forms of MFAs.”
Future-Proof Your Organization
MFA preparedness for cyber insurance
When applying for cyber insurance, applicants must fill out questionnaires about their existing security product stack. These questionnaires have grown lengthier and more technical over the last several years.
Here are some sample questions from underwriters, and some potential questions that could start cropping up as they require more robust forms of MFA. Will you be prepared?
MFA Questions Underwriters Are Asking Now
- Do you enforce MFA for all admin users on your network?
- Do you enforce MFA for ordinary users on your network?
- Do you permit users remote access to web-based email?
  - If yes, do you enforce MFA for access?
- Do you permit ordinary users local admin rights to their devices (laptops)?
- Do you provide your employees with password management software?
MFA Questions Underwriters May Soon Ask
- Can you specify the MFA methods that you utilize? Are you using push to text and other non-secure methods?
- Do you use real-time risk scoring to continually authenticate users and accounts?
- Can you secure users post authorization?
- Do you utilize device trust for a more comprehensive security approach?
- What is your MFA adoption rate? Are you getting push-back from users due to MFA fatigue (i.e., too many prompts)?
- Are you using MFA methods that bypass the use of passwords?
Why Choose Arculix for Cyber Insurance Compliance
Purpose-built for authentication security
To stay ahead of the latest hacker attacks and exceed cyber compliance, you need a novel approach to MFA: one that is powered by a risk-based, continuous authentication platform providing passwordless options, device trust, and security controls throughout the digital journey, including post-authorization.
Authentication that goes beyond the binary
Get ultimate transparency on how risk is measured with our patented policy-based and AI/ML risk analyzers. The risk engine provides the most accurate, real-time risk scores (based on NIST standards).
The behavioral modeling approach allows you to:
- Determine when to increase user friction based on the DLOA (Dynamic Level of Assurance)
- Provide security even post authorization, as risk is continuously checked throughout the user journey
Mobile. Desktop. Laptop. Server.
Get data from all devices to provide a comprehensive risk view to:
- Streamline remote audit logs and control of user access.
- Stitch data together for an accurate trust chain and compliance processes.
- Detect threats across all endpoints.
- Consolidate authentication processes for Windows and macOS environments.
Delight users. Strengthen security.
Arculix is the only product that combines and analyzes data from your mobile devices, workstations, and browser fingerprint to truly determine identity. This is the underlying next-gen technology that powers our invisible MFA approach.
It allows you to:
- Eliminate MFA fatigue by reducing the number of prompts from all devices, apps, VDI, VPN and SSO.
- Strengthen security as fewer prompts result in fewer MFA bombing attacks.
- Increase MFA adoption as users will appreciate the frictionless experience.
- Improve user experience by consolidating to a single passwordless solution.
“We enabled 95% of our workforce with Arculix’s invisible MFA & device trust. Its risk-based authentication approach provides a massive decrease in breaches.”