Infosec experts say CISOs must add multifactor authentication for logins to better protect their organizations against credentials theft.
But there’s also another reason. As of Jan. 1, many North American cyber insurers have a new rule: Without MFA organizations won’t get coverage.
That was one of the messages that came out of a panel on cyber insurance and cyber law at the Vancouver International Privacy and Cybersecurity Summit, which started Wednesday.
Derek May, a Vancouver-based account executive and cyber specialist at HUB International Insurance Brokers, said insurers are tired of paying claims for data breaches and have toughened their requirements for coverage.
At the end of last year, cyber insurers realized they had a loss ratio in cyber of 500 per cent, he said. That meant for every $1 in premiums they lost $5.
Since Jan. 1, organizations applying for cyber insurance have to show they are implementing a long list of cybersecurity technologies and practices including MFA and have an incident response plan to get coverage, May said.
Within minutes of his comments, another broker texted him, noting a firm he knows nearly had its cyber insurance cancelled because management was unwilling to implement MFA.
“I’m working with two or three organizations in that exact same position,” May said. “One of the large insurance companies that everyone knows has come out and said it will not insure a company anymore unless it has MFA. They are sending out non-renewal notices right now, saying, ‘If you can’t check yes on these three questions we’re cancelling the policy.’
“Very few insurers are not asking for some of these things.”
Meanwhile, May said, cyber insurance premiums and deductibles are going up. Municipalities, increasingly targeted by hackers, are finding it hard now to get coverage, he added.
Cyber insurance is now a “hand-in-hand partnership between the IT department, the company and the insurer.”
Depending on the coverage, cyber insurance covers the costs of a breach of security controls, such as restoring data, replacing hardware and software, and hiring forensic investigators, external lawyers and communications advisors.
It may not cover regulatory fines. That’s particularly important, said panellist Ruth Promislow, a Toronto-based partner at the Bennett Jones law firm, in light of the federal government’s proposed Canadian Privacy Protection Act (CPPA – Bill C-11, still in second reading). It would give a new Data Protection Tribunal the ability to levy multi-million dollar fines.
Promislow, who focuses on privacy law and cybersecurity, is often called in by clients after a data breach. Asked if she finds common problems, she replied, “I’m amazed at how often I get engaged and told there isn’t multifactor authentication – and they have insurance … Or they have it and the CEO didn’t like it and the CEO’s email was compromised.”
Another common problem discovered after a breach is the amount of old data the organization unnecessarily holds on to and should have deleted.
The conference ends today.