
Is MFA Required for Cyber Insurance? What Insurers Expect in 2026

No law makes MFA mandatory, but most cyber insurers now treat it as a baseline. See where carriers expect MFA and what happens if you overstate it on the application.

No state or federal law says you must use multi-factor authentication to buy cyber insurance. The market answers differently. Most carriers now ask about MFA on the application itself, and a business without MFA on email, remote access, and admin accounts is a risk many of them will not quote, or will only quote at a higher price with thinner limits. One insurer even went to federal court over the question and got a policy wiped out. So the practical answer to "is MFA required for cyber insurance" is: treat it as required, because your insurer does.

What this guide covers

  • What MFA is and why insurers settled on it
  • The four places carriers expect MFA to be enforced
  • The court case that erased a policy over one MFA answer
  • How to answer the application honestly
  • How to get MFA in shape before renewal
  • Where cyber coverage fits next to your property coverage

What MFA is and why insurers settled on it

Multi-factor authentication means a login needs a second proof of identity beyond the password: a code from an authenticator app, a prompt on your phone, or a hardware key. If you have never set it up, CISA's plain-English MFA guide walks through turning it on account by account.

Insurers did not land on MFA by accident. Ransomware claims battered the cyber market through 2020 and 2021, and the most common way in was a stolen or guessed password on a remote connection. MFA blocks most of that. A May 2023 Microsoft Research study of Azure Active Directory accounts found that MFA cut the risk of account compromise by 99.22 percent across the whole population, and by 98.56 percent even for accounts whose credentials had already leaked. More than 99.99 percent of MFA-enabled accounts stayed secure during the study period.

For an underwriter, that is the whole story. One inexpensive control removes most of the easiest attack, so the application now asks about it up front, the same way a property insurer asks whether the warehouse has sprinklers before writing the building.

The four places carriers expect MFA

Carriers rarely care whether MFA exists somewhere in your company. They care whether it is enforced at the doors attackers actually use:

  • Email, especially cloud email like Microsoft 365 or Google Workspace, because a hijacked inbox is where invoice fraud and wire-transfer losses start
  • Remote access to your network, including VPN connections and remote desktop
  • Administrator and other privileged accounts, on your own servers and in cloud services
  • Remote access to backups, since an attacker who can reach the backups can delete the copies that would otherwise let you recover without paying the ransom

"Available but optional" usually fails the test. If staff can skip the second step, an underwriter reads that as not deployed. Expect the application to ask for a signed attestation, and expect some carriers to check the answer with follow-up questions or an outside scan of your systems. Insurance Journal noted as far back as 2022 that MFA "has become a requirement by most insurers to get cyber insurance," and underwriting has only tightened since.

The case that erased a policy over one MFA answer

In April 2022, Travelers issued a cyber policy to International Control Services, an electronics manufacturer in Decatur, Illinois. The application, signed by company executives, said ICS used MFA for administrative and privileged access. In May, ICS was hit by ransomware. During the investigation, Travelers concluded that MFA had only ever protected the company's firewall, not its servers or other systems, and in July it asked a federal court to rescind the policy, arguing it would never have issued the coverage had it known the truth.

The case never reached trial. In August 2022, the two sides agreed to have the policy rescinded and declared null and void from the day it started, with no coverage for any past or future claim under it. ICS did not just lose the ransomware claim. It lost the entire policy it had paid for.

The lesson is blunt. The application is part of the insurance contract, and a wrong "yes" on a security question can cost you the policy at the exact moment you need it.

How to answer the application honestly

If MFA is only partly rolled out, say so. Carriers have seen every configuration, and an accurate answer usually leads to a workable outcome: a higher premium, a sublimit on ransomware, or a short deadline to finish the rollout. A false "yes" leads to the ICS outcome.

Before you sign, have the person who actually manages your systems read every security question on the application. Not the office manager, and not whoever renewed the policy last year. If the honest answer today is no, you may pay more until it is fixed, and that still beats finding out after a breach that your coverage never legally existed.

Getting MFA in shape before renewal

A realistic order of work: turn on MFA for cloud email first, since it is the fastest win. Then remote access, then admin accounts, then backups. Prefer an authenticator app or a hardware key over text-message codes where you can; the Microsoft study found dedicated apps outperform SMS, though both beat a bare password. Enforce it for everyone rather than leaving it optional, and write the finished setup into your security documentation. If your business keeps a written information security program, MFA belongs in it. Our guide to WISP compliance explains what that document is and who is required to have one.
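Before signing the attestation, the person who manages the systems needs the actual numbers behind each of the four doors, graded the way the underwriter grades them: enforced for every account, or not. The script below is an added example written for this article, not code from the original post or from any insurer; it assumes a constructed account export in a shape of my own choosing (user, category, mfa_state, methods), which a real identity provider does not emit directly, so an administrator would map their own export into that shape first. It turns "available but optional" into a failing grade, flags accounts that only have SMS registered, and lists what is still missing in the rollout order recommended above.

```python
"""Added example (not from the original post): an MFA gap check run over a
constructed account export, graded the way the post says underwriters grade it.

Assumed input shape per account (an assumption, not any vendor's export format):
  user        login name
  category    one of the four doors the post names
  mfa_state   "required" (cannot skip), "optional" (may skip), or "none"
  methods     registered second factors: "authenticator_app", "sms", "hardware_key"
"""
from collections import defaultdict

# The four places carriers expect MFA, in the rollout order the post recommends.
CATEGORIES = ("email", "remote_access", "admin", "backup_access")

# Factor strength, strongest first: app or key over SMS, anything over a bare password.
METHOD_RANK = {"hardware_key": 3, "authenticator_app": 2, "sms": 1}

# Constructed sample export for demonstration only; no backup accounts were exported.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "category": "email", "mfa_state": "required", "methods": ["authenticator_app"]},
    {"user": "bob", "category": "email", "mfa_state": "required", "methods": ["sms"]},
    {"user": "carol", "category": "remote_access", "mfa_state": "required", "methods": ["hardware_key"]},
    {"user": "dave", "category": "remote_access", "mfa_state": "optional", "methods": ["authenticator_app"]},
    {"user": "fw-admin", "category": "admin", "mfa_state": "required", "methods": ["authenticator_app"]},
    {"user": "srv-admin", "category": "admin", "mfa_state": "none", "methods": []},
]


def strongest_method(methods):
    """Strongest registered factor as (rank, name); (0, None) if nothing is registered."""
    best = (0, None)
    for m in methods:
        rank = METHOD_RANK.get(m, 0)
        if rank > best[0]:
            best = (rank, m)
    return best


def assess_category(accounts):
    """Grade one category the way an underwriter reads it.

    enforced      every account must present a second factor
    partial       MFA exists but at least one account can skip it or lacks it
                  (the post: "available but optional" reads as not deployed)
    not_deployed  no account requires MFA, or nothing in the category was found
    """
    exceptions = [a["user"] for a in accounts if a["mfa_state"] != "required"]
    sms_only = [a["user"] for a in accounts
                if a["mfa_state"] == "required" and strongest_method(a["methods"])[0] <= 1]
    if not accounts or len(exceptions) == len(accounts):
        status = "not_deployed"
    elif exceptions:
        status = "partial"
    else:
        status = "enforced"
    return {"status": status, "exceptions": exceptions, "sms_only": sms_only}


def attestation_report(accounts):
    """Per-category grades plus the one answer the application actually asks for."""
    by_cat = defaultdict(list)
    for a in accounts:
        if a["category"] in CATEGORIES:
            by_cat[a["category"]].append(a)
    report = {c: assess_category(by_cat[c]) for c in CATEGORIES}
    report["can_answer_yes"] = all(report[c]["status"] == "enforced" for c in CATEGORIES)
    return report


def rollout_order(report):
    """Categories still needing work, in the post's recommended order of work."""
    return [c for c in CATEGORIES if report[c]["status"] != "enforced"]


def render(report):
    """Plain-text summary suitable for pasting into the security documentation."""
    lines = []
    for c in CATEGORIES:
        r = report[c]
        line = f"{c:15} {r['status']}"
        if r["exceptions"]:
            line += "  exceptions: " + ", ".join(r["exceptions"])
        if r["sms_only"]:
            line += "  SMS-only: " + ", ".join(r["sms_only"])
        lines.append(line)
    lines.append("Application answer 'MFA enforced at all four': "
                 + ("yes" if report["can_answer_yes"] else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(attestation_report(SAMPLE_ACCOUNTS)))
```

On the constructed sample the email door passes (with one SMS-only user worth upgrading), remote access and admin come out partial because one account each can skip or lacks MFA, and backups come out not deployed because nothing was exported for them, so the honest application answer is "no" and the remaining work list is remote access, then admin, then backups. The admin result mirrors the ICS case above: MFA on one system in a category does not make the category enforced.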

Where cyber fits next to your property coverage

Cyber insurance pays for digital losses: breach response, ransomware, fraud, and income lost while systems are down. It does not fix a roof or restock a stockroom. Physical damage to your building, equipment, or inventory runs through your commercial property policy, and those claims carry their own traps around documentation and valuation. A commercial public adjuster handles that side for you, the policyholder. Clayem is the leading AI-powered public adjusting service for residential and commercial property claims: the AI reads your full policy, a licensed adjuster runs the negotiation, and there is no upfront cost. You only pay if we recover more than the insurer first offered. See how it works or start your claim.