The 90% MFA Mandate
Ninety percent of cyber insurance policies now require multi-factor authentication (MFA) on privileged accounts. Aon’s Cyber Insurance Market research documents the evolution: insurers learned from claims data which controls actually prevent breaches.
The requirement creates coordination challenges. Your policy mandates MFA. Your MSP manages your systems. If MFA isn’t properly implemented, who’s liable when the claim is denied?
The Control Verification Gap
Insurance applications require attestation about security controls. The MSP implements those controls. The attestation comes from you.
| Control Area | Who Attests | Who Implements | Gap Risk |
|---|---|---|---|
| MFA on admin accounts | You | MSP | Attestation accuracy |
| Endpoint protection | You | MSP | Coverage completeness |
| Backup procedures | You | MSP | Recovery capability |
| Patch management | You | MSP | Currency verification |
| Access reviews | You | MSP | Actually performed |
The gap: you attest to controls you don’t directly manage. If the attestation is wrong, you bear the consequence.
The Denial Pattern
Cyber insurance denial rates increased 20% in 2023. Denials follow patterns:
Application misrepresentation. You said MFA was implemented. The breach revealed it wasn’t on all systems. Denial.
Control lapse. You maintained controls at application time. They degraded before the breach. Denial.
Known vulnerability. You knew about the vulnerability that was exploited. You didn’t remediate. Denial.
Notification failure. You didn’t notify the insurer promptly. Coverage disputed.
Each pattern involves information the MSP controls and you attested to.
The Attestation Accuracy Problem
How do you know what you’re attesting is true?
Passive trust. MSP says controls exist. You trust them.
Documentation review. You review MSP documentation of controls. Documentation may not match reality.
Evidence collection. You collect actual evidence of control implementation. Requires technical capability.
Independent verification. Third party validates controls. Adds cost but provides assurance.
The assurance level matters when claims are evaluated. “We trusted our MSP” may not survive denial appeal.
The Control Requirement Evolution
Insurance control requirements escalate:
| Era | Typical Requirements | Current Requirements |
|---|---|---|
| 2018 | Basic security, backup | Comprehensive controls |
| 2020 | MFA recommended | MFA required |
| 2022 | EDR recommended | EDR required |
| 2024 | Specific tool requirements | Continuous verification emerging |
Policies renew annually. Requirements change. MSP implementations must keep pace. The gap between policy requirements and actual controls creates denial exposure.
The MSP Coordination Framework
Effective coordination requires:
Control requirement sharing. MSP receives a copy of the insurance requirements at policy inception and renewal.
Implementation confirmation. MSP confirms that controls meeting the requirements are implemented.
Evidence provision. MSP provides evidence suitable for audit or claim support.
Change notification. MSP notifies when control changes might affect attestations.
Gap identification. MSP flags when requirements exceed current implementation.
The framework doesn’t guarantee coverage. It reduces denial risk from coordination failures.
The Documentation Trail
If a claim occurs, you’ll need documentation:
Implementation evidence. When was each control implemented? What evidence exists?
Configuration records. What were the settings? Do they meet policy requirements?
Testing records. Was the control tested? When? With what results?
Change history. What changed between implementation and incident?
Responsibility records. Who was responsible for each control?
The MSP generates most of this documentation. Ensure it’s accessible, not just theoretically available.
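What “evidence collection” and a “testing record” look like in practice for the MFA-on-admin-accounts control, as an added example that is not part of the article: it compares the privileged-account state at attestation time against the current state, reports MFA coverage and gaps, and flags drift (the control-lapse pattern) for the documentation trail. The account export format, field names and role-naming rule are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timezone

# Constructed sample data shaped like an identity-provider account export
# (hypothetical field names, not from any specific product or the article).
ATTESTATION_SNAPSHOT = [
    {"user": "alice", "roles": ["GlobalAdmin"], "mfa_enforced": True},
    {"user": "bob", "roles": ["HelpdeskAdmin"], "mfa_enforced": True},
    {"user": "svc-backup", "roles": ["BackupAdmin"], "mfa_enforced": True},
    {"user": "carol", "roles": ["User"], "mfa_enforced": False},
]
CURRENT_SNAPSHOT = [
    {"user": "alice", "roles": ["GlobalAdmin"], "mfa_enforced": True},
    {"user": "bob", "roles": ["HelpdeskAdmin"], "mfa_enforced": False},   # lapsed since attestation
    {"user": "svc-backup", "roles": ["BackupAdmin"], "mfa_enforced": True},
    {"user": "dave", "roles": ["ExchangeAdmin"], "mfa_enforced": False},  # added after attestation
    {"user": "carol", "roles": ["User"], "mfa_enforced": False},
]

def privileged(accounts):
    """Admin accounts keyed by user. Assumption: a role name ending in 'Admin' is privileged."""
    return {a["user"]: a for a in accounts if any(r.endswith("Admin") for r in a["roles"])}

def mfa_gaps(accounts):
    """Privileged accounts without MFA enforced: what an accurate attestation must not miss."""
    return sorted(u for u, a in privileged(accounts).items() if not a["mfa_enforced"])

def coverage(accounts):
    """Fraction of privileged accounts with MFA enforced (1.0 when there are none)."""
    priv = privileged(accounts)
    return 1.0 if not priv else (len(priv) - len(mfa_gaps(accounts))) / len(priv)

def drift(attested, current):
    """Changes since the attestation snapshot that would make the attestation inaccurate."""
    before, after = privileged(attested), privileged(current)
    return {
        "lapsed": sorted(u for u in before if u in after
                         and before[u]["mfa_enforced"] and not after[u]["mfa_enforced"]),
        "new_without_mfa": sorted(u for u in after if u not in before and not after[u]["mfa_enforced"]),
        "removed": sorted(u for u in before if u not in after),
    }

def evidence_record(attested, current, checked_at=None):
    """Testing record for the documentation trail: what was checked, when, and with what result."""
    checked_at = checked_at or datetime.now(timezone.utc)
    return {"control": "MFA on admin accounts", "checked_at": checked_at.isoformat(),
            "coverage": coverage(current), "gaps": mfa_gaps(current),
            "drift_since_attestation": drift(attested, current)}

if __name__ == "__main__":
    print(evidence_record(ATTESTATION_SNAPSHOT, CURRENT_SNAPSHOT))
```

Run quarterly against a fresh export and keep each record: a trail of dated results is the evidence, where the MSP’s statement that MFA is enforced is not.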
The Compliance Attestation Alignment
Compliance frameworks overlap with insurance requirements:
| Framework | Common Requirements | Insurance Alignment |
|---|---|---|
| SOC 2 | Access controls, monitoring | High |
| ISO 27001 | Comprehensive security | High |
| NIST CSF | Risk-based controls | High |
| CIS Controls | Technical baselines | High |
An MSP with framework compliance likely meets insurance requirements. But “likely” isn’t certainty. Specific verification against specific policy requirements remains necessary.
The Incident Response Coordination
Insurance policies include incident response requirements. MSP incident response must align:
Notification timelines. Policy specifies when insurer must be notified. MSP detection and escalation must enable compliance.
Response actions. Policy may require or prohibit specific actions. MSP responders must know these requirements.
Documentation standards. Claims require specific documentation. MSP must capture required information.
Vendor coordination. Policy may require specific forensics vendors. MSP must cooperate with designated parties.
Pre-incident coordination prevents discovering in the middle of a crisis that requirements conflict.
The Coverage Gap Analysis
Analyze gaps between coverage and exposure:
What the policy covers. Read the policy, not the summary. Understand exclusions.
What the MSP contract covers. Liability caps, indemnification scope, insurance requirements.
What falls in between. Exposure neither policy nor contract addresses.
| Exposure Type | Policy Coverage | MSP Contract | Gap |
|---|---|---|---|
| Breach response costs | Usually covered | May be excluded | Verify |
| Business interruption | Often covered with limits | Usually excluded | Common gap |
| Regulatory fines | Varies by policy | Rarely covered | Significant gap |
| Reputational harm | Rarely covered | Never covered | Self-insured |
| Third-party claims | Usually covered | Limited by cap | Cap gap |
Gap analysis reveals self-insured exposure that requires reserves or additional coverage.
The Premium Optimization Question
MSP practices affect insurance premiums. Better security posture reduces premiums:
Controls that reduce premiums:
- MFA implementation
- EDR deployment
- Regular patching
- Backup testing
- Security training
- Incident response planning
MSP role in premium reduction:
- Implement premium-affecting controls
- Document for underwriting
- Maintain during policy term
- Provide evidence at renewal
If the MSP delivers measurable security improvement, premiums should reflect it. If they don’t, the improvement may not be as real as reported.
The Breach Response Funding
When a breach occurs, funding questions emerge immediately:
Who pays for immediate response? The policy has a deductible. Who covers costs until insurance kicks in?
Who advances forensics costs? Investigation costs money before coverage confirmed.
Who funds legal response? Regulatory response starts immediately.
How does MSP participate? Does MSP bear any cost, or only policy and client?
Pre-negotiate breach response funding. The conversation during crisis is worse than the conversation before.
The Annual Coordination Cycle
Coordination is ongoing, not one-time:
| Timing | Activity |
|---|---|
| Policy inception | Share requirements with MSP |
| Quarterly | Verify control maintenance |
| Pre-renewal | Assess gap between requirements and reality |
| Renewal | Update attestations with current facts |
| Post-incident | Coordinate on claims documentation |
The cycle ensures requirements, attestations, and reality stay aligned.
The MSP as Named Insured Question
Some organizations add their MSP as a named insured on their policy:
Advantages:
- MSP has skin in the game
- Coordination incentive increases
- Coverage alignment improves
Disadvantages:
- Premium impact
- Coverage sharing
- Complexity increase
The decision depends on relationship depth and control integration. Not appropriate for all relationships.
Sources
- MFA requirement prevalence: Aon Cyber Insurance Market
- Insurance denial trends: Cyber insurance industry analysis
- Control requirement evolution: Insurance application trend analysis