Breaking Down the Barriers: Why Phish-proof Multi Factor Authentication is the Turning Point for Cyber Insurance

In this post we’re talking insurance. Cyber insurance. What are the challenges for the industry and SMEs (Small and Medium Sized Enterprises)? And more importantly what is the solution? Let’s dive in. 

What is Cyber Insurance? 

Well, this might seem like an obvious place to start, and it is. But let’s just cover it. Cyber insurance is a type of business insurance that protects organizations in case of damages incurred as the result of breach of its IT systems, for example, a cyber-attack. The costs of a data breach can be far reaching and can include:

• Loss of Data (this can include customer data, sensitive intellectual property) 
• Operational downtime with lost sales (e.g. MGM Casinos)
• Ransomware payments (not in all countries)
• Compensating customers
• Incident response & investigation
• Recovery & restart
• Investment in new security 
• Legal fees
• Penalties (such as GDPR)
• Brand reputation 

All of which can be devastating for any company of any size, however even more so for small businesses. Spoiler alert: It is estimated that 60% of SMEs go out of business following a cyber-attack.

Cyber Security for Small Business 

According to Cisco, 43% of cyberattacks target SMEs. They also report small businesses spend “an average of $955,000 per attack to restore normal operations” making a successful breach disastrous for small to medium enterprises (SMEs). 

Small businesses are especially at risk from cybercrime. Perhaps even more so than the enterprise since they do not have the same level of expertise or protection in place. This makes them a soft target, and because they often interface with larger companies, they are an attractive ‘entry point’ to larger networks for cybercriminals. The cost of a breach could spell the end of business altogether for a smaller company - they are by far one of the most vulnerable groups. 

Munich Re reports 90% of attacks are caused by human error (such as phishing) [research from Sanford University from 2022]. 90% of ransomware attacks originated through a phishing email. If companies could eliminate phishing alone, they would significantly reduce their risk of a breach.

Phishing is Still a Major Problem

Phishing is the number one problem, no matter the size of business or the industry and the size of the threat and number of attacks just keeps on growing alongside the creativity of the criminals. But why does it hit SMEs particularly hard? 

Very often, in smaller organizations, employees are already executing many roles. The boss might be doubling up as HR and Marketing for example. Small business owners just don’t have the time, the resources, or the skill set to deal with cyber security. There is rarely a dedicated IT team let alone cyber security experts in-house. 

It can also come down to a lack of awareness – small businesses know they need protection, but without the right in-house expertise, they do not know where to start. As the saying goes, you don’t know what you do not know.

More savvy business owners might look towards the implementation of Multifactor Authentication (MFA), but this can also be a minefield. As we frequently discuss, MFA is a method not a result. And as such different MFA tools offer various levels of effectiveness. Very few MFA tools can prevent phishing and most products only protect against brute force attacks. Criminals know the difference though and will exploit 1^st generation MFA solutions whether they use SMS, apps, or fobs. Aside from the confusion and common misunderstandings about the technology, there is the lack of time, budget, and knowledge required to deploy MFA - even if it were desired. 

This paints a sad picture. It makes SMEs the most vulnerable and the most powerless. So how about cyber insurance for SMEs?

Cyber Insurance for Small Business 

SMEs desperately need cyber insurance, but unfortunately, often find themselves locked out of any meaningful cover, that is insurance that would protect them against the biggest threats such as phishing. This is due to a disconnect that currently exists in the industry. 

SMEs are in critical need of the right cyber-insurance coverage. The question is not if, but when an organization will be hit by a cyber-incident, starting almost exclusively with phishing. However, they often find themselves ineligible because they lack protection, such as multi-factor authentication. The requirement to have MFA deployed is becoming mainstream for insurers. And with 99% of claims coming from SMEs, this situation is not sustainable for the insurers and leads to bad outcomes for everyone concerned:

• Premiums are either prohibitively expensive or 
• Unavailable to SMEs (because they are unable to deploy MFA). 

And here lies the most significant challenge - the most vulnerable are not currently being served the right products. And they continue to be at risk. 

Phish-proof MFA Provides the Answer 

Let’s recap on the issues and challenges of cyber insurance for small business: 

• SMEs are at the highest risk of cybercrime. 
• The impact of a successful breach could mean the end of business.
• 90% of all breaches originate from phishing attacks. 
• SMEs need help to protect their business and they need access to cyber insurance. 
• There are significant barriers. SMEs are struggling to deploy MFA because: 
• ~ It is too expensive
• ~ It doesn’t protect against phishing, 
• ~ They do not have enough time to deploy MFA
• ~ They do not have the expertise to deploy MFA
• The best cyber insurance is unavailable or prohibitively expensive. Underwriters are weary due to the considerable risk and loss ratio.
• Brokers want to help their customers but there are limited products that fit the requirements.

What if there were an MFA solution that customers could deploy in just a few minutes without any technical expertise? 

What if that MFA solution didn’t require a second device? Meaning that the customer did not need any further investment to deploy for all users? 

And… wait for it… what if that MFA solution was un-phishable? What if it could prevent all credential phishing and every single password-based attack, effectively eliminating up to 90% of all risk related to cyber security and thus cyber insurance? 

That would solve the insurers' problems and those of the small business, right? Correct. 

Brokers! Here’s The Game Changer – And You’re in The Driving Seat!

In a new partnership with ERGO Versicherung AG, brokers now have access to an insurance solution which incorporates phish-proof MFA, AuthN by IDEE. 

And this is all about the brokers. The industry is changing. It has to. And brokers are at the very heart of this change.

Whatever the size of company, in today’s hyper connected online world, cyber security and cyber insurance is no longer just a ‘nice to have.’ It is essential. Risks and threats are constantly evolving and are rising all the time. The size of the opportunity to help businesses with these challenges is vast. Now is the time for the insurance industry to meet the growing demand by finding ways to help their customers. 

Brokers need to be able to facilitate better eligibility for their customers when it comes to accessing technology, products, and services in this area. In doing so, they can also dramatically enhance their own proposition, positioning themselves as a value-added partner rather than simply a sales function that ticks boxes. 

We are seeing more and more brokers that are helping their customers strengthen their overall security posture with value-added services such as assessments and gap analysis, which enables them to qualify for cyber insurance - this is a real differentiator. By adopting this approach, brokers can open conversations on a consultative basis which promotes long-term, high value relationships based on trust and expertise. We really believe this is the direction technology vendors and the insurance industry should be moving in – together. It represents a real win-win for all parties when we work together in this way. It is an exciting time to be involved. 

In the case of ERGO, the new insurance option offers comprehensive, preventative protection, designed especially for the SME market. So, brokers, it is now over you! 

‍Are you a broker? For more information on this insurance solution, please get in touch.

Read: "Cyber insurance: MFA specialist IDEE and ERGO Versicherung AG start cooperation" press release.

‍