Cyber Insurance MFA and Identity Control Requirements in 2026
Cyber insurance underwriting changed fundamentally between 2020 and 2023. Before the ransomware wave, cyber insurance applications asked basic questions about antivirus, firewall, and backup existence. Underwriters priced risk based on industry and revenue without deep technical scrutiny of security controls. The claims experience from major ransomware campaigns changed that: insurers reviewing hundreds of ransomware claims found a consistent pattern. Attackers entered through compromised credentials, usually on remote access infrastructure or email. MFA was absent on those entry points. Lateral movement was enabled by shared or standing privileged credentials. The losses were preventable with controls that cost a fraction of the claims.
Insurers responded by restructuring their underwriting process around identity controls specifically. MFA coverage scope, privileged access management maturity, and authentication technology type moved from optional disclosures to primary underwriting factors. Organizations that could not demonstrate adequate identity controls found themselves facing premium increases, coverage sublimits, or outright declination.
This shift has not peaked. In 2026, underwriting requirements around identity controls are still evolving, with phishing-resistant MFA moving from premium differentiator to coverage requirement in high-risk sectors. Understanding what underwriters are asking and how to document your control state accurately is now a core security program responsibility.
What Underwriters Are Actually Asking in 2026
Cyber insurance application forms have expanded substantially in the identity controls section over the past four years. The following represents the questions appearing on current applications from major carriers in 2026.
MFA scope questions: Does the organization enforce MFA on email and collaboration platforms? Does the organization enforce MFA on VPN and remote access? Does the organization enforce MFA on cloud management consoles (AWS, Azure, GCP administrative interfaces)? Does the organization enforce MFA on privileged and administrative accounts? Some carriers ask for percentage coverage within each category rather than binary yes/no answers.
MFA technology questions: What MFA methods are in use? Options typically include: hardware security key (FIDO2/WebAuthn), authenticator app (TOTP), push notification, SMS/voice, and smart card or certificate. Some applications ask specifically whether phishing-resistant MFA (FIDO2 or certificate-based) is deployed for any categories.
Privileged access questions: Does the organization have a privileged access management solution? Are shared administrator passwords prohibited? Are privileged access sessions recorded? How are privileged credentials rotated? Are standing administrative accounts with persistent elevated rights permitted?
Ancillary identity questions: What percentage of endpoints have EDR deployed? Does the organization have an incident response retainer with a named IR firm? What is the backup frequency and is backup access protected by MFA? Are email filtering and anti-phishing controls deployed?
How answers affect coverage terms: MFA gaps on any of the four primary categories (email, remote access, cloud consoles, privileged accounts) typically result in premium loading of 10 to 30 percent depending on the carrier and risk profile. Absence of a PAM solution or compensating controls results in additional loading or sublimits on ransomware coverage specifically. With some carriers, SMS-only MFA in high-risk sectors may trigger coverage conditions or exclusions for phishing-based incidents. Phishing-resistant MFA deployment, particularly for email and privileged accounts, is beginning to produce measurable premium reductions with carriers that have developed their own claims data to support the relationship.
Universal MFA: What It Means and What Insurers Count as Exceptions
The shift from 'do you have MFA' to 'what percentage of users have MFA enforced' is the most consequential change in identity underwriting since 2021. Binary MFA questions could be answered affirmatively by organizations that had MFA deployed for some users or some systems. Percentage questions reveal coverage gaps that binary questions masked.
Universal MFA means all active user accounts in the relevant category have MFA enforced, with no exceptions beyond documented and compensating-controlled legacy system integrations. Underwriters have learned from claims experience that the accounts without MFA are disproportionately the ones attackers exploit. An organization with 95 percent MFA coverage may find that the unprotected 5 percent consists of the service accounts, shared accounts, and stale contractor accounts, exactly the credential types attackers prioritize because they receive less monitoring attention.
Legacy systems create two types of MFA exceptions that underwriters encounter. The first is application-level exceptions: legacy web applications, line-of-business software, and manufacturing systems that use proprietary authentication protocols or embedded credentials that cannot be federated through a modern IdP to receive MFA protection. These exceptions require compensating controls (network segmentation, jump server MFA, enhanced monitoring) and documentation.
The second is account-level exceptions: service accounts used by applications for machine-to-machine authentication that cannot accept interactive MFA challenges. Service account credentials should be treated as secrets rather than user credentials: unique per application, rotated on a defined schedule, stored in a secrets manager or PAM vault, and never used for interactive logins. Underwriters who find service accounts with shared passwords, no rotation policy, and no PAM coverage treat this as a PAM gap rather than a legitimate MFA exception.
Documentation that satisfies underwriters for legacy exceptions
An inventory of systems that cannot support MFA federation, the technical reason MFA cannot be implemented (proprietary auth protocol, embedded credential, no SAML/OIDC support), the compensating controls applied (network segmentation diagram, bastion host architecture, monitoring configuration), and the planned remediation timeline or permanent exception justification for systems that cannot be replaced.
Documentation that creates underwriting friction
A blanket claim that 'some legacy systems cannot support MFA' without identifying which systems, what compensating controls exist, or what monitoring is in place. This answer suggests the organization has not inventoried its MFA exceptions and cannot demonstrate that compensating controls are applied consistently.
Privileged Access Requirements
Privileged access management questions have become more detailed and more technical in 2026 underwriting applications. Carriers have incorporated claims data showing that ransomware operators systematically abuse privileged credentials to achieve domain-wide deployment capability, and the underwriting questions now probe for the specific controls that prevent this pattern.
The core PAM requirements that underwriters expect are: no shared administrative passwords (every administrator has an individual account with unique credentials, not a shared admin@domain account), no standing domain administrator accounts (elevated rights are time-limited or session-based rather than persistent), privileged session activity is logged and ideally recorded (for forensic investigation capability and for deterrence of insider abuse), and privileged credentials are rotated on a defined schedule (not left static for months or years).
Organizations with a dedicated PAM product (CyberArk, BeyondTrust, Delinea, ManageEngine PAM360) can document these controls through vendor-generated reports. Underwriters are familiar with PAM platform reporting formats and can assess coverage from system-generated documentation more easily than from manually compiled spreadsheets.
Organizations without a dedicated PAM product but with equivalent controls implemented through native platform tools can document them as follows: Azure AD Privileged Identity Management (PIM) for just-in-time domain administrator elevation with approval workflows satisfies the standing privilege requirement. AWS IAM role assumption with time-limited session credentials satisfies the same requirement for cloud administrator access. Jump server or bastion host infrastructure with individual admin accounts and session logging satisfies the session recording requirement for on-premises access.
The weakest representation is 'we have IT policies that prohibit shared admin passwords' without evidence that those policies are enforced technically rather than just documented. Underwriters have seen enough claims where policy said one thing and forensic investigation found another to discount policy-only controls without technical enforcement evidence.
Phishing-Resistant MFA: The New Premium Differentiator
Phishing-resistant MFA refers specifically to authentication methods that cannot be intercepted by adversary-in-the-middle attacks, SIM swapping, or real-time phishing proxies. The two primary phishing-resistant MFA technologies are FIDO2/WebAuthn hardware security keys (YubiKey, Google Titan Key, and FIDO2-certified alternatives) and certificate-based authentication (smart card, PIV, device certificates through platform authenticators).
Standard TOTP (time-based one-time password) authenticator apps are not phishing-resistant. A real-time phishing proxy can present a fake login page, capture the username and password, immediately relay them to the real site, capture the TOTP code from the MFA challenge, relay it back, and establish an authenticated session before the 30-second TOTP window expires. This attack pattern is documented in ransomware and BEC incidents against organizations that had deployed authenticator app MFA and believed they were protected against phishing.
FIDO2 authenticators are phishing-resistant because the authentication is cryptographically bound to the origin (the specific domain the user is authenticating to). A FIDO2 key will not authenticate to a phishing domain even if it visually resembles the real site, because the origin mismatch causes the cryptographic challenge to fail. SMS codes and TOTP codes do not have this origin binding and can be relayed by an attacker in real time.
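The origin-binding argument above, worked through as an added example (not code from the original article): a TOTP verifier per RFC 6238 accepts a code relayed from a look-alike page because it checks only the shared secret and the time, while a WebAuthn-style relying party rejects an assertion whose clientDataJSON carries the wrong origin. The only assumption is that the authenticator signature is modelled as an HMAC with a per-credential key (standing in for the ECDSA/EdDSA signature a real authenticator produces) so the block runs with the standard library alone; all origins, secrets and challenges are constructed.

```python
"""Why a relayed TOTP code verifies but a relayed FIDO2 assertion does not.

Added example, not from the original article.  ASSUMPTION: the
authenticator "signature" is an HMAC over authenticatorData ||
SHA-256(clientDataJSON) with a per-credential key, standing in for the
asymmetric signature a real FIDO2 authenticator produces.  The origin
check, which is what makes FIDO2 phishing-resistant, is modelled as the
WebAuthn spec describes it.
"""
import base64, hashlib, hmac, json, struct

# ---------- TOTP (RFC 6238 / RFC 4226, real algorithm) ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)

def totp_rp_verify(secret: bytes, code: str, at: int) -> bool:
    """The real site checks only secret + time.  It cannot tell which page
    the user typed the code into, so a code relayed within the 30-second
    window passes."""
    return hmac.compare_digest(totp(secret, at), code)

# ---------- FIDO2 / WebAuthn-style assertion ----------
def authenticator_sign(cred_key: bytes, rp_id: str, client_data: dict) -> dict:
    """What browser + authenticator produce: authenticatorData
    (rpIdHash || flags || counter) and a signature over it plus
    SHA-256(clientDataJSON).  The BROWSER builds clientDataJSON from the
    page's real origin; neither the user nor the page script can alter it."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stands in for ECDSA
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json, "signature": sig}

def fido2_rp_verify(cred_key: bytes, rp_id: str, expected_origin: str,
                    expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks from the WebAuthn spec, simplified: type,
    challenge, ORIGIN, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:      # origin binding: the decisive check
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

def relay_scenarios() -> dict:
    """Constructed scenario: the user is on a look-alike origin that forwards
    the real site's login flow in real time.  (In practice the browser would
    not even offer the credential on the look-alike origin, because the RP ID
    does not match the page's domain; this models the RP-side check alone.)"""
    real_origin, real_rp_id = "https://login.example.com", "login.example.com"
    lookalike_origin = "https://login.example-com.net"
    # TOTP: code generated for the real secret, typed on the look-alike page,
    # forwarded to the real site five seconds later, still inside the window.
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    relayed_code = totp(secret, now)
    totp_result = totp_rp_verify(secret, relayed_code, now + 5)
    # FIDO2: the real site's challenge is forwarded to the look-alike page, but
    # the browser stamps the look-alike ORIGIN into clientDataJSON.
    cred_key = b"constructed-per-credential-key"
    challenge = base64.urlsafe_b64encode(b"constructed-challenge-1234567890").decode().rstrip("=")
    relayed = authenticator_sign(cred_key, real_rp_id,
        {"type": "webauthn.get", "challenge": challenge, "origin": lookalike_origin})
    genuine = authenticator_sign(cred_key, real_rp_id,
        {"type": "webauthn.get", "challenge": challenge, "origin": real_origin})
    return {
        "totp_relayed_accepted": totp_result,
        "fido2_relayed_accepted": fido2_rp_verify(cred_key, real_rp_id, real_origin, challenge, relayed),
        "fido2_genuine_accepted": fido2_rp_verify(cred_key, real_rp_id, real_origin, challenge, genuine),
    }

if __name__ == "__main__":
    for name, accepted in relay_scenarios().items():
        print(f"{name}: {accepted}")
```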
The government mandate is driving commercial underwriting expectations. CISA's Implementing Phishing-Resistant MFA guidance explicitly states that FIDO2 and certificate-based authentication are the only MFA methods that satisfy phishing-resistant requirements. OMB Memorandum M-22-09 required federal agencies to implement phishing-resistant MFA for all users, a mandate that has influenced the standards that cyber insurers reference when evaluating organizational controls.
For regulated sectors in 2026, phishing-resistant MFA for email access and privileged account access is moving from a premium-reduction opportunity to a coverage requirement. Financial services organizations under FFIEC guidance, healthcare organizations under OCR investigation scrutiny, and organizations with FedRAMP or DoD contract requirements already face phishing-resistant MFA mandates that align with underwriter preferences. For organizations not yet subject to these mandates, deploying phishing-resistant MFA for email and privileged accounts is the single identity control improvement with the highest combination of security value and cyber insurance premium impact.
How to Document Identity Controls for the Application
The quality of identity control documentation submitted with a cyber insurance application or renewal materially affects underwriting outcomes. Carriers that receive clear, system-generated evidence of controls can underwrite more confidently and with less conservative premium loading than carriers that receive vague narrative descriptions that cannot be independently verified.
The following documentation checklist covers the identity control evidence that produces the strongest underwriting outcomes.
MFA coverage report from your identity provider
A system-generated report from Okta, Entra ID, or your primary IdP showing the percentage of active user accounts with MFA enrolled and enforced by category (all users, privileged accounts, external users). Entra ID generates MFA status reports through the Authentication Methods Activity Report. Okta provides MFA enrollment reports through the admin console. This report is more credible than a manually compiled spreadsheet and can be dated to within the application period.
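The per-category percentage report described here, and the exception analysis from the Universal MFA section (which accounts make up the unprotected remainder), as an added example that is not from the original article or from any IdP vendor's reporting format. The user rows, category labels and method names are constructed to resemble a simplified IdP user export; real Entra ID and Okta exports use different field names.

```python
"""Per-category MFA coverage and exception analysis from an IdP user export.

Added example, not from the original article.  The rows below are a
CONSTRUCTED, simplified user listing; "categories" are the four
underwriting categories an account falls into and "methods" are the MFA
methods registered and enforced by policy for that account.
"""
from collections import defaultdict

# Weakest to strongest, in the tiers underwriting forms distinguish.
STRENGTH = {"none": 0, "sms": 1, "voice": 1, "push": 2, "totp": 2,
            "certificate": 3, "fido2": 3}
PHISHING_RESISTANT = {"fido2", "certificate"}

USERS = [  # constructed export
    {"upn": "alice@example.com", "type": "employee",
     "categories": {"email", "remote"}, "methods": ["fido2", "totp"]},
    {"upn": "bob@example.com", "type": "employee",
     "categories": {"email"}, "methods": ["sms"]},
    {"upn": "carol-admin@example.com", "type": "employee",
     "categories": {"email", "privileged", "cloud"}, "methods": ["fido2"]},
    {"upn": "dave-admin@example.com", "type": "employee",
     "categories": {"privileged", "cloud"}, "methods": ["totp"]},
    {"upn": "svc-backup@example.com", "type": "service",
     "categories": {"privileged"}, "methods": []},
    {"upn": "shared-helpdesk@example.com", "type": "shared",
     "categories": {"email", "remote"}, "methods": []},
    {"upn": "contractor-2019@example.com", "type": "contractor",
     "categories": {"remote"}, "methods": ["sms"]},
    {"upn": "erin@example.com", "type": "employee",
     "categories": {"email", "remote"}, "methods": ["push"]},
]

def strongest_method(methods):
    """The factor that determines the account's tier; 'none' if unenrolled."""
    return max(methods, key=lambda m: STRENGTH[m], default="none")

def coverage_report(users):
    """Return {category: {total, mfa, phishing_resistant, pct, pr_pct}},
    the percentage-per-category figures application forms now ask for."""
    stats = defaultdict(lambda: {"total": 0, "mfa": 0, "phishing_resistant": 0})
    for u in users:
        best = strongest_method(u["methods"])
        for cat in u["categories"]:
            s = stats[cat]
            s["total"] += 1
            if best != "none":
                s["mfa"] += 1
            if best in PHISHING_RESISTANT:
                s["phishing_resistant"] += 1
    for s in stats.values():
        s["pct"] = round(100 * s["mfa"] / s["total"], 1)
        s["pr_pct"] = round(100 * s["phishing_resistant"] / s["total"], 1)
    return dict(stats)

def unprotected_accounts(users):
    """Accounts with no enforced MFA, grouped by account type: the service,
    shared and contractor accounts that usually make up the gap."""
    groups = defaultdict(list)
    for u in users:
        if not u["methods"]:
            groups[u["type"]].append(u["upn"])
    return dict(groups)

def sms_only_accounts(users, category):
    """Accounts in a category whose strongest factor is SMS or voice."""
    return sorted(u["upn"] for u in users
                  if category in u["categories"]
                  and STRENGTH[strongest_method(u["methods"])] == 1)

def below_threshold(report, threshold=95.0):
    """Categories under the enforcement threshold the article uses (95 percent)."""
    return sorted(c for c, s in report.items() if s["pct"] < threshold)

if __name__ == "__main__":
    rep = coverage_report(USERS)
    for cat in sorted(rep):
        s = rep[cat]
        print(f"{cat:<11} {s['mfa']}/{s['total']} MFA ({s['pct']}%), "
              f"phishing-resistant {s['pr_pct']}%")
    print("below 95%:", below_threshold(rep))
    print("unprotected:", unprotected_accounts(USERS))
    print("sms-only on email:", sms_only_accounts(USERS, "email"))
```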
PAM vendor documentation or equivalent controls evidence
A screenshot or export from your PAM platform showing the number of privileged accounts under management, credential rotation configuration, and session recording status. If using Azure PIM as a PAM equivalent, an export of PIM assignment history showing time-limited role activations. If using AWS IAM role assumption, evidence of session credential configuration and logging through CloudTrail.
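For the AWS case, the CloudTrail evidence can be summarised rather than screenshotted. The following is an added example, not from the original article: it reads constructed CloudTrail-style records (field names follow the CloudTrail JSON format as understood by the author of this example; the account id, role names, principals and values are invented) and reports whether privileged role sessions are time-limited and MFA-backed and whether console logins used MFA. The one-hour session limit is an assumed organisational policy, not an AWS default.

```python
"""Privileged-session evidence from CloudTrail AssumeRole / ConsoleLogin records.

Added example, not from the original article.  CONSTRUCTED_EVENTS are
invented records in CloudTrail's JSON shape; MAX_PRIVILEGED_SESSION_SECONDS
is an assumed policy limit.
"""

MAX_PRIVILEGED_SESSION_SECONDS = 3600   # assumed organisational limit
DEFAULT_ASSUME_ROLE_SECONDS = 3600      # STS default when durationSeconds is omitted

CONSTRUCTED_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/OrgAdmin",
                           "roleSessionName": "carol-change-4711", "durationSeconds": 900}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "dave",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/OrgAdmin",
                           "roleSessionName": "dave", "durationSeconds": 43200}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole"},   # service-to-service; no durationSeconds given
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/BuildRole",
                           "roleSessionName": "ci-build-88"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

def role_session_summary(events, privileged_role_suffixes=("OrgAdmin",)):
    """One row per AssumeRole into a privileged role: principal, role,
    requested session length, and whether the caller was MFA-authenticated."""
    rows = []
    for e in events:
        if e.get("eventName") != "AssumeRole":
            continue
        rp = e.get("requestParameters", {})
        role = rp.get("roleArn", "")
        if not role.endswith(privileged_role_suffixes):
            continue
        ident = e.get("userIdentity", {})
        mfa = (ident.get("sessionContext", {}).get("attributes", {})
                    .get("mfaAuthenticated") == "true")
        rows.append({"principal": ident.get("userName", ident.get("type")),
                     "role": role.rsplit("/", 1)[-1],
                     "duration": int(rp.get("durationSeconds", DEFAULT_ASSUME_ROLE_SECONDS)),
                     "mfa": mfa})
    return rows

def findings(events):
    """Gaps an underwriter would flag: over-long privileged sessions,
    privileged role assumption without MFA, console logins without MFA."""
    out = []
    for r in role_session_summary(events):
        if r["duration"] > MAX_PRIVILEGED_SESSION_SECONDS:
            out.append(f"long session: {r['principal']} -> {r['role']} for {r['duration']}s")
        if not r["mfa"]:
            out.append(f"no MFA on role assumption: {r['principal']} -> {r['role']}")
    for e in events:
        if (e.get("eventName") == "ConsoleLogin"
                and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            out.append(f"console login without MFA: {e['userIdentity'].get('userName')}")
    return out

if __name__ == "__main__":
    for row in role_session_summary(CONSTRUCTED_EVENTS):
        print(row)
    for f in findings(CONSTRUCTED_EVENTS):
        print("FINDING:", f)
```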
EDR deployment percentage
A system-generated report from your EDR platform (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, or equivalent) showing the percentage of managed endpoints with an active EDR agent. EDR deployment is a supporting identity control because EDR is the detection mechanism for credential theft attempts on endpoints. Underwriters weight EDR coverage alongside MFA coverage as complementary controls.
IR retainer contract
A copy of your incident response retainer agreement with a named firm. The retainer demonstrates that a breach investigation can begin within hours rather than days, which reduces the scope and cost of claims. Many carriers require an IR retainer for higher-premium policies; having one in place before the application improves coverage terms regardless of whether it is required.
Legacy system exception documentation
An inventory document listing systems that cannot support MFA, the technical reason, the compensating controls in place (network diagram for segmentation, bastion host configuration, monitoring alert configuration), and the review or remediation timeline. This document should be maintained as a living document that is updated annually at minimum.
Premium Impact of Identity Control Gaps
Specific premium percentages are insurer-specific, not publicly disclosed, and vary by industry, revenue, coverage limit, and risk history. However, the directional patterns are consistent across multiple carrier and broker reports and provide useful framing for prioritizing identity control investments before renewal.
MFA gaps on primary categories (email, remote access, cloud consoles, privileged accounts) are the most impactful single factor in premium loading. Organizations that cannot demonstrate MFA enforcement on all four categories face loading that can exceed the cost of remediation within one renewal cycle. For a mid-market organization paying 200,000 dollars annually in cyber premium, a 20 percent loading attributable to MFA gaps represents 40,000 dollars per year, enough to fund a meaningful MFA deployment expansion.
SMS-only MFA versus authenticator app MFA produces measurable premium differences with carriers that have decomposed their claims data by MFA method. The loading for SMS-only MFA is smaller than for no MFA, but it is meaningful with carriers that apply the most granular underwriting criteria.
Phishing-resistant MFA deployment for email and privileged accounts is producing premium reductions with carriers that have quantified the risk reduction in their claims portfolio. The reduction is carrier-specific and must be negotiated with supporting documentation, but carriers that have adopted phishing-resistant MFA as a positive rating factor include several of the specialist cyber carriers.
PAM solution absence or documented PAM gaps produce loading specifically on ransomware coverage sublimits and business interruption coverage rather than on all coverage categories. Underwriters who understand the ransomware claim pattern know that PAM gaps are specifically correlated with domain-wide ransomware deployment capability, which is the scenario that produces the largest business interruption claims. Some carriers apply a ransomware sublimit specifically for organizations without PAM rather than loading the overall premium, which means the financial impact appears in the coverage terms rather than the premium line.
The bottom line
Three identity control improvements have the highest combined impact on coverage terms and premium before your next cyber insurance renewal.
First, close MFA coverage gaps on the four primary categories. If your IdP shows anything below 95 percent enforcement on email, remote access, cloud management consoles, and privileged accounts, close those gaps before renewing. The premium loading for coverage gaps in these categories exceeds the cost of enforcement for most organizations. Pull your MFA coverage report now and know your numbers before the renewal discussion begins.
Second, document your privileged access controls with system-generated evidence. If you have a PAM product, generate the report. If you use Azure PIM or AWS role assumption as your PAM equivalent, export the evidence. If you have gaps, document the compensating controls. Underwriters who receive documented controls evidence underwrite more favorably than those who receive narrative descriptions without supporting documentation.
Third, deploy phishing-resistant MFA for email access and privileged accounts if you are in a high-risk sector or if your carrier has begun asking specifically about phishing-resistant methods. The security benefit of FIDO2 over TOTP is real and well documented. The premium impact is carrier-specific but increasingly measurable. And for organizations in financial services, healthcare, or government contracting, the regulatory alignment between phishing-resistant MFA mandates and underwriting preferences makes this investment doubly justified.
Frequently asked questions
Does cyber insurance require MFA on every system or just certain categories?
Cyber insurance underwriters in 2026 distinguish between MFA categories rather than requiring a single blanket answer. The categories that receive the most scrutiny are remote access (VPN, RDP, remote desktop services, jump servers), email and collaboration platforms (Microsoft 365, Google Workspace), cloud management consoles (AWS Console, Azure Portal, GCP Console), and privileged accounts (domain administrators, local administrators, service accounts with elevated rights). Most underwriters currently ask for MFA coverage across these four categories specifically, and some application forms request percentage coverage for each category. An organization that has MFA enforced on remote access and email but not on cloud management consoles or privileged accounts will face more underwriting scrutiny than one with consistent coverage across all four categories.
Beyond these four primary categories, some underwriters are beginning to ask about MFA coverage for backup systems and disaster recovery infrastructure specifically, because ransomware operators increasingly target backup systems to prevent recovery. Organizations that have MFA enforced on primary systems but allow backup console access without MFA have a coverage gap that underwriters recognize from ransomware claim patterns.
The honest answer is that universal MFA, meaning MFA enforced on every user account for every system, is the ideal but not always achievable due to legacy systems, operational technology, and shared accounts. Underwriters expect exceptions to exist; they expect those exceptions to be documented, controlled, and compensating-controlled. An undocumented exception with no compensating control is a coverage and misrepresentation risk.
Is SMS-based MFA still accepted by cyber insurers in 2026?
SMS-based MFA is still accepted by most cyber insurers in 2026 as a baseline control, but it is increasingly treated as an inadequate control for high-risk access categories, and some carriers are beginning to add exclusions or premium loading specifically for organizations that rely primarily on SMS MFA rather than app-based TOTP or phishing-resistant FIDO2 methods. SMS MFA is vulnerable to SIM swapping attacks, SS7 protocol attacks, and real-time phishing proxies (adversary-in-the-middle tools like Evilginx2 and Modlishka) that intercept SMS codes in real time as the user enters them on a phishing page. These attack patterns are well documented in ransomware and business email compromise claims, and underwriters who review claim data recognize SMS MFA as present but insufficient for preventing phishing-based credential theft.
The practical impact on underwriting in 2026 is as follows: organizations with SMS-only MFA across all categories will typically obtain coverage but may face premium loading, sublimits on social engineering coverage, or requirements to transition to app-based or phishing-resistant MFA within a defined remediation timeline. Organizations with app-based TOTP (Google Authenticator, Microsoft Authenticator) are treated more favorably. Organizations that have deployed FIDO2 or hardware security keys for privileged accounts and email access are treated most favorably, and some carriers are beginning to offer explicit premium discounts for phishing-resistant MFA deployment.
For organizations in high-risk sectors (financial services, healthcare, critical infrastructure), the bar is higher. Some carriers in these sectors are requiring phishing-resistant MFA specifically for privileged account and email access as a coverage condition rather than a premium differentiator.
What counts as a PAM solution for cyber insurance underwriting purposes?
Cyber insurance underwriters ask about privileged access management to assess whether an organization has controls that prevent attackers from leveraging compromised administrator credentials to move laterally and deploy ransomware at scale. The specific question on most application forms asks whether the organization has a PAM solution, and the intent is to verify controls against shared passwords, standing privileged accounts, and unmonitored administrative sessions. A dedicated PAM product (CyberArk, BeyondTrust, Delinea, ManageEngine PAM360, or comparable platforms) is the clearest positive answer. However, underwriters do not uniformly require a named vendor product. The underlying controls that PAM is meant to address are what matters: no shared administrator passwords (each administrator has a unique account), no standing domain administrator rights (elevated access is time-limited or session-based), administrator sessions are logged and ideally recorded, and privileged account credentials are rotated regularly.
Organizations without a dedicated PAM product can represent equivalent controls if they can document: individual administrative accounts for each administrator (no shared admin@domain credentials), just-in-time access elevation through Azure PIM, AWS IAM role assumption, or Okta Privileged Access, session logging through bastion host or jump server infrastructure, and password rotation through a privileged credential management policy with evidence of enforcement.
The weaker the PAM documentation, the more likely underwriters are to apply premium loading or request a supplemental questionnaire. Organizations that answer 'no' to the PAM question without providing alternative control documentation will face more adverse underwriting treatment than those who answer 'no, but here are the compensating controls we have in place.'
How do legacy systems without MFA support affect coverage eligibility?
Legacy systems that cannot support MFA are a recognized reality in enterprise environments, and underwriters in 2026 generally do not disqualify organizations for having legacy exceptions. What matters is how those exceptions are handled, documented, and compensating-controlled. The underwriting question is not 'do you have legacy systems that cannot support MFA' but rather 'what controls prevent those legacy systems from being exploited as an entry point that bypasses your MFA-enforced perimeter.'
Acceptable compensating controls that underwriters recognize include: network segmentation that isolates legacy systems from internet-accessible network segments, jump server or bastion host requirements with MFA enforcement at the bastion layer (so access to legacy systems requires MFA at the bastion even if the legacy system itself cannot enforce MFA), dedicated service accounts with unique credentials used only for that specific legacy system with no shared credential reuse, and enhanced monitoring for authentication activity on legacy systems with alerting for anomalous access patterns.
Documentation is as important as the controls themselves. An inventory of legacy systems that cannot support MFA, the business justification for continued operation, the compensating controls applied to each system, and the roadmap or sunset plan for the legacy system demonstrates to underwriters that the exception is managed rather than ignored. An undocumented legacy exception with no compensating controls and no remediation timeline is a meaningful underwriting concern. The same system with documented compensating controls is treated as a managed risk.
For operational technology environments (industrial control systems, SCADA, manufacturing equipment) where MFA support is architecturally impossible and system replacement is not feasible in a short timeframe, underwriters generally understand the constraint but expect network isolation and enhanced monitoring as baseline compensating controls.
What happens if you misrepresent MFA coverage on your cyber insurance application?
Misrepresentation of material facts on a cyber insurance application, including MFA coverage scope, can result in policy rescission if a claim is filed and the insurer discovers during claim investigation that the representation on the application was inaccurate. Insurance policy contracts include representations and warranties provisions that require the applicant to accurately disclose material facts. MFA coverage scope is now universally considered a material fact in cyber insurance underwriting.
Insurers conduct forensic investigation as part of the claims process. A ransomware claim will typically involve a forensic incident response firm engaged by the insurer to determine the attack vector, the entry point, the lateral movement path, and the controls that were or were not in place at the time of the incident. If forensic analysis reveals that the attacker entered through remote access that was not protected by MFA, and the application represented MFA on remote access as enforced, the insurer has grounds to dispute or deny the claim based on material misrepresentation.
The practical risk of misrepresentation in MFA coverage is not theoretical. Several high-profile coverage disputes in 2023 and 2024 involved insurers declining to pay claims on the basis that the organization had represented MFA coverage that the forensic investigation determined was not accurately implemented at the time of the application. In some cases, the MFA policy existed but was not enforced for all user accounts in the covered category, creating a gap between the policy and the practice.
The correct approach for organizations with MFA coverage gaps is to accurately represent current coverage percentages, document known exceptions, and if possible, commit to a remediation timeline on the application.
Underwriters can work with organizations that are transparent about gaps; they cannot underwrite organizations that misrepresent their control state and then file claims that reveal the misrepresentation.
Which cyber insurance carriers have the most stringent identity control requirements?
Cyber insurance carriers vary significantly in the rigor of their identity control requirements, with specialization in higher-risk sectors typically correlating with more stringent requirements. Coalition, At-Bay, and Corvus are among the carriers that have historically applied the most detailed technical underwriting questions around identity controls, reflecting their data-driven underwriting models that incorporate real-time technical scanning of applicant attack surfaces alongside application questionnaire data. Coalition's underwriting process includes an external attack surface scan that can detect whether an organization has exposed RDP, unpatched software, or publicly accessible systems that suggest inadequate controls even if the application represents otherwise. At-Bay has published research on the correlation between specific technical controls (MFA on email, PAM maturity) and claim frequency that informs its underwriting criteria.
Traditional carriers (Chubb, AIG, Beazley, Zurich) have also substantially hardened their identity control requirements in response to loss experience from 2020 through 2024. Beazley in particular has been among the more active carriers in requiring phishing-resistant MFA as a condition for full coverage in certain sectors.
For large enterprise risks (over 250 million dollars in revenue), the Lloyd's market and reinsurance capacity increasingly applies consortium underwriting standards around identity controls, and the most stringent requirements come from underwriters managing excess layers where claim exposure is highest. Organizations with annual cyber premiums above 500,000 dollars should expect detailed identity control questionnaires with follow-up requests for documentation as standard practice.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.