MFA Requirements for Cyber Insurance: What Carriers Actually Want in 2026

June 1, 2026


Multi-factor authentication (MFA) blocks more than 99% of automated account compromise attacks, according to Microsoft’s 2023 Digital Defense Report. That number is why cyber insurance carriers moved MFA from a best practice to a hard underwriting requirement.

Carriers aren’t enforcing MFA because they read the same security blogs you do. Ransomware losses between 2019 and 2022 wiped out underwriting profits across the market. Compromised credentials were the entry point in most of those claims, and MFA directly addresses that vulnerability at the login layer.

This article breaks down exactly which authentication methods satisfy carrier requirements in 2026, which systems must be protected, and where businesses most often fall short at application or renewal time.

Why Cyber Insurance Carriers Now Require MFA

Ransomware payouts between 2019 and 2022 exceeded premiums at several major carriers, forcing rate increases, new exclusions, and harder technical requirements across every renewal cycle. The losses weren’t random. Attackers consistently used compromised credentials as their entry point, and a stolen username and password was often all they needed to get in.

Carriers shifted MFA from a soft preference to a hard underwriting checkbox around 2021. Enforcement has tightened with every renewal cycle since. Missing MFA today results in higher premiums, reduced coverage limits, or outright application denial depending on the carrier and the policy tier.

Carriers also evaluate MFA alongside the rest of your technical posture. Secure backup solutions are a parallel underwriting checkpoint, because attackers routinely target backup infrastructure to eliminate recovery options before deploying their ransomware payload.

What Counts as MFA for Cyber Insurance Purposes

MFA requires at least two distinct factor categories. Combining two items from the same category, such as two passwords or two security questions, does not qualify.

The three factor categories carriers recognize:

  • Something you know: a password or PIN
  • Something you have: a hardware token, phone-based authenticator, or one-time code
  • Something you are: a biometric (fingerprint, face recognition)

Not all MFA methods carry equal weight with carriers. Carriers increasingly flag SMS-based two-factor authentication as insufficient. How each type is evaluated:

  • Time-based one-time password (TOTP) apps (Microsoft Authenticator, Google Authenticator): Accepted at most carriers. Six-digit codes rotate every 30 seconds and must be entered manually, limiting interception risk.
  • Push notification apps: Meet the standard at most carriers. Some now require number matching or explicit confirmation prompts to prevent MFA fatigue attacks, where an attacker floods a user with push requests until one gets approved.
  • SMS one-time codes: SIM-swap attacks let attackers intercept codes without touching the account password. Several major carriers now reject SMS as a qualifying second factor or assign it to a lower compliance tier.
  • Biometric factors: Count only when paired with a separate, independent second factor.

Every Access Point Where Carriers Enforce MFA

Carriers don’t ask whether MFA is “on.” They ask which systems are covered and which aren’t. Gaps in any of the following access points create underwriting problems:

  • Email and Microsoft 365 or Google Workspace. A near-universal requirement across all major carriers. The most commonly attested control and the most commonly audited.
  • VPN and remote desktop (RDP). A hard requirement. RDP exposed to the internet without MFA is flagged as a critical gap on virtually every carrier questionnaire and is the most cited entry point in ransomware claims.
  • Privileged access accounts. Domain admins, local admins, and service accounts with elevated rights require MFA coverage separately from standard user accounts. Confirming email MFA without confirming admin account MFA is one of the most common attestation oversights.
  • Cloud management consoles. Azure portal, AWS console, and similar interfaces are standard requirements at most carriers since 2023 and now appear on new applications by default.
  • Backup management interfaces. An attacker who reaches backup controls without MFA can delete or encrypt recovery points before executing the ransomware payload. Carriers are now checking this explicitly.
  • Finance, payroll, and wire-transfer applications. A standard requirement on policies that include social engineering or funds-transfer fraud coverage.

Healthcare organizations and other regulated businesses will find these access control requirements align directly with HIPAA-compliant IT solutions, where federal compliance obligations and insurance requirements overlap significantly.

Hardware Tokens and Phishing-Resistant MFA: The 2026 Standard

The MFA tier your carrier requires depends on your coverage amount and the policy type you carry. The distinction between standard authenticator apps and phishing-resistant MFA now affects both policy availability and pricing at higher coverage tiers.

Hardware tokens (physical security keys built on the FIDO2/WebAuthn standards) provide the strongest available protection. The private key never leaves the device, and the signature it produces is bound to the legitimate site's origin, so phishing pages, man-in-the-middle attacks, and credential-harvesting tools have no path to the authentication credential. Phishing-resistant MFA, which hardware tokens satisfy, is now the preferred standard for privileged and admin accounts at higher coverage levels.

Standard authenticator apps remain acceptable for general user accounts at most carriers as of 2026. The stricter phishing-resistant standard kicks in at the admin and privileged account level.

Carriers writing limits above $1 million increasingly ask whether admin accounts use hardware security keys rather than software-based TOTP. That answer affects both availability and pricing. If your coverage limit increased at last renewal, your required MFA tier changed with it. Review carrier questionnaire language year over year rather than assuming prior answers still qualify.

MFA Gaps That Trigger Claim Denials or Coverage Reductions

Carriers now include MFA warranties in policy language. If you attested MFA but hadn’t actually enforced it at the time of an incident, the carrier can deny the claim as material misrepresentation. These are the five gaps that surface most often in claims investigations:

  1. MFA attested but not enforced. “Enabled” and “required” are not the same. If users can bypass MFA at sign-in, the attestation is inaccurate and the claim is at risk.
  2. Email protected, remote access not. MFA enabled for Microsoft 365 but not enforced for VPN or RDP is the single most common gap found in post-claim audits. The email attestation looks clean while the actual entry point stays open.
  3. Service accounts excluded. Legacy admin accounts and service accounts excluded from MFA enforcement policies carry elevated rights and rarely generate the session-level monitoring that would surface abuse. They appear consistently in claims investigations.
  4. Legacy systems with no documented compensating controls. Older systems that don’t support modern authentication are not automatic exceptions. Carriers expect network segmentation or compensating controls documented before your application date.
  5. Shared admin credentials. Shared accounts with no individual attribution defeat MFA audits entirely. When multiple users authenticate under the same identity, accountability cannot be established at the account level.

For a broader view of where covered claims fail after a ransomware incident, the companion piece on ransomware coverage requirements and claim pitfalls covers the full range of denial scenarios beyond MFA gaps.

Businesses across the Chicago area with identified MFA gaps should address them before renewal. Chicago cybersecurity services from a managed provider give you both the remediation and the documentation that holds up under post-claim scrutiny.

How to Document MFA Compliance Before You Apply or Renew

The attestation distinction carriers look for first is the difference between MFA being available and MFA being required. An “enabled” setting that users can bypass at sign-in doesn’t meet the standard.

Before you apply or renew, work through these four documentation steps:

  1. Build an access inventory. List every system with remote or elevated access and confirm the enforcement status for each entry, including all privileged access accounts and service accounts. A complete, current inventory is the foundation of a defensible application.
  2. Audit conditional access policies. In Microsoft 365 or Azure AD, confirm that policies enforce MFA at sign-in and generate audit-ready logs. Document that no broad exclusion groups exist. An exclusion covering executives, legacy systems, or a service account class is a gap that surfaces immediately under audit review.
  3. Document compensating controls. If any system cannot support MFA, document compensating controls in writing before your application date.
  4. Compare year-over-year answers. Review your prior-year application answers side by side with your current deployment. Discrepancies between years raise underwriter questions even before a claim is filed.
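An added example, not from this article or from LeadingIT: a small Python audit over a constructed access inventory that flags the five gaps listed in the previous section and produces the per-system "enforced by policy" answer that steps 1, 2 and 4 above call for. The inventory schema, account names and prior-year answers are assumptions; a real inventory would be exported from the identity provider and the VPN/RDP gateway.

```python
from dataclasses import dataclass

@dataclass
class AccessEntry:                    # one access-inventory row (constructed schema)
    system: str                       # e.g. "Microsoft 365", "VPN", "RDP"
    account: str
    kind: str = "user"                # "user", "admin" or "service"
    shared: bool = False              # several people sign in as this identity
    supports_mfa: bool = True         # False for legacy systems
    mfa_enabled: bool = False         # MFA registered or available on the account
    mfa_enforced: bool = False        # a policy requires it at every sign-in, no bypass
    excluded_by_policy: bool = False  # sits in a conditional-access exclusion group
    compensating_control: str = ""    # written control for systems that cannot do MFA

REMOTE_ACCESS = {"VPN", "RDP"}

def audit(entries):  # -> list of (gap, account, system) for the five gaps in the article
    gaps = []
    for e in entries:
        if not e.supports_mfa:                                 # gap 4: legacy system
            if not e.compensating_control:
                gaps.append(("legacy_no_compensating_control", e.account, e.system))
            continue
        enforced = e.mfa_enforced and not e.excluded_by_policy
        checks = [
            ("attested_not_enforced", e.mfa_enabled and not e.mfa_enforced),          # gap 1
            ("remote_access_unprotected", e.system in REMOTE_ACCESS and not enforced),  # gap 2
            ("policy_exclusion", e.excluded_by_policy),                               # step 2
            ("privileged_without_mfa", e.kind != "user" and not enforced),            # gap 3
            ("shared_admin_credential", e.kind == "admin" and e.shared),              # gap 5
        ]
        gaps.extend((gap, e.account, e.system) for gap, hit in checks if hit)
    return gaps

def attestation_answers(entries):  # per-system "enforced by policy?": True only if every account is
    return {s: all(e.supports_mfa and e.mfa_enforced and not e.excluded_by_policy
                   for e in entries if e.system == s) for s in {e.system for e in entries}}

def year_over_year(prior, current):  # systems whose prior-year answer no longer matches reality
    return sorted(s for s, a in prior.items() if current.get(s) != a)

INVENTORY = [  # constructed sample rows, not real accounts
    AccessEntry("Microsoft 365", "jdoe", mfa_enabled=True, mfa_enforced=True),
    AccessEntry("Microsoft 365", "ceo", mfa_enabled=True, mfa_enforced=True, excluded_by_policy=True),
    AccessEntry("VPN", "jdoe", mfa_enabled=True),
    AccessEntry("RDP", "admin-shared", kind="admin", shared=True, mfa_enabled=True, mfa_enforced=True),
    AccessEntry("Microsoft 365", "svc-backup", kind="service", excluded_by_policy=True),
    AccessEntry("Legacy ERP", "erp-admin", kind="admin", supports_mfa=False),
]
PRIOR_YEAR_ANSWERS = {"Microsoft 365": True, "VPN": True, "RDP": True}  # last year's questionnaire
```

Running `audit(INVENTORY)` on the sample rows flags the VPN entry twice (enabled but not enforced, and remote access left open) and reports Microsoft 365 and VPN as the systems whose prior-year "yes" would no longer hold.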

Getting Your MFA Posture Ready Before Renewal

Start your MFA audit 60 to 90 days before renewal, not the week the questionnaire arrives. The remediation timeline is longer than most businesses expect.

Work through access points in this order:

  • Privileged and admin accounts first. The highest-value targets and the most scrutinized items on carrier questionnaires.
  • VPN and remote desktop second. The most cited entry point in ransomware claim investigations, and the most common gap between what’s attested and what’s actually enforced.
  • Email and cloud consoles third. Likely already covered, but confirm that no exclusion groups exist in your conditional access policies before you attest.
  • Line-of-business applications last. Finance, payroll, and wire-transfer systems require MFA if your policy includes funds-transfer fraud coverage.

Close the gap between what you plan to attest and what is actually enforced before you submit. Some carriers ask whether MFA is “enforced by policy,” which requires a technical control, not user training. A third-party assessment produces documentation that survives post-claim scrutiny better than internal attestation alone.


Carrier requirements will tighten further as attack patterns evolve and claims data accumulates. What qualifies on a 2026 questionnaire is the floor, not the standard. Businesses that treat MFA as a documented, enforced, and audited control avoid the attestation mismatches that cause coverage disputes at exactly the wrong time.

The right time to address MFA gaps is before the questionnaire arrives, not after a claim is filed. A complete access inventory, properly scoped conditional access policies, and third-party documentation create a posture that holds up under any level of carrier scrutiny.

When MFA compliance becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward.

Talk to LeadingIT about cybersecurity services to find out exactly where your MFA posture stands before your next renewal or call 815-788-6041.


Stephen Taylor is the founder and driving force behind LeadingIT, a Chicagoland-based IT and cloud services company, where he focuses on delivering practical, client-first technology solutions for businesses. A Microsoft Certified professional and author of Technology Should Just Work, he combines hands-on expertise with a passion for making IT simple, transparent, and effective.
