Cyber Insurance MFA Requirements 2026: What Carriers Want

Cyber insurance MFA requirements in 2026 — what carriers require for email, VPN, admin, and executive accounts, plus the deployment gaps that get claims denied.

Douglyn 10 min read
Close-up of a FIDO2 hardware security key being inserted into a laptop USB-C port with cyber insurance policy paperwork in soft focus behind it

Coalition’s 2024 Cyber Claims Report buried a finding most operators missed: 82% of denied cyber insurance claims involved organizations that had MFA, just not properly implemented across their environment. Not “no MFA.” Not “lying on the application.” MFA that was real on most accounts and absent on the one the attacker used. The gap is in the words “across their environment.”

That gap is the entire 2026 cyber insurance MFA question.

Carriers have moved from “do you have MFA?” (a yes/no on the application) to “show me where MFA is enforced, on which accounts, with which factor, and where the gaps are.” Underwriting is no longer a questionnaire; it’s a technical audit dressed up as one. Three of four carriers now run external attack-surface scans during underwriting. The application question still says “do you have MFA”; the verification process tells them the truth.

For South Florida mid-market businesses — and especially healthcare practices, professional services firms, and construction operators where claim volume is highest — this post is the deeper read on what carriers actually want when they say “MFA on every account.” Companion to the parent guide on 2026 cyber insurance requirements.

Key Takeaways

  • The 82% rule. Most denied cyber insurance claims involve MFA-on-application that wasn’t MFA-in-deployment. The application is binary; the operational reality is granular.
  • Phishing-resistant MFA (FIDO2 / Windows Hello) is the new baseline for $5M+ limits and for all privileged, executive, finance, and IT accounts. Authenticator-app MFA with number matching covers the rest of the workforce.
  • SMS is increasingly rejected — particularly for email, VPN, admin consoles, and executive accounts.
  • Service accounts are the gap that gets claims denied. Carriers want documented inventory + compensating controls, not blanket MFA exemption.
  • Documented controls swing premiums 20–40%. The MFA evidence binder is the most important artifact you produce at renewal.

The 82% Problem: Why MFA Became the Make-or-Break Question

Cyber insurance carriers underwrite probability of loss and severity of loss. MFA reduces both — but only when it’s actually deployed everywhere it matters. The deployment-vs-attestation gap is what carriers learned to investigate post-2022.

The pattern in denied claims is consistent. Application says MFA-yes. Forensics finds attacker compromised an account that didn’t actually have MFA — a service account, a shared mailbox, a legacy admin account, an executive who was exempted from the policy. Carrier investigates, finds the gap, denies the claim under the cyber policy’s representations clause.

The Coalition number (82% of denials) isn’t an outlier; it’s the new normal. Travelers, Beazley, Chubb, and AXA XL all tightened their MFA-evidence requirements in 2024–2025 — and they enforced those requirements at claim time, not just at underwriting.

“MFA on Every Account” — What Carriers Actually Mean in 2026

The application question is “MFA on every account that accesses business data.” Operators routinely interpret this as “MFA on the email.” Carriers mean something much broader. The 2026 scope:

  • Email (every mailbox-enabled account, including shared mailboxes and aliases)
  • VPN (every workforce member who connects remotely)
  • Remote Desktop / RDP (every account, including admin RDP)
  • Cloud admin consoles (Microsoft 365 admin center, Google Workspace admin, AWS, Azure, GCP, Cloudflare, identity provider admin)
  • Banking and finance systems (treasury management, payroll, expense management)
  • ERP / accounting (NetSuite, Acumatica, QuickBooks Online, Sage Intacct — every administrative account, not just CFO)
  • Practice management / EHR (Epic, Athena, Cerner, eClinicalWorks, Greenway — every clinical and administrative login)
  • CRM (Salesforce, HubSpot — at minimum admin tier)
  • File shares and cloud storage (SharePoint, Dropbox Business, Google Drive — admin tier and any access to sensitive data)
  • Privileged access management tools (the PAM tool itself needs MFA, even though it issues MFA to others)

Plus the non-obvious ones that catch operators off guard:

  • Service accounts (we’ll cover separately)
  • Contractors and third-party support with any access to business data
  • Vendor portals (anyone with access to a vendor’s system that reaches your data — managed service portals, accounting firm portals)
  • Break-glass / emergency admin accounts (yes, even these — with strict compensating controls)

The carrier’s question isn’t “do most accounts have MFA.” It’s “can you produce a coverage report that shows 100% enrollment across this scope, with documented exceptions and compensating controls for every exception?”

Phishing-Resistant MFA: Which Factors Carriers Actually Accept

Not all MFA is equal in carrier eyes. The current factor hierarchy from most-preferred to least-acceptable:

1. Phishing-resistant MFA (preferred for privileged access)

  • FIDO2 hardware keys (YubiKey, Feitian, Google Titan) — gold standard
  • Windows Hello for Business with hardware-backed credentials
  • Passkeys (Apple, Google, Microsoft), device-bound preferred. A passkey is a WebAuthn credential and is phishing-resistant either way; carriers and attestation-minded admins prefer device-bound ones because a synced passkey’s private key is copied to the vendor’s cloud keychain and to every device signed into it.
  • Smart cards / PIV (common in defense and regulated industries)

These satisfy CISA’s phishing-resistant MFA definition. The authenticator signs a challenge that is bound to the site’s origin, so a lookalike domain or an adversary-in-the-middle proxy page cannot obtain a signature the real site will accept, and there is no code for a user to type into the wrong page. One caveat practitioners should keep in mind: phishing resistance protects the sign-in, not the session. A session token stolen after sign-in by infostealer malware works regardless of which factor produced it, which is why the trusted-device and sign-in-frequency settings covered below matter even for FIDO2 users. For $5M+ policy limits, this is increasingly the baseline expectation for privileged and executive accounts.

2. Authenticator apps with number matching (acceptable baseline)

  • Microsoft Authenticator (with number matching enforced)
  • Duo Mobile (with verified push enabled, not auto-approve)
  • Okta Verify (push with number matching; Okta FastPass, which binds the credential to the device and checks the origin, belongs in the phishing-resistant tier above)
  • Google Authenticator for TOTP (lower preference than push with number matching)

These satisfy most carriers for non-privileged workforce accounts. The “number matching” piece matters: without it, push-fatigue attacks (where the attacker spams push notifications until the user accidentally approves) are a known weakness, and carriers know it. Older push implementations without number matching are increasingly downgraded. Microsoft has enforced number matching on Authenticator push tenant-wide since 2023, but the binder should still show it under the tenant’s authentication methods policy rather than assume it.

3. SMS / voice-call MFA (increasingly rejected)

Once the standard, now the exception. SMS MFA is rejected outright on:

  • Privileged and admin accounts (universal across major carriers)
  • Email accounts (most carriers in 2026)
  • Executive accounts at high-limit policies

It’s still accepted for lower-tier workforce accounts at many carriers, but the trajectory is clear: every renewal cycle since 2022 has narrowed the acceptable scope for SMS. Plan to migrate off it.

4. Email-based MFA (functionally not MFA)

Sending a code to an email account that doesn’t have its own MFA is widely treated as no-MFA at all. Carriers explicitly call this out as a disqualifying configuration.

The Deployment Gaps That Get Claims Denied

The Coalition 82% number breaks down into a recurring pattern of specific gaps:

Service accounts running on shared passwords

The most-cited gap. A service account (used by software to authenticate to other software) typically can’t do interactive MFA, so operators leave it on a static password — sometimes a default vendor password. Attackers compromise the service account, escalate to admin-level access, exfiltrate data. Carrier investigates, finds the service account had no compensating controls, denies the claim.

The fix: documented service account inventory, password vault, IP allowlisting, certificate-based authentication where possible, short-lived tokens for cloud systems (managed identities or workload identity federation in Entra, IAM roles in AWS, so that no long-lived secret exists to steal), regular rotation with documented dates.

“Remember this device for 30 days” on privileged accounts

A convenience setting (“Stay signed in,” “remember MFA on trusted devices,” a long sign-in frequency, persistent browser sessions) meant to reduce friction. It is also an attacker’s dream. The remembered-device state lives in a browser cookie or refresh token, so an attacker who steals it with infostealer malware, or who captured the session through an adversary-in-the-middle phishing page, can reuse it for the length of the window without ever facing a second prompt. Carriers consider this a deployment gap even though the account technically “has MFA.”

The fix: for privileged accounts (admin, finance, executive, IT), set sign-in frequency to every sign-in and disable persistent browser sessions in conditional access, and turn off remembered-device MFA. Pair it with device compliance or token protection where the platform offers it, because FIDO2 stops the phishing but not the cookie theft.

Conditional access enabled but coverage gaps

Microsoft Entra ID, Okta, and similar platforms let admins write conditional access policies — “require MFA when accessing X application.” The policy is only as good as its scope. Operators routinely write the policy for “all users” and then add an exclusion group “to test it,” and the test group becomes permanent. Or they exclude service accounts and shared mailboxes by default. Either way, the coverage report shows the gap.

The fix: audit conditional access policies quarterly. Verify that every exclusion group and excluded user has a justified, dated entry in the exception register, not “test user from 2022,” and that the policy is actually enabled: a policy left in report-only mode enforces nothing and shows up in the coverage report as a gap.
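Both gaps above (the remembered-device window and the permanent exclusion group) are visible in the policy export, so the quarterly audit can be scripted. The following is an added example written for this page, not BASG’s tooling or Microsoft’s. It runs over constructed policy records that mirror the field names of Microsoft Graph’s conditionalAccessPolicy resource (conditions.users, grantControls, sessionControls, state); the group, role and app names are placeholders, since a real export carries object IDs and role template GUIDs, and the set of “privileged” groups is an assumption the operator supplies.

```python
"""Audit a Conditional Access export for the gaps the page describes.

Added example, not BASG tooling. The records are constructed and mirror the
field names of Microsoft Graph's conditionalAccessPolicy resource; a real run
would feed it the JSON from GET /identity/conditionalAccess/policies.
"""
import json

# Assumption: groups whose members the page treats as privileged
# (admin, finance, executive, IT). Real exports reference groups by object ID.
PRIVILEGED_GROUPS = {"grp-it-admins", "grp-finance", "grp-executives"}

# Constructed sample export (placeholder names, not a real tenant).
POLICIES = json.loads("""[
  {"displayName": "CA001 - Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.com"],
                            "includeGroups": [], "excludeGroups": ["grp-ca-test-exclusion", "grp-service-accounts"],
                            "includeRoles": [], "excludeRoles": []},
                  "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null},
   "sessionControls": null},
  {"displayName": "CA002 - Phishing-resistant MFA for directory roles", "state": "enabled",
   "conditions": {"users": {"includeUsers": [], "excludeUsers": [], "includeGroups": [], "excludeGroups": [],
                            "includeRoles": ["role-global-admin", "role-exchange-admin"], "excludeRoles": []},
                  "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "AND", "builtInControls": [],
                     "authenticationStrength": {"displayName": "Phishing-resistant MFA"}},
   "sessionControls": {"signInFrequency": {"isEnabled": true, "frequencyInterval": "everyTime"},
                       "persistentBrowser": {"isEnabled": true, "mode": "never"}}},
  {"displayName": "CA003 - Require MFA for finance", "state": "enabled",
   "conditions": {"users": {"includeUsers": [], "excludeUsers": [], "includeGroups": ["grp-finance"],
                            "excludeGroups": [], "includeRoles": [], "excludeRoles": []},
                  "applications": {"includeApplications": ["app-netsuite"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null},
   "sessionControls": null},
  {"displayName": "CA004 - Require MFA for VPN", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "includeGroups": [], "excludeGroups": [],
                            "includeRoles": [], "excludeRoles": []},
                  "applications": {"includeApplications": ["app-vpn"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null},
   "sessionControls": null}
]""")


def is_privileged_scope(policy):
    """A policy scopes privileged users if it targets directory roles or a privileged group."""
    users = policy["conditions"]["users"]
    return bool(users.get("includeRoles")) or bool(PRIVILEGED_GROUPS & set(users.get("includeGroups", [])))


def audit_policy(policy):
    """Return the findings for one policy; an empty list means it passes."""
    name = policy["displayName"]
    users = policy["conditions"]["users"]
    grant = policy.get("grantControls") or {}
    session = policy.get("sessionControls") or {}
    strength = grant.get("authenticationStrength") or {}
    findings = []

    if policy["state"] != "enabled":
        findings.append(f"{name}: state is {policy['state']!r}, so it enforces nothing")
    if "mfa" not in (grant.get("builtInControls") or []) and not strength:
        findings.append(f"{name}: grant requires neither MFA nor an authentication strength")
    # Every exclusion is an MFA gap until the exception register justifies it.
    for group in users.get("excludeGroups", []):
        findings.append(f"{name}: excluded group {group!r} needs a justified exception-register entry")
    for user in users.get("excludeUsers", []):
        findings.append(f"{name}: excluded user {user!r} needs a justified exception-register entry")

    if is_privileged_scope(policy):
        if "phishing-resistant" not in strength.get("displayName", "").lower():
            findings.append(f"{name}: privileged scope without a phishing-resistant authentication strength")
        freq = session.get("signInFrequency") or {}
        browser = session.get("persistentBrowser") or {}
        every_sign_in = freq.get("isEnabled") and freq.get("frequencyInterval") == "everyTime"
        no_persist = browser.get("isEnabled") and browser.get("mode") == "never"
        if not (every_sign_in and no_persist):
            findings.append(f"{name}: privileged scope still allows a remembered-device / persistent session window")
    return findings


def has_enforced_baseline(policies):
    """True if some enabled policy requires MFA for all users on all cloud apps."""
    for p in policies:
        users, apps = p["conditions"]["users"], p["conditions"]["applications"]
        grant = p.get("grantControls") or {}
        if (p["state"] == "enabled" and "All" in users.get("includeUsers", [])
                and "All" in apps.get("includeApplications", [])
                and ("mfa" in (grant.get("builtInControls") or []) or grant.get("authenticationStrength"))):
            return True
    return False


def audit(policies):
    """All per-policy findings plus the tenant-level baseline check."""
    findings = [f for p in policies for f in audit_policy(p)]
    if not has_enforced_baseline(policies):
        findings.append("tenant: no enabled policy requires MFA for all users on all apps")
    return findings


if __name__ == "__main__":
    for line in audit(POLICIES):
        print(line)
```

Run against the sample it reports the two permanent exclusion groups and the excluded break-glass user on CA001, the finance policy that still allows a persistent session and does not demand a phishing-resistant strength, and the VPN policy sitting in report-only mode; CA002 passes. Each finding line maps to either a fix or an exception-register entry, which is exactly what the binder needs.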

Contractors and third-party support without MFA enforcement

Any contractor, vendor, or third-party support tech with access to your environment is in scope for the carrier’s MFA expectation. Operators often onboard contractors as guests in their identity provider, then either forget to enforce MFA on guests or assume the contractor’s own organization has handled it.

The fix: explicit MFA policy for guest / B2B users. Documented attestation from contractor organizations that their access methods have MFA.

M2M / API integrations without authentication best practices

Modern SaaS connects via API tokens, OAuth flows, and service principals. Many of these can’t use interactive MFA but can use stronger compensating controls — short-lived tokens, IP allowlisting, scope-limited credentials, secret rotation. Carriers expect you to be using them.

The fix: API access inventory. Token rotation cadence. Least-privilege scopes. Secret management out of source control.

The MFA Matrix Carriers Want to See

A coverage map that carriers can audit at a glance. The level of detail underwriters expect for $1M+ policies:

Account category | Minimum acceptable MFA | Preferred MFA | Typical exceptions
-----------------|------------------------|---------------|-------------------
Workforce email | Authenticator app w/ number matching | FIDO2 / Windows Hello | None (must be 100%)
Executive email | Authenticator app w/ number matching | FIDO2 required at most $5M+ carriers | None
Workforce VPN / RDP | Authenticator app w/ number matching | FIDO2 / Windows Hello | None
Cloud admin consoles | FIDO2 / Windows Hello / authenticator app | FIDO2 | None
Finance / banking systems | Authenticator app w/ number matching | FIDO2 / Windows Hello | None
ERP / EHR / practice management | Authenticator app w/ number matching | FIDO2 for admin tier | None
Service accounts (M2M) | N/A, compensating controls | Cert-based auth + short-lived tokens | Documented inventory required
Shared mailboxes | Tied to underlying account MFA | FIDO2 for owners | Documented
Contractors / B2B guests | Authenticator app w/ number matching | FIDO2 if accessing sensitive data | Documented attestation from contractor org
Break-glass admin | FIDO2 / hardware token | FIDO2 | Strict logging, alerting, quarterly review

This is the table the renewal binder needs to produce — not exactly this format, but this level of detail.
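A coverage report at this level of detail is a script over the identity provider’s registration export plus the category tags from discovery, and the same script produces the service-account exception register described in the deployment-gaps section. The following is an added example, not BASG’s tooling. Its records are constructed; the method names and the isMfaRegistered field mirror Microsoft Graph’s userRegistrationDetails report, the minimum tier per category follows the matrix above, and the category tag, compensating-control text, rotation date and 90-day cadence are assumptions the operator supplies, because the IdP does not know them.

```python
"""Turn an IdP registration export into the coverage report and exception
register the MFA matrix calls for.

Added example, not BASG tooling. Records are constructed; method names and
the isMfaRegistered field mirror Graph's userRegistrationDetails report. The
category tag and the service-account fields are operator-supplied assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Factor tiers as the page ranks them: 3 phishing-resistant, 2 app push with
# number matching, 1 TOTP, 0 SMS / voice / email (treated as no MFA at all).
STRENGTH = {
    "fido2SecurityKey": 3, "windowsHelloForBusiness": 3, "passKeyDeviceBound": 3,
    "microsoftAuthenticatorPush": 2,  # assumes number matching is enforced tenant-wide
    "softwareOneTimePasscode": 1,
    "mobilePhone": 0, "alternateMobilePhone": 0, "email": 0,
}
# Minimum acceptable tier per category, from the matrix (admin / break-glass need FIDO2).
MINIMUM = {"workforce": 2, "executive": 2, "finance": 2, "guest": 2, "admin": 3, "breakglass": 3}


@dataclass
class Account:
    upn: str
    category: str
    methods: list = field(default_factory=list)
    is_mfa_registered: bool = False
    compensating_control: str = ""            # service accounts only
    last_rotation: Optional[date] = None      # service accounts only


def strongest_tier(methods):
    """Highest tier among registered methods; -1 when nothing is registered."""
    return max((STRENGTH.get(m, 0) for m in methods), default=-1)


def evaluate(acct, today=date(2026, 1, 15), rotation_days=90):
    """Classify one account as covered, documented exception, or gap."""
    if acct.category == "service":
        problems = []
        if not acct.compensating_control:
            problems.append("no compensating control recorded")
        if acct.last_rotation is None:
            problems.append("no rotation date recorded")
        elif (today - acct.last_rotation).days > rotation_days:
            problems.append(f"rotation overdue by {(today - acct.last_rotation).days - rotation_days} days")
        if problems:
            return "gap", "; ".join(problems)
        return "exception", acct.compensating_control
    if not acct.is_mfa_registered or not acct.methods:
        return "gap", "no MFA method registered"
    tier, needed = strongest_tier(acct.methods), MINIMUM.get(acct.category, 2)
    if tier < needed:
        return "gap", f"strongest factor is tier {tier}, category requires tier {needed}"
    return "covered", ""


def coverage_report(accounts, **kw):
    """Summarise enrolment the way an underwriter reads it: human accounts as a
    percentage covered, service accounts in the exception register, gaps listed."""
    rows = [(a.upn, a.category, *evaluate(a, **kw)) for a in accounts]
    humans = [r for r in rows if r[1] != "service"]
    covered = sum(1 for r in humans if r[2] == "covered")
    return {
        "human_accounts": len(humans),
        "human_coverage_pct": round(100 * covered / len(humans), 1) if humans else 0.0,
        "exception_register": [r for r in rows if r[2] == "exception"],
        "gaps": [r for r in rows if r[2] == "gap"],
    }


# Constructed sample export (not real tenant data).
SAMPLE = [
    Account("ana@example.com", "workforce", ["microsoftAuthenticatorPush", "mobilePhone"], True),
    Account("ceo@example.com", "executive", ["mobilePhone"], True),
    Account("itadmin@example.com", "admin", ["microsoftAuthenticatorPush"], True),
    Account("secadmin@example.com", "admin", ["fido2SecurityKey", "windowsHelloForBusiness"], True),
    Account("vendor-tech@partner.example", "guest", [], False),
    Account("svc-backup@example.com", "service", compensating_control="vaulted secret, IP allowlist",
            last_rotation=date(2025, 12, 1)),
    Account("svc-erp-sync@example.com", "service"),
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE)
    print(f"{report['human_coverage_pct']}% of {report['human_accounts']} human accounts covered")
    for upn, category, status, note in report["gaps"]:
        print(f"GAP  {upn:<28} {category:<10} {note}")
```

Two design points worth noting. SMS is scored as tier 0 on purpose: an executive whose only registered method is a phone number shows as a gap even though the IdP reports the account as “MFA registered,” which is the attestation-versus-deployment distinction the carriers audit. And service accounts never count toward the coverage percentage; they either land in the exception register with a control and a fresh rotation date, or they show up as gaps.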

The 30-Day Rollout for Mid-Market

The practical sequencing we run with clients who need to close MFA gaps before a renewal cycle:

Days 1–5 — Discovery. Pull the MFA coverage report from your identity provider. Tag every account by category (workforce, executive, admin, service, guest, shared). Identify every gap.

Days 6–10 — Privileged accounts first. Deploy FIDO2 hardware keys to every admin, finance, executive, and IT account. This is the smallest population (typically 5–15% of users) and the highest-leverage MFA upgrade. Enroll two keys per person (or a key plus Windows Hello for Business) so a lost key does not push the user back to SMS or a helpdesk reset, the very fallback the policy is meant to remove. Update conditional access policies to require MFA on every sign-in for these accounts, with no trusted-device window.

Days 11–18 — Email, VPN, RDP universal rollout. Authenticator-app MFA with number matching for every workforce account on email, VPN, and remote access. Communicate the rollout, run a registration drive, enforce the conditional access policy at the end of the window.

Days 19–23 — Service account compensation. Build the inventory. Move shared passwords into the password vault. Enable IP allowlisting where possible. Document the rotation cadence. Where you can’t move off shared credentials, document the compensating control.

Days 24–28 — Audit and document. Run the coverage report again. Verify 100% workforce enrollment. Build the exception register. Capture screenshots for the renewal binder.

Days 29–30 — Binder assembly. The five evidence pieces (coverage report, conditional access policies, service account inventory, PAM documentation, exception register) compiled into a single PDF ready to hand to the broker or underwriter on request.

This is well-defined work, and BASG runs it as a fixed-bid engagement for clients facing imminent renewals. See our cybersecurity services and broader managed IT services for how the ongoing operational layer sits on top once the controls are in place. Compliance frameworks (HIPAA, CMMC, SOC 2, PCI-DSS) live under industry compliance.

For the broader 8-control framework that cyber insurance underwriting evaluates, see the 2026 cyber insurance requirements parent guide — this MFA post is the deeper dive on control #1.

What Goes in the Renewal Binder

The exact evidence that turns a “yes/no MFA question” into an underwriter-grade documented control:

  1. Identity provider MFA coverage report — Entra ID, Okta, Google Workspace. Shows 100% enrollment with documented exceptions. PDF export.
  2. Conditional access policy screenshots — every policy that requires MFA, with scope and exclusion documentation visible.
  3. Service account inventory — every M2M account, purpose, authentication method, rotation cadence, compensating control.
  4. Privileged access management documentation — admin session provisioning, monitoring, FIDO2 enforcement, quarterly review process.
  5. Exception register — every account that can’t have MFA, with documented reason and alternative control.

This binder is what separates the renewals that go flat (or improve) from the renewals that get declined or priced up. The five pieces are objective, evidence-based, and answer the underwriter’s actual question: do you know your environment and control it deliberately?

The Bottom Line

In 2026, “do you have MFA?” is an outdated question. The real underwriting question is “can you produce the coverage map?” Carriers have moved from questionnaires to evidence-based audits, and Coalition’s reported figure, 82% of denied claims involving an MFA deployment gap, is direct proof that the gap between MFA-attestation and MFA-deployment is where claims die.

For South Florida mid-market firms — healthcare, professional services, construction, financial firms — the work to close this gap is well-defined and not technically complex. It’s operational rigor, not new technology. The firms that do it right at renewal save 20–40% on premium and remove their largest source of claim-denial risk. The firms that don’t pay more for less coverage and remain exposed to the operational gap that 82% of denied-claim victims share.

If your business is approaching cyber insurance renewal in the next 90 days and you want to walk in with a documented MFA program rather than scramble for evidence after the broker requests it, our team can help. The 30-day playbook above is the engagement we run.

Frequently Asked Questions

Does cyber insurance require phishing-resistant MFA in 2026?

For limits above $5M and for privileged or executive accounts, yes — phishing-resistant MFA (FIDO2 hardware keys, Windows Hello for Business, or device-bound passkeys) is becoming the baseline at most major carriers including Coalition, Travelers, Beazley, and Chubb. Authenticator apps with number matching are not phishing-resistant, because an adversary-in-the-middle page can still relay the prompt; they are the acceptable tier below. For lower limits and non-privileged workforce accounts, authenticator-app MFA generally still satisfies the requirement, though SMS-based MFA is increasingly rejected even for non-privileged use. The trend line is clear: every renewal cycle since 2022 has tightened the acceptable factor. Practical guidance for 2026: deploy FIDO2 keys for all admin, executive, finance, and IT accounts; deploy authenticator-app MFA with number matching for the rest of the workforce; document any account that cannot have MFA with the compensating control.

Do service accounts need MFA for cyber insurance?

Yes — and this is one of the most-cited gaps in denied claims. Service accounts (accounts used by software systems to authenticate to other systems, not used by humans) cannot typically use interactive MFA. Carriers acknowledge this, but they require: (1) a documented inventory of every service account that touches business data; (2) compensating controls — strong unique passwords stored in a vault, IP allowlisting, certificate-based authentication, or short-lived tokens; (3) regular rotation cadence with documented dates; (4) least-privilege scope review on a documented cadence. The carrier's underwriter is looking for evidence you know which service accounts exist and that they're not standing default credentials with admin rights. The 'we have MFA on everyone' attestation while service accounts run on shared passwords is the exact gap that drives Coalition's reported 82% denied-claim rate.

What MFA factor does cyber insurance require on email?

Email is where most carriers draw the strictest line because business email compromise (BEC) is the highest-volume claim driver. The current 2026 expectation: at minimum, authenticator-app MFA with number matching (Microsoft Authenticator, Duo Mobile, Okta Verify) on every email account — including executive and shared mailbox access. SMS MFA on email is increasingly rejected across major carriers. For executive and finance accounts, expect to need phishing-resistant MFA (FIDO2 or Windows Hello). The single biggest evidence ask: an MFA coverage report from your identity provider (Microsoft Entra ID, Okta, Google Workspace) showing 100% of mailbox-enabled accounts have MFA registered AND a conditional access policy enforcing it for all sign-ins. 'Available but not required' MFA fails the audit. 'Required but enrollment is at 87%' fails the audit. The number underwriters look for is 100%, with documented exceptions for service accounts.

Why do cyber insurance claims get denied for MFA issues?

Three reasons, all variations of the same problem: MFA was claimed on the application but wasn't deployed across the actual environment. Coalition's 2024 Cyber Claims Report found 82% of denied claims involved improperly implemented MFA. The specific gaps that drive denials: (1) MFA on the corporate email but NOT on the VPN, RDP, or cloud admin consoles — attackers pivot through the weak surface; (2) MFA on workforce accounts but NOT on service accounts, shared mailboxes, or M2M integrations — attackers compromise the service account and bypass the policy; (3) MFA enabled in the directory but a conditional access exception allowing 'remember this device for 30 days' on privileged accounts — attackers steal the session token. The renewal application asks 'do you have MFA on all accounts accessing business data,' the operator answers yes, the attacker breaches via the gap, the carrier investigates, finds the gap, denies the claim, and the operator is left with a six- or seven-figure incident cost. The application question is binary; the operational reality is granular. Carriers increasingly verify before paying.

Can we get cyber insurance without phishing-resistant MFA?

For limits below $5M and for organizations without heavy executive or finance exposure, yes — most carriers will still write coverage with authenticator-app MFA (with number matching) as the second factor. The trade-off is premium: organizations on app-based MFA pay 15–30% more on renewal than identical organizations on FIDO2 hardware keys, all else equal, because carriers price the residual phishing exposure into the policy. Above $5M in limits, or for organizations with material privileged-account exposure (financial services, professional services with executive principals, healthcare with C-suite EHR access), phishing-resistant MFA is increasingly a hard requirement, not a discount. The math: if your premium is $40K/year and FIDO2 hardware keys cost $50/user one-time for 50 employees ($2,500), the premium reduction pays for the keys in under a quarter. For most BASG clients, we recommend FIDO2 for privileged accounts regardless of carrier requirement and authenticator-app for everyone else.

How do we document MFA compliance for cyber insurance renewal?

The renewal binder needs five specific pieces of evidence for the MFA question: (1) A coverage report from your identity provider (Entra ID, Okta, Google Workspace) showing every user account, their MFA enrollment status, and their registered methods. 100% enrollment with documented exceptions is the bar. (2) Conditional access policy screenshots showing MFA is required for sign-in to every business-data application (email, VPN, RDP, cloud admin, ERP, EHR, financial systems). (3) Service account inventory listing every M2M / service / shared account, its purpose, its authentication method, its rotation cadence, and which control compensates for the lack of interactive MFA. (4) Privileged access management documentation — how admin sessions are provisioned, monitored, and revoked, including whether FIDO2 or equivalent phishing-resistant MFA is used. (5) Exception register — any account that cannot have MFA, with the documented reason and the alternative control. Carriers don't expect perfection; they expect evidence that you know your environment and control it deliberately. The firms that walk into renewal with this binder routinely keep premiums flat or improve them by 20–40%. The firms that wing it absorb the carrier's worst-case-pricing assumption.
Tags: cyber insurance mfa requirements phishing resistant mfa cyber insurance 2026 fido2 security key mfa deployment cyber insurance underwriting south florida cybersecurity
