Cyberliability Insurance

September 21, 2025 | 2 min read

Will Cyber-Insurance Deny Your Claim Without MFA? 7 Controls Insurers Expect in 2025

TL;DR (50 seconds): Lack of MFA by itself doesn’t always void coverage—but if your policy requires it (via warranties/minimum-practices) or you told the insurer you had MFA when you didn’t, your claim can be limited, rescinded, or denied. Insurers now treat MFA as table stakes and are pushing six other controls that materially affect pricing and insurability.


The straight answer

  • Can a claim be denied without MFA?
    Yes, in two common scenarios:

    1. Your policy includes a “minimum required practices”/security warranty (or similar “failure to maintain” clause) and you didn’t maintain MFA; or

    2. You misrepresented having MFA on the application—insurers have successfully moved to rescind policies on that basis (see Travelers v. International Control Services).

  • Even when not denied outright, lack of MFA today often means no quote, higher deductibles, or tighter sub-limits at renewal, because carriers view MFA as baseline hygiene. Major brokers and carriers publicly rank MFA among the top controls they look for.


A quick story from the field

I led MFA rollouts for two highly regulated SMBs—one in healthcare research, one in financial services supply-chain. In both cases, underwriters flagged renewals until we: (1) enforced MFA on email, remote access, and admin accounts, and (2) proved coverage >98% with screenshots and export logs. Quotes improved, and one carrier removed a ransomware sub-limit at binding.


Real case to know

  • Travelers v. ICS (2022): After a ransomware event, Travelers sought (and the parties stipulated to) rescission of a cyber policy, alleging the insured had misrepresented its MFA posture on the application. Takeaway: your security questionnaire is under oath—answer precisely and keep evidence.


Why MFA is non-negotiable in 2025

Microsoft continues to show MFA blocks the overwhelming majority of account-takeover attempts (≈99%+), and regulators are tightening requirements (e.g., NYDFS will require MFA broadly by Nov 1, 2025 for covered financial entities). Prefer phishing-resistant methods (FIDO2/WebAuthn) for admins and high-risk apps.

Nathan Taylor

Nathan writes for the Australian magazine, Croc Nation. He recently graduated from Perth University with a degree in Journalism.
