Carrots never tasted so good. 🥕

Incentives are important, and we’re happy to announce our newest “carrot” for Coalition policyholders: the Multi-Factor Authentication (MFA) Retention Reduction endorsement.

That’s a mouthful, but it’s simple. We’re happy to reward good security practice, and MFA (or 2FA) is not just good security practice -- it’s great security practice.

Multi-Factor Authentication is a security measure that adds a layer of protection to systems by requiring at least one additional verification step beyond a username and password. With MFA, users must also provide a digital token or code that is provided by a secondary device (often a phone) in the physical possession of the user in order to gain access to their account.

This new endorsement, now available on all Coalition surplus lines policies, provides that if a Coalition policyholder experiences a business email compromise, and has MFA enabled, then they will only be required to cover 50% of the highly applicable self-insured retention up to a maximum reduction of $10,000. Enable MFA, and save $$$$ … it’s that simple.

Coalition is the first cyber insurance provider to incentivize this essential security practice. As of today (September 10, 2019), this coverage enhancement will automatically be added to all new surplus lines quotations, and has been added to all existing surplus lines policies automagically with an effective date of October 1, 2019. Here's more details about the endorsement, and you can always contact Coalition's Security Team with questions.

Why are we doing this?

In December, 2017, we launched with the idea that “When things do fail, we use that data to build better insurance and security products.” That blog post explained why Coalition was founded, and our mission to solve cyber risk.

In our role as cyber 911 for our policyholders, we help our customers directly when something goes wrong. Our experience over the past two years has only reinforced the value of enabling MFA. Insurance provides a proven mechanism for rewarding actions that reduce risk.

Coalition numbers:

• 36% of Coalition claims originate from a business email compromise $

• 160,000 is the average loss from a cyber attack originating from a business email compromise for a small to midsize business

Business email compromises resulted in a range of losses from ransomware and social engineering to funds transfer fraud, regulatory penalties, restoration costs, and more. All of these losses could have been avoided altogether or substantially minimized if the policyholder had MFA in place.

Microsoft and Google numbers:

• 99.9% - percent of automated cyber attacks prevented by MFA (Microsoft)

• 100% - percent of automated bots blocked by MFA (Google)

Not every attack is automated, but MFA reduces the risk in all situations. Google provided more details:

“We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”

On-device prompts includes digital token applications, such as Google Authenticator or Duo security.

How do I enable MFA?

The good news is that MFA is freely available for most popular business email systems, including Microsoft and Google, as well as for critical business systems such as Salesforce, Amazon Web Services, Box, and more. We’ve provided detailed instructions and we’re also happy to advise our policyholders (and brokers!) on implementation.

We hope you enjoy this carrot!