
MFA 'Available' vs 'Enforced': What does my insurer require?

Cyber Insurance

One of the most common reasons for cyber insurance claim denials is the “MFA Gap.” Many businesses believe they are compliant because most of their staff have MFA set up, but insurers look for technical enforcement.

The Difference Matters

MFA ‘Available’

This means users have the option to set up MFA, or it is enabled but has “exceptions” for certain legacy devices or specific users. If an attacker finds an account that hasn’t set it up, or uses a legacy protocol to sign in, your “available” MFA provides no protection.

MFA ‘Enforced’

True enforcement means:

  • Conditional Access Policies: The identity platform blocks any login attempt that does not present a second factor, rather than merely prompting for one.
  • Mandatory Enrollment: New employees cannot access systems until MFA is configured.
  • No Exceptions: Administrative accounts and remote access points are never exempt.
  • Legacy Auth Disabled: Basic Authentication and the protocols that depend on it, such as IMAP and POP3, are completely turned off, because these clients cannot present an MFA prompt and so sign in with a password alone.

Why Insurers Care

Attackers use automated tools to scan for accounts with weak or no MFA. If your insurance application stated that MFA is “required for all remote access,” and an investigation reveals a single entry point where it wasn’t enforced, the insurer may deny the entire claim on the grounds of misrepresentation.

Audit Checklist

  1. Run an MFA report: Identify any users who have not registered a second factor.
  2. Disable Legacy Auth: In Microsoft 365, ensure “Security Defaults” or specific Conditional Access policies are active.
  3. Check Third-Parties: Ensure MFA is enforced on your accounting software, CRM, and cloud storage.
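The enforcement criteria and the checklist above can be turned into a repeatable check over a tenant's exports. The following is an added example, not code from Bell & Senior or from Microsoft: it audits three constructed inputs shaped like Microsoft Graph objects (Conditional Access policies, MFA registration details, and sign-in log entries; the field names and the legacy client-app labels are assumptions to verify against your own export) and reports the gaps an insurer's investigator would find: a policy with an exclusion, a legacy-auth block left in report-only mode, users with no second factor registered, and successful sign-ins over legacy protocols.

```python
"""Audit constructed Entra ID exports for the 'MFA gap' described above.

All data here is CONSTRUCTED sample data. The dict shapes mirror Microsoft
Graph objects (conditionalAccessPolicy, userRegistrationDetails, signIn) as an
assumption; verify the field names against your tenant's real export.
"""

# Sign-in log clientAppUsed values that mean legacy (Basic) auth was used.
# Assumed subset of the Entra ID values; extend to match your logs.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

# --- Constructed sample inputs ----------------------------------------------
POLICIES = [
    {   # Requires MFA, but carves out a service account: an 'exception'.
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["svc-scanner@example.com"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Right controls, but left in report-only mode: no enforcement.
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,  "isAdmin": False},
    {"userPrincipalName": "bob@example.com",   "isMfaRegistered": False, "isAdmin": False},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False, "isAdmin": True},
]

SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com",   "clientAppUsed": "IMAP4",   "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com",  "clientAppUsed": "POP3",    "status": {"errorCode": 50126}},
]


def _covers_everyone(cond):
    """True when a policy targets all users and all apps with no exclusions."""
    users, apps = cond["users"], cond["applications"]
    excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
    return (users.get("includeUsers") == ["All"]
            and apps.get("includeApplications") == ["All"]
            and not excluded)


def policy_gaps(policies):
    """Return (policy name, problem) pairs; '<tenant>' rows are missing policies."""
    gaps, mfa_for_all, legacy_blocked = [], False, False
    for p in policies:
        name, cond = p["displayName"], p["conditions"]
        controls = set((p.get("grantControls") or {}).get("builtInControls", []))
        if p["state"] != "enabled":
            gaps.append((name, f"state is '{p['state']}', not 'enabled'"))
            continue  # a report-only policy enforces nothing
        users = cond["users"]
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if excluded:
            gaps.append((name, "excludes " + ", ".join(excluded)))
        if "mfa" in controls and _covers_everyone(cond):
            mfa_for_all = True
        if ("block" in controls and _covers_everyone(cond)
                and {"exchangeActiveSync", "other"} <= set(cond.get("clientAppTypes", []))):
            legacy_blocked = True
    if not mfa_for_all:
        gaps.append(("<tenant>", "no enabled policy requires MFA for all users/apps without exclusions"))
    if not legacy_blocked:
        gaps.append(("<tenant>", "no enabled policy blocks legacy auth (exchangeActiveSync, other)"))
    return gaps


def unregistered_users(registration):
    """Users with no second factor registered; admins flagged with True."""
    return sorted((r["userPrincipalName"], r["isAdmin"])
                  for r in registration if not r["isMfaRegistered"])


def legacy_signins(signins):
    """Successful sign-ins over legacy clients: each one walked past MFA."""
    return [(s["userPrincipalName"], s["clientAppUsed"]) for s in signins
            if s["clientAppUsed"] in LEGACY_CLIENT_APPS
            and s["status"]["errorCode"] == 0]


if __name__ == "__main__":
    for name, problem in policy_gaps(POLICIES):
        print(f"POLICY   {name}: {problem}")
    for upn, is_admin in unregistered_users(REGISTRATION):
        print(f"NO MFA   {upn}{' (ADMIN)' if is_admin else ''}")
    for upn, app in legacy_signins(SIGNINS):
        print(f"LEGACY   {upn} signed in via {app}")
```

Run against the sample data, the audit reports the excluded service account, the report-only legacy-auth policy, two users without a registered factor (one an admin), and one successful IMAP4 sign-in. Each of those is exactly the kind of "single entry point where it wasn't enforced" that the insurer section describes; an empty report from all three checks is what "enforced" looks like in evidence form.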

Unsure if your MFA meets insurance standards? Read our article on Cyber Insurance Denials in Queensland or Contact us for advice.