July 15, 2026 · MFA · requirements
What MFA do cyber insurance carriers actually require?
The short answer
Cyber insurance carriers require multi-factor authentication to be enforced — not optional — in three places: every business email account, every form of remote access (VPN, remote desktop, remote-support tools), and every administrator or privileged account. Partial rollouts typically fail the application question, and MFA's absence is the most common single reason small businesses get declined.
The Founder
Founder, Surable · 20 years in IT and information security
Ask an underwriter what disqualifies a small business fastest and you'll hear the same answer: no MFA. It's the first control on the application because stolen credentials are the front door for most attacks — and because it's so cheap to fix that not having it reads as a signal about everything else.
But "do you have MFA?" is not actually the question carriers ask. They ask something more specific, in three parts.
Where exactly is MFA required?
1. All business email accounts. Not most. All. Email is where password resets land, where wire instructions get sent, and where an attacker with one phished password can quietly read everything. Applications ask whether MFA is enforced for all users — an opt-in rollout with stragglers is a "no."
2. All remote access. VPN, remote desktop (RDP), and remote-support tools like the ones your IT provider uses. Internet-reachable remote access without MFA is the classic ransomware entry point, and several carriers treat it as close to uninsurable.
3. All administrator accounts. Domain admins, Microsoft 365 / Google Workspace admins, firewall and backup consoles. A phished admin password turns a bad day into a total one, so privileged accounts get their own line on most applications.
What does "enforced" mean in practice?
Enforced means the system requires the second factor — the user can't skip it, and new accounts get it automatically:
- Microsoft 365: Security Defaults (free tier) or Conditional Access policies requiring MFA for all users, with no permanent exclusions.
- Google Workspace: 2-Step Verification set to enforced for every organizational unit, with a bounded enrollment window.
Exceptions are where applications go to die. If a legacy system genuinely can't do MFA, isolate it, document the compensating controls, and disclose it — that's a defensible answer. A silent exception is a misrepresentation you attested to.
The setup, honestly described
For a business already on Microsoft 365 or Google Workspace, enforced MFA is free and takes an afternoon, most of which is communication: tell everyone the date, send the 3-step enrollment instructions, run enforcement, then chase the last two people (there are always two). The written MFA policy that goes with it — required by the same applications — is a two-page document if you start from a decent template.
That afternoon removes the single most common declination trigger in small-business cyber underwriting. There is no better return on effort anywhere in this process.
Answering the application question accurately
The honest-and-favorable framing, in order of preference:
- "Yes, enforced for all users" — because you actually did the rollout above.
- "Yes, with documented exceptions" — the legacy system is named, isolated, and has compensating controls in writing.
- Never "yes" as an aspiration. The attestation you sign makes your MFA answer a warranty; a claim investigation will pull the authentication logs.
Want to see how your MFA posture — and the other nine domains carriers probe — scores today? The free Readiness Check takes five minutes and shows you exactly where you stand.
Common questions
Does 'MFA on email' include shared mailboxes and service accounts?+
Carriers ask about all accounts, and attackers specifically hunt the forgotten ones. Shared mailboxes should be converted to a form that can't be signed into directly or protected the same way; service accounts that can't do MFA should be documented with compensating controls (long unique credentials, conditional access, monitoring).
Is SMS-based MFA acceptable?+
It's better than nothing and generally counts as MFA on applications today, but app-based push or hardware keys are meaningfully stronger. If you're setting up fresh, start with an authenticator app — same effort, better control, and no awkward disclosure later.
We have no VPN or remote desktop. How do we answer the remote-access question?+
Accurately: 'no remote access exists' is a legitimate and favorable answer. Verify it's actually true first — remote-support tools, exposed RDP on a forgotten server, or a vendor's back door all count as remote access.
How do I prove MFA is enforced if the carrier asks?+
Export or screenshot the enforcement policy from your admin console (Microsoft 365 Conditional Access / security defaults, or Google Workspace 2-Step Verification enforcement), and keep your written MFA policy current. Policy plus console evidence answers any follow-up.
Sources
Find out where you stand — free, in 5 minutes
Instant readiness score across the ten domains carriers probe, plus your top three gaps and how to fix them.