Understand what MFA evidence cyber insurers accept. Learn platform requirements, enrollment proof, and common rejection reasons.
Cyber insurers require evidence that multifactor authentication (MFA) is enforced across all users and cannot be bypassed. Acceptable evidence typically includes screenshots of Entra ID (formerly Azure AD) Conditional Access policies showing MFA required for all users and cloud applications, Okta admin console settings documenting MFA enforcement, Cisco Duo policy enforcement screenshots, or Google Workspace 2-Step Verification reports. Underwriters request enrollment reports, usage statistics, and documentation that MFA cannot be disabled by end users. Common insufficient evidence includes password manager MFA (considered weaker than native platform MFA), MFA enabled for some users but not all, and attestations without supporting screenshots. Requirements often mandate 100% user adoption with documented proof of active enforcement.
Today, brokers request MFA policy screenshots from the IT/security team, manually assemble enrollment and usage reports, compile everything into an email or PDF, and submit it to the underwriter.
The evidence format is not standardized, it is unclear exactly which platforms and configurations underwriters will accept, enrollment and usage reports must be gathered by hand, and there is no way to prove a policy has not changed since the screenshot was taken.
A structured MFA compliance attestation that records the platform, the policy rules, the user enrollment count, the last-active timestamp, and an API-queryable enforcement status.
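As an added example (not Evidence Room's code and not part of the original page), the Python below checks an exported Entra ID Conditional Access policy for the shape described above (enabled, all users, all cloud apps, MFA required) and assembles the structured attestation record. The policy export and enrollment report are constructed sample data that follow the Microsoft Graph field names; the GUIDs are placeholders.

```python
import json

# Constructed sample export, not from a real tenant. Field names follow the Microsoft
# Graph conditionalAccess/policies schema; the group/role GUIDs are placeholders.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["00000000-0000-0000-0000-000000000001"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA for admins (report-only)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": [], "includeRoles": ["00000000-0000-0000-0000-000000000002"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

# Constructed enrollment report: one row per user, as an MFA registration export would give.
SAMPLE_ENROLLMENT = [
    {"upn": "alice@example.test", "mfaRegistered": True, "lastMfaSignIn": "2024-05-02T08:15:00Z"},
    {"upn": "bob@example.test", "mfaRegistered": True, "lastMfaSignIn": "2024-05-01T17:40:00Z"},
    {"upn": "svc-backup@example.test", "mfaRegistered": False, "lastMfaSignIn": None},
]

def policy_findings(policy):
    """Reasons the policy is not 'enabled, all users, all cloud apps, MFA required'; [] means it qualifies."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":  # report-only mode enforces nothing
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")
    if "All" not in users.get("includeUsers", []):
        findings.append("scope is narrower than all users")
    if "All" not in apps.get("includeApplications", []) or apps.get("excludeApplications"):
        findings.append("does not cover all cloud applications")
    if "mfa" not in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
        findings.append("grant controls do not require MFA")
    return findings

def build_attestation(policies, enrollment):
    """Structured attestation: enforcing policies, exclusions to justify, enrollment count, last MFA activity."""
    enforcing = [p for p in policies if not policy_findings(p)]
    users = enforcing[0]["conditions"]["users"] if enforcing else {}
    exclusions = users.get("excludeUsers", []) + users.get("excludeGroups", [])
    active = [r["lastMfaSignIn"] for r in enrollment if r["lastMfaSignIn"]]
    return {
        "platform": "Entra ID Conditional Access",
        "enforced_for_all_users": bool(enforcing),
        "enforcing_policies": [p["displayName"] for p in enforcing],
        "exclusions_to_justify": exclusions,  # e.g. break-glass accounts an underwriter will ask about
        "enrolled_users": sum(r["mfaRegistered"] for r in enrollment),
        "total_users": len(enrollment),
        "last_mfa_activity": max(active) if active else None,  # ISO-8601 strings sort chronologically
    }
```

Running `build_attestation(SAMPLE_POLICIES, SAMPLE_ENROLLMENT)` flags the report-only admin policy as non-enforcing, keeps the break-glass group exclusion visible for justification, and reports two of three users enrolled.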
“Underwriters require enrollment reports, usage statistics, and evidence that MFA cannot be disabled by end users.”
“Cyber insurers typically require 100% user adoption with documented proof of active MFA usage across your organization.”
“Password manager MFA is considered weaker than native platform MFA and is often insufficient for cyber insurance.”