REFERENCE GUIDE

How to Write an MFA Policy That Satisfies Cyber Insurance Underwriters

Write MFA policy for cyber insurance. Sections underwriters expect, approved methods, exceptions, and evidence requirements explained.

BindLedgerApril 3, 202615 min read

Most MFA policy templates are too generic for cyber insurance.

They say things like "users must use multi-factor authentication where available" or "MFA should be enabled on critical systems." That sounds responsible. It is also exactly the kind of language that collapses under underwriting scrutiny.

Cyber insurers are not asking for a motivational memo about MFA. They are asking whether MFA is enforced on the specific access paths that drive real claims: email, remote access, VPN, privileged accounts, cloud administration, and third-party access.

A policy that does not speak in that language is usually not good enough.

Key takeaways

  • A carrier-acceptable MFA policy is specific about scope, access paths, approved methods, exceptions, review cadence, and proof.
  • Coalition, Travelers, and Hartford all ask about MFA differently, but the operational truth behind the questions is largely the same.
  • A policy by itself does not prove readiness. It has to be paired with platform evidence showing enforcement.
  • In 2026, the strongest MFA policies do not just say "we require MFA." They define which methods are preferred, which are temporary fallbacks, and how exceptions are governed.

The Complete Guide to Cyber Insurance Evidence in 2026

What brokers, MSPs, and business owners need to know about collecting, organizing, and submitting cyber insurance evidence for renewal. Control requirements, carrier mapping, and the mistakes that get claims denied.

Read article ->

The short answer is this:

A cyber-insurance-ready MFA policy should define who must use MFA, where MFA is required, which methods are approved, how exceptions are approved, how break-glass and service accounts are handled, how compliance is reviewed, and what evidence proves enforcement. If your policy cannot answer those questions, it is probably too vague for underwriting.

What this cyber insurance requirement really is

An MFA policy is the governance layer behind the checkbox.

It tells the underwriter and the insured five things:

  1. which users and accounts are in scope,
  2. which access paths require MFA,
  3. which authentication methods are acceptable,
  4. how exceptions are controlled, and
  5. how the organization verifies the control is real.

That is why BindLedger's MFA template page frames the deliverable around enforcement scope, approved authentication mechanisms, exception procedures, and compliance verification - not just a one-line policy statement.

What carriers are actually looking for

Carrier forms are different. The control they want is not.

Here is the cleanest cross-carrier view.

CarrierWhat the form asksWhat your policy must cover
CoalitionMFA for email, VPN, remote access, and privileged accountsScope by access path, not just "all users"
TravelersMFA for remote access to email and other systems with private or sensitive data in bulkRemote access, email, sensitive-data systems, evidence of enforcement
HartfordMFA on remote network access and email; ransomware supplemental digs into remote desktop, privileged access, and Microsoft 365 add-onsRemote access paths, admin / privileged access, cloud services, and stronger control language around phishing risk

That is the first principle.

Do not write the policy around your identity platform. Write it around the attack paths and underwriting questions.

The carrier signals you should design around

Coalition: separate the access paths

Coalition's application is disciplined because it does not accept the blanket statement "we have MFA." It asks separately about:

  • email,
  • VPN,
  • RDP / RDWeb / RD Gateway or other remote access,
  • and network / cloud administration or other privileged accounts.

That means a carrier-ready policy should explicitly enumerate those paths.

Travelers: connect MFA to data-bearing systems

Travelers' CyberRisk short form asks whether the applicant has MFA for remote access to email and other systems and programs that contain private or sensitive data in bulk.

That means your policy should not stop at workforce SSO. It should include remote access to high-sensitivity systems.

Hartford: tie MFA to remote access, email, and broader ransomware posture

The Hartford's CyberChoice underwriting application asks whether nonpublic personal records are encrypted at rest, in transit, and on mobile devices, and its ransomware supplemental asks how remote desktop is protected, which Office 365 security add-ons are used, how access is controlled, how privileged access is controlled, and more.

That means your MFA policy should sit inside a larger access-control model, not as a standalone sentence.

Why most MFA policies fail in underwriting

The usual failure modes are boring. That is why they happen so often.

Failure 1: The policy is vague

"Users should use MFA where feasible."

That sentence sounds fine internally. It is terrible for underwriting.

It leaves unanswered:

  • which users,
  • which systems,
  • what counts as feasible,
  • who decides,
  • and what happens when something is excluded.

Failure 2: The policy defines users but not access paths

A policy can say "all employees must use MFA" and still say nothing useful about:

  • VPN,
  • RDP,
  • remote support tools,
  • cloud admin panels,
  • privileged SaaS roles,
  • or third-party access.

Carriers care about the path, not just the person.

Failure 3: The policy is disconnected from evidence

A written policy is not proof that MFA is enforced.

Underwriters, brokers, and claims reviewers all need a cleaner chain than "the document says so." The policy has to be written in a way that can be matched to exports from Entra ID, Duo, Okta, a VPN platform, or a remote access stack.

Failure 4: The policy ignores exceptions

Break-glass accounts, service accounts, legacy systems, M&A transitions, and vendor portals all create exceptions. If the policy pretends they do not exist, the truth will surface later in the worst possible moment.

Failure 5: The policy freezes the organization at a weak method set

In 2026, an MFA policy that treats SMS the same as phishing-resistant methods is already behind the security curve. Carriers may not always ask that distinction directly yet, but the broader security baseline has moved.

The 12 sections every carrier-ready MFA policy should include

This is the part to copy into your drafting checklist.

1. Purpose

State why the policy exists in operational language, not just compliance language.

What good looks like: The purpose should tie MFA to account-compromise prevention, remote-access security, protection of privileged access, and support for cyber insurance attestations and evidence collection.

Sample language: This policy establishes mandatory multi-factor authentication requirements for access to organizational email, remote access services, cloud administration interfaces, privileged accounts, and other systems designated as sensitive. The purpose of this policy is to reduce account-compromise risk, strengthen access control, and support defensible cyber insurance attestations.

2. Scope

Define who and what is covered.

Include:

  • employees,
  • contractors,
  • MSP personnel,
  • third-party administrators,
  • temporary workers,
  • privileged users,
  • and any user with access to in-scope systems.

Also define which systems are in scope:

  • email,
  • VPN,
  • remote desktop / remote support tools,
  • cloud admin portals,
  • IAM platforms,
  • sensitive SaaS systems,
  • and systems containing private or sensitive data.

Sample language: This policy applies to all workforce identities, contractors, managed service providers, and third parties with access to organizational systems. It also applies to all interactive access to email, VPN, remote administration tools, cloud services, privileged functions, and systems containing regulated, confidential, or business-critical information.

3. Definitions

This is boring, but it matters.

At minimum define:

  • MFA,
  • privileged account,
  • remote access,
  • break-glass account,
  • service account,
  • approved authenticator,
  • exception.

NIST's small-business MFA guidance is useful here because it keeps the factors simple: something you know, something you have, and something you are.

4. Required MFA coverage by access path

This is the section most templates miss.

Do not just say "MFA is required on all accounts." State the paths.

Minimum coverage list:

  • email access,
  • VPN access,
  • remote desktop and remote support access,
  • cloud administration and control-plane access,
  • privileged administrative access,
  • access to systems that store or expose private / sensitive data in bulk,
  • third-party and MSP access to your environment.

Sample language: MFA is mandatory for all interactive access to organizational email, VPN services, remote desktop services, remote support tools, cloud administration interfaces, identity-provider administration consoles, and privileged accounts. MFA is also mandatory for any remote access to systems containing private, regulated, or otherwise sensitive information in bulk.

5. Approved authentication methods and method hierarchy

This is where the policy should be precise and modern.

NIST SP 800-63B-4 says applications assessed at AAL2 must offer a phishing-resistant authentication option, and AAL3 requires a phishing-resistant authenticator with a non-exportable authentication key. Microsoft's current guidance says FIDO2 security keys are, according to CISA, the gold standard of MFA. Microsoft also warns that Microsoft Authenticator by itself is not phishing-resistant, although managed-device and Conditional Access controls can materially improve protection from external phishing.

That means your policy should show a preference hierarchy. For more on phishing-resistant MFA and passkeys as a modern authentication approach, see our detailed guidance.

A practical 2026 hierarchy:

  1. FIDO2 security keys / passkeys / platform-bound phishing-resistant authenticators
  2. Certificate-based or hardware-backed enterprise authenticators
  3. Authenticator-app TOTP
  4. Push-based MFA with number matching and managed-device controls
  5. SMS / voice only as a documented temporary exception, not as the preferred long-term baseline

Sample language: Approved MFA methods shall be prioritized as follows: phishing-resistant authenticators such as FIDO2 security keys or equivalent platform-bound authenticators; certificate-based or hardware-backed enterprise authenticators; authenticator application one-time passcodes; and push-based MFA with number matching and device-compliance controls. SMS and voice-based methods may be used only as temporary exception methods approved under this policy.

That language is strong without pretending every environment can go fully phishing-resistant overnight. For deeper context on phishing-resistant MFA and modern authentication, see Passkeys: Phishing-Resistant MFA for Cyber Insurance Renewals.

6. Enrollment, issuance, and identity verification

State how users are enrolled and who approves method issuance.

A real policy should answer:

  • who can register a user,
  • what identity proofing is required for resets,
  • how replacement devices are issued,
  • and how help desk workflows prevent social engineering.

This matters because the weakest point in MFA is often not the authenticator. It is the recovery flow.

7. Service accounts and non-human identities

This is where weak policies go silent.

You cannot force a password prompt and second factor onto every non-human identity in the same way you do for a person. But you can define what those accounts are allowed to do and what compensating controls apply.

Your policy should cover:

  • prohibition on interactive sign-in for service accounts unless explicitly approved,
  • inventory and owner requirement,
  • secret rotation,
  • vaulting,
  • network restriction,
  • least privilege,
  • log review,
  • and periodic revalidation.

Sample language: Service accounts and other non-human identities are not exempt from access-control governance. Interactive use of service accounts is prohibited unless explicitly approved. Each service account must have a documented owner, defined business purpose, least-privilege permissions, monitored use, and compensating controls appropriate to the system and risk.

8. Break-glass / emergency access accounts

Carriers may not ask this section explicitly on every form, but sophisticated reviewers care about it.

You need a way to preserve emergency access without turning that account into a silent exception hole.

Your policy should state:

  • how many break-glass accounts exist,
  • how credentials are stored,
  • who can access them,
  • how use is logged,
  • how use is reviewed,
  • and what extra controls apply.

9. Third-party and MSP access

This is another overlooked section.

If an MSP, vendor, outsourced admin, or contractor can access your environment, the MFA policy should say so explicitly.

Sample language: All third-party, vendor, contractor, and managed service provider access to organizational systems shall use MFA at a security level equivalent to internal user access for the same function. Privileged third-party access shall be separately approved, logged, and reviewed.

10. Exception management

This section separates a real policy from a fake one.

A good exception process requires:

  • written request,
  • business justification,
  • named owner,
  • defined compensating controls,
  • time-bound approval,
  • review date,
  • and removal plan if the exception exists due to legacy constraints.

Bad language: Exceptions may be granted as needed.

Good language: Exceptions to MFA enforcement must be documented in writing, approved by the designated security owner, include the reason for the exception, the affected system or identities, the compensating controls in place, the expiration date, and the remediation plan required to eliminate the exception where feasible.

11. Logging, review cadence, and evidence retention

If the policy is supposed to support cyber insurance readiness, it should say how enforcement is verified.

That means describing at least:

  • review frequency,
  • required reports,
  • exception register review,
  • coverage review for privileged accounts,
  • and retention of audit records or exports.

Sample language: The organization shall review MFA coverage, exceptions, privileged-account enforcement, and authentication-method configuration at least quarterly and before any cyber insurance application or renewal attestation. Evidence of review shall be retained in a form sufficient to support underwriting, audit, or post-incident validation.

12. Ownership, enforcement, and annual review

Name the control owner.

Do not leave the policy owner ambiguous. The policy should state who maintains it, who approves changes, and how often it is reviewed.

A copy-and-customize MFA policy outline

If you want the shortest draftable version, use this skeleton.

Section 1: Purpose

This policy establishes mandatory multi-factor authentication requirements for access to organizational systems in order to reduce account compromise risk, protect privileged access, and support defensible cyber insurance attestations.

Section 2: Scope

This policy applies to all employees, contractors, third parties, MSP personnel, and other users who access organizational systems. It applies to interactive access to email, VPN, remote support tools, remote desktop services, cloud administration portals, privileged accounts, and systems containing sensitive or regulated information.

Section 3: Required MFA coverage

MFA is required for:

  • email access,
  • VPN access,
  • remote desktop and remote support access,
  • cloud and identity administration,
  • privileged accounts,
  • and remote access to systems containing sensitive data in bulk.

Section 4: Approved methods

Approved methods are prioritized as follows:

  1. phishing-resistant authenticators such as FIDO2 security keys or equivalent platform-bound authenticators,
  2. certificate-based or hardware-backed authenticators,
  3. authenticator app one-time passcodes,
  4. push MFA with number matching and approved device controls.

SMS and voice-based methods are temporary exception methods only and require separate approval.

Section 5: Service accounts and emergency accounts

Service accounts may not be used interactively unless explicitly approved. Break-glass accounts must be limited, vaulted, monitored, and reviewed after each use.

Section 6: Exceptions

Exceptions require documented justification, defined compensating controls, named ownership, review date, and expiration date.

Section 7: Verification and review

MFA coverage and exceptions must be reviewed at least quarterly and before any cyber insurance attestation or renewal submission. Evidence of review must be retained.

That outline is intentionally short. The live policy should expand each section with your actual systems, users, and ownership model.

How strong should the methods section be in 2026?

This is where many teams need the most judgment.

NIST's current guidance is not saying every business must move to AAL3 overnight. It is saying the floor is rising. AAL2 applications must offer a phishing-resistant option, and AAL3 requires a phishing-resistant authenticator with a non-exportable key. NIST's small-business MFA guidance also makes the basic principle clear: MFA means two or more distinct factors. A biometric is not magic by itself; in higher-assurance models it works together with a physical authenticator.

Microsoft's current federal MFA guidance adds useful implementation reality:

  • FIDO2 security keys are described as the CISA "gold standard" of MFA.
  • Windows Hello for Business is phishing-resistant.
  • Microsoft Authenticator alone is not phishing-resistant.
  • Managed-device and Conditional Access combinations can still materially improve resistance to external phishing.

The right policy response is not "ban everything except hardware keys tomorrow."

The right response is:

  • prefer phishing-resistant methods for privileged and high-risk access,
  • describe the approved fallback methods honestly,
  • and make weaker methods temporary where possible.

That is a strong security position and a defensible underwriting position.

What evidence proves the policy is real

A policy is governance evidence. It is not technical proof.

To make the control defensible, pair the policy with these artifacts:

  • identity-provider policy export,
  • MFA user coverage report,
  • privileged-role inventory with MFA requirement,
  • VPN or remote-access MFA proof,
  • exception register,
  • recent sign-in or authentication activity,
  • and the latest policy approval date.

The best packet combines policy, coverage, usage, and exceptions.

If you need the extraction side, see How to Export MFA Evidence from Entra ID, Duo, and Okta for Your Cyber Insurance Renewal. For the broader Microsoft 365 attestation context, see Cyber Insurance for Microsoft 365 Tenants: The 2026 Attestation Checklist.

The seven MFA policy mistakes that create underwriting risk

Mistake 1: Using "should" where you mean "must"

"Should" is advice. "Must" is a control.

Mistake 2: Forgetting at least one major access path

Email-only language is not enough. User SSO-only language is not enough. You need VPN, remote access, and privileged administration coverage.

Mistake 3: Ignoring service accounts

If your policy says nothing about them, the underwriter is left to assume the hardest corner of the environment is unmanaged.

Mistake 4: No exception process

A hidden exception is worse than a documented one.

Mistake 5: No ownership

A policy with no owner will drift.

Mistake 6: No review cadence

An undated policy is weak evidence. An annually reviewed policy is better. A quarterly control-review note paired with the policy is even better.

Mistake 7: Treating registration as enforcement

If the policy does not state how enforcement is verified, operators will start exporting enrollment data and calling it proof. That is how MFA answers go wrong.

Create the policy before renewal week

An MFA policy is not the whole answer. But it is the governance document that makes the technical exports understandable.

If you need a carrier-aligned starting point:

FAQ

Does a written MFA policy by itself satisfy cyber insurance underwriters?

No. It helps, but it is governance evidence, not technical proof. Underwriters usually need to know that MFA is enforced in practice, which means pairing the policy with exports, coverage reports, exception records, and evidence for specific access paths.

What should an MFA policy cover for cyber insurance?

At minimum: email, VPN, remote access, privileged accounts, cloud administration, third-party access, approved methods, exception process, review cadence, and evidence retention.

Is SMS acceptable in an MFA policy?

It can be documented as a temporary or fallback method, but a modern policy should not present SMS as the preferred long-term control everywhere. Stronger and phishing-resistant methods should be prioritized where possible, especially for privileged and high-risk access.

Do service accounts need to be in the policy even if they cannot use interactive MFA?

Yes. The policy should define how non-human accounts are governed, what compensating controls apply, and whether interactive use is prohibited.

How often should the MFA policy be reviewed?

At least annually as a document, and more often as a control review. Quarterly review of coverage, privileged-account enforcement, and exceptions is a strong practical baseline.

What is the biggest drafting mistake?

The biggest mistake is writing a policy around generic users instead of specific access paths. Carriers are asking about the path attackers use, not just whether MFA exists somewhere in the environment.

Verify your email security posture now

Free carrier-mapped DNS scan. No signup required.

Scan your domain →

Sources

  1. Coalition Cyber Policy Application (CYUSP-00NA-1022-01) https://cdn.intelligencebank.com/us/share/NMXD/DX90l/Xo8rX/original/Coalition-Cyber-USA-NEWAPP-COMBINED-202302

  2. Travelers, "CyberRisk Short Form Renewal Application" https://asset.trvstatic.com/download/assets/cyb-14203.pdf/ae74d9ea63c911eea2fad22664723407

  3. The Hartford, "CyberChoice Underwriting Application" https://assets.thehartford.com/image/upload/cyberchoice_cyber_new_business_application.pdf

  4. The Hartford, "CyberChoice Secure Supplemental Ransomware Application" https://assets.thehartford.com/image/upload/ransomware_supplemental_application.pdf

  5. NIST, "Multi-Factor Authentication" https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication

  6. NIST SP 800-63B-4, "Digital Identity Guidelines: Authentication and Authenticator Management" https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf

  7. Microsoft Learn, "Meet multifactor authentication requirements of memorandum 22-09" https://learn.microsoft.com/en-us/entra/standards/memo-22-09-multi-factor-authentication

  8. Georgia Technology Authority, "Multi-Factor Authentication Policy (PS-21-002)" https://gta-psg.georgia.gov/psg/multi-factor-authentication-policy-ps-21-002

  9. St. Mary's College of California, "Multi-Factor Authentication Policy Template" https://www.stmarys-ca.edu/sites/default/files/2024-08/SMC-Multi-Factor-Authentication-Policy-2.0_0.pdf

  10. BindLedger MFA template page https://www.bindledger.com/templates/mfa-policy

  11. BindLedger, "How to Export MFA Evidence from Entra ID, Duo, and Okta for Your Cyber Insurance Renewal" https://www.bindledger.com/blog/export-mfa-evidence-entra-duo-okta-cyber-insurance

Related articles