EVIDENCE TEMPLATE — UC-01
Create your MFA enforcement policy for cyber insurance
The platform helps organizations develop a customized multi-factor authentication policy aligned with major carrier expectations, delivered in approximately two minutes.
What this cyber insurance requirement is
An MFA policy documents your organization's requirements for multi-factor authentication across email, remote access, VPN, and privileged accounts. Carriers require this because MFA is one of the most effective controls against account compromise and lateral movement. The policy defines which systems require MFA, which authentication methods are acceptable, how exceptions are managed, and how compliance is verified.
Create your MFA enforcement policy below
What you'll get
- Identity provider identification and version
- MFA enforcement scope (email, VPN, remote access, admin accounts)
- Approved authentication mechanisms
- Exception procedures and compensating controls
- Compliance verification and audit procedures
What carriers are looking for
Each carrier asks slightly different questions. Here are some named artifacts by carrier.
- Email MFA enforcement status
- VPN access MFA requirements
- Remote access MFA enforcement
- Privileged account MFA
- MFA on all remote network access
- Email access MFA enforcement
- Exception documentation
- Detailed MFA supplement covering email and remote access
- Directory services and authentication mechanism details
- Backup environment and infrastructure specifications
- Endpoint and server configurations
- MFA enforcement status and scope
- Endpoint protection measures
- Remote access controls
Evidence that proves readiness
BindLedger automatically verifies
- Identity provider identification and version
- MFA enrollment percentages by user category
- Conditional access and security policy configuration status
Requires manual collection
- Screenshots of conditional access policies
- MFA enrollment reports and audit logs
- Admin account MFA configuration evidence
- Exception registers with compensating controls documented
- Policy review dates and approver authorization
Important: What this doesn't prove
Be upfront about these gaps. Carriers appreciate honesty over overstatement.
A policy requiring MFA doesn't prove users are actually enrolled or using MFA. Enrollment percentages can lag behind policy intentions.
Policies may not address legacy authentication protocols that bypass MFA entirely, so anyone holding a valid password can sign in through those protocols without ever being challenged for a second factor.
Technical MFA setup might be incomplete or incorrectly configured, creating gaps that sophisticated attackers can exploit.
Privileged accounts sometimes operate outside standard MFA controls due to technical constraints, creating high-value targets for attackers.
Exception processes might exist, but compensating controls for users unable to use MFA may be weak or unenforced.
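The enrollment, privileged-account and legacy-protocol gaps listed above can be measured rather than asserted. The script below is an added example, not BindLedger's or any carrier's code: it reads a constructed identity-provider export (the column names and the yes/no encoding are assumptions, not a real vendor format) and computes the figures a carrier asks for, namely enforced-MFA percentage per user category, privileged accounts outside enforcement, and accounts still signing in over legacy protocols.

```python
# Added example (not BindLedger's code): turn an identity-provider export into the
# evidence figures a carrier asks for: MFA enrollment per user category, privileged
# accounts outside MFA, and users still signing in over legacy protocols that bypass MFA.
# The CSV layout below is an assumed, constructed sample, not any vendor's real export.
import csv
import io
from collections import defaultdict
SAMPLE_EXPORT = """user,category,mfa_registered,mfa_enforced,legacy_auth_signins_30d
alice@example.test,admin,yes,yes,0
bob@example.test,admin,yes,no,0
carol@example.test,staff,yes,yes,0
dave@example.test,staff,no,no,12
erin@example.test,staff,yes,yes,3
svc-backup@example.test,service,no,no,0
"""

def load_users(csv_text):
    """Parse the export; booleans are the strings yes/no in the assumed layout."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["mfa_registered"] = r["mfa_registered"].lower() == "yes"
        r["mfa_enforced"] = r["mfa_enforced"].lower() == "yes"
        r["legacy_auth_signins_30d"] = int(r["legacy_auth_signins_30d"])
    return rows

def enrollment_by_category(users):
    """Percent of users per category who are both registered AND enforced:
    registration alone is 'enabled'; carriers ask for 'enforced'."""
    totals, enforced = defaultdict(int), defaultdict(int)
    for u in users:
        totals[u["category"]] += 1
        if u["mfa_registered"] and u["mfa_enforced"]:
            enforced[u["category"]] += 1
    return {c: round(100.0 * enforced[c] / totals[c], 1) for c in totals}

def findings(users, privileged=("admin",)):
    """Gaps a policy document cannot prove: privileged accounts not enforced,
    and legacy-protocol sign-ins, which authenticate without ever reaching MFA."""
    out = []
    for u in users:
        if u["category"] in privileged and not u["mfa_enforced"]:
            out.append(("privileged_without_mfa", u["user"]))
        if u["legacy_auth_signins_30d"] > 0:
            out.append(("legacy_auth_in_use", u["user"]))
    return out

if __name__ == "__main__":
    users = load_users(SAMPLE_EXPORT)
    print(enrollment_by_category(users), findings(users))
```

The per-category percentages are the enrollment figures for the evidence register, and each finding is an item for the exception register or a remediation ticket.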
Who owns what
Broker
Interprets carrier MFA requirements, packages documentation for submission, and manages timeline for carrier responses.
MSP/IT
Sets up identity provider, enables and enforces MFA enrollment, generates reports, and configures conditional access policies.
Business Owner
Approves the policy, makes decisions on exceptions, authorizes MFA scope, and attests to implementation status.
Frequently Asked Questions
Do all carriers require MFA policies?
Most carriers mandate documented evidence of enforced (not just enabled) MFA. Coalition, Travelers, Hartford, and Beazley explicitly address MFA enforcement in their applications. It's now a standard cyber insurance requirement.
Is SMS-based MFA acceptable to carriers?
SMS receives carrier scrutiny because it is vulnerable to SIM swapping. Authenticator apps, push notifications, and FIDO2 hardware keys are the preferred alternatives. If SMS is used, it should be supplemented with other MFA factors and documented as a temporary measure pending replacement.
Which identity providers do carriers accept?
Microsoft Entra ID, Okta, Google Workspace, Duo, JumpCloud, and OneLogin all support centralized MFA enforcement via conditional access policies. Carriers recognize these as industry-standard platforms for MFA management.
How often should we update the MFA policy?
Review at least annually, or whenever identity providers change, MFA scope expands, authentication methods shift, or new threats emerge. Document review dates and approver sign-off for carrier audits.
What's the difference between an MFA policy and technical evidence?
Policy documents state organizational intent and requirements. Technical evidence (screenshots, reports, logs) proves actual implementation and functionality. Carriers want both to confirm intent aligns with reality.
Which carriers are strictest on MFA?
Coalition, Travelers, and Beazley request extensive MFA documentation. Hartford mandates MFA across all remote access. Plan conservatively by assuming all carriers will ask detailed follow-up questions about enforcement, identity provider configuration, and exception handling.
Sources
- Coalition cyber insurance applications and renewal documents
- Hartford cyber insurance applications and renewal documents
- Travelers cyber insurance applications and renewal documents
- Beazley cyber insurance applications and renewal documents
- BindLedger research, March 2026