

The New Cyber Insurance Requirements: What to Know & How to Comply
Examining the New Identity Security Requirements
The goal of the new cyber insurance requirements is to increase the resilience of various attack surfaces within the environment. Zooming in on the identity attack surface, we can identify two key areas:
Requirement 1: Multi-Factor Authentication (MFA) for Administrative Access
Because user accounts are the way that company resources are accessed – including SaaS applications, on-prem servers and workstations, and cloud workloads – attackers relentlessly try to compromise those accounts by making use of the more than 24 billion credentials for sale on the dark web. MFA is the most effective protection against this attack, reducing the effectiveness of malicious access by 99%.
Requirement 2: Privileged Account Protection including Service Accounts
Insurers have recently focused attention on privileged accounts, particularly non-human service accounts used for machine-to-machine communication to run various management, scanning and software maintenance processes. These accounts are often targeted due to their low visibility as well as the fact that they are typically excluded from password rotation. Some policies now require companies to conduct regular inventories of these accounts and put in place security measures to prevent attackers from using them for malicious access.



