The New Metric Shaping Cyber Insurance in 2026

With one in three cyber attacks now involving compromised employee accounts, insurers and regulators are placing greater emphasis on identity when assessing cyber risk.
In most organizations, however, this assessment remains murky. Factors such as password hygiene, privileged access management, and the extent of multi-factor authentication (MFA) coverage increasingly influence how cyber risk is assessed and how insurance is priced.
Understanding the factors behind these assessments is important for organizations seeking to demonstrate lower risk exposure and secure more favorable insurance policies.
Why identity posture is now driving underwriting
With the global average cost of a data breach reaching $4.4 million by 2025, many organizations are turning to cyber insurance to manage financial exposure. In the UK, coverage has increased from 37% in 2023 to 45% in 2025, but rising claim rates are prompting insurers to tighten underwriting requirements.
Credential compromise remains one of the most reliable ways for attackers to gain access, escalate privileges, and persist within an environment. For insurers, strong identity controls reduce the likelihood that a single compromised account leads to wider disruption or data loss, which supports more stable underwriting decisions.
What insurers want to see in identity protection
Password hygiene and authentication exposure
Despite the growing use of multi-factor authentication and passwordless systems, passwords still play an important role in authentication. Organizations should pay particular attention to behaviors and issues that increase the risk of credential theft and abuse, including:
- Password reuse across identities, especially between administrative or service accounts, which increases the likelihood that a single stolen credential leads to wider access.
- Legacy protocols, which are still common on networks and are often abused to harvest credentials. NTLM persists in many environments despite being superseded by Kerberos in Windows 2000.
- Inactive accounts with active credentials, which act as unmonitored entry points and often escape review.
- Service accounts with passwords that never expire, which create long-lived, low-visibility attack paths.
- Shared administrative credentials, which reduce accountability and increase the impact of a compromise.
From an underwriting perspective, evidence that the organization understands and manages these risks is often more important than any individual technical control. Regular password hygiene audits and reporting help demonstrate maturity and the intent to mitigate identity-driven risk.
Privileged access management
Privileged access management is an important measure of an organization’s ability to prevent and contain breaches. Privileged accounts have elevated access to systems and data, yet they are often loosely governed. As a result, insurers pay close attention to how these accounts are managed.
Service accounts, cloud administrators, and delegated rights without centralized monitoring raise the risk significantly. This is especially true if they operate without MFA or logging.
Excessive membership in Domain Admin or Global Administrator roles and overlapping administrative scopes all suggest that privilege escalation can be both rapid and difficult to contain.
Sprawling or untracked privileged access is generally viewed as a greater risk than a small number of tightly controlled privileged accounts. Security teams can use tools like Specops Password Auditor to identify stale, inactive, or over-privileged accounts and prioritize remediation before those credentials are compromised.
Figure: Specops Password Auditor – Dashboard
When determining the likelihood of a damaging breach, the question is straightforward: if an attacker compromises one account, how quickly can they become an administrator? When the answer is “quickly” or “with little effort,” premiums tend to reflect that exposure.
MFA deployment
Most organizations can clearly state that MFA is used. However, MFA only reduces risk if it is applied consistently across all critical systems and accounts. In one documented case, the City of Hamilton was denied an $18 million cyber insurance payout after a ransomware attack because MFA had not been fully activated on all affected systems.
While MFA is not foolproof, MFA fatigue attacks first require valid credentials and then rely on the user approving an unexpected authentication prompt, an outcome that is far from guaranteed.
Meanwhile, accounts that authenticate with legacy protocols, non-interactive service accounts, and privileged roles exempted from MFA for convenience all provide effective bypass routes once initial access is achieved.
That is why insurers are increasingly requiring MFA for all privileged accounts, as well as for email and remote access. Organizations that fall short may face higher premiums.
Four steps to improve your cyber insurance score
There are many ways organizations can improve identity protection, but insurers want evidence of progress in a few key areas:
- Remove weak and shared passwords: Enforce minimum password policies and eliminate password reuse, especially for administrative and service accounts. Strong password hygiene limits the impact of credential theft and reduces the risk of lateral movement following initial access.
- Use MFA for all critical access paths: Ensure that MFA is enabled for remote access, cloud applications, VPNs, and all privileged accounts. Insurers often expect MFA coverage to be comprehensive rather than selective.
- Reduce standing privileged access: Remove permanent administrative privileges where possible and use just-in-time or time-limited elevation for privileged functions. Fewer standing privileged accounts directly reduces the blast radius of a compromise.
- Regularly review and verify access: Perform periodic reviews of user rights and permissions to ensure they are consistent with current roles. Stale access and orphaned accounts are common red flags in an insurance audit.
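As an added example that is not part of the original article or Specops' product, the following Python script implements the checks from the password-hygiene list and the privileged-access section as an audit over a constructed Active Directory export, and reports the privileged-account MFA coverage figure underwriters ask about. The field names, staleness threshold, and sample accounts are assumptions made for illustration.

```python
# Added example (not Specops code): the identity-hygiene checks the article
# describes, run over a constructed export shaped like Get-ADUser output.
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2026, 1, 15)            # assumed audit date
INACTIVE_AFTER = timedelta(days=90)  # assumed staleness threshold
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrator"}

def user(sam, last_logon, groups=(), never_expires=False, mfa=True, enabled=True, nt_hash=""):
    return {"sam": sam, "last_logon": last_logon, "groups": list(groups), "enabled": enabled,
            "pwd_never_expires": never_expires, "mfa": mfa, "nt_hash": nt_hash}

# Constructed sample data; 'nt_hash' stands in for the stored password hash an
# auditor compares to detect reuse (placeholder strings, not real hashes).
USERS = [
    user("alice", date(2026, 1, 10), groups=["Domain Admins"], nt_hash="H-1"),
    user("svc-backup", date(2026, 1, 12), groups=["Domain Admins"], never_expires=True, mfa=False, nt_hash="H-2"),
    user("bob", date(2025, 8, 1), nt_hash="H-3"),
    user("carol", date(2026, 1, 14), nt_hash="H-1"),  # same password as alice
    user("dave-old", date(2024, 3, 3), enabled=False, never_expires=True, nt_hash="H-4"),
    user("helpdesk", None, groups=["Global Administrator"], nt_hash="H-5"),  # never logged on
]

def audit(users, today=TODAY):
    """Return the findings an underwriter asks about, keyed by check name."""
    findings, hash_owners = defaultdict(list), defaultdict(list)
    for u in users:
        if not u["enabled"]:
            continue  # a disabled account is not a live access path
        hash_owners[u["nt_hash"]].append(u["sam"])
        if u["last_logon"] is None or today - u["last_logon"] > INACTIVE_AFTER:
            findings["inactive_enabled"].append(u["sam"])
        if u["pwd_never_expires"]:
            findings["password_never_expires"].append(u["sam"])
        if PRIVILEGED_GROUPS & set(u["groups"]):
            findings["privileged"].append(u["sam"])
            if not u["mfa"]:
                findings["privileged_without_mfa"].append(u["sam"])
    for owners in hash_owners.values():
        if len(owners) > 1:  # identical hash on two accounts means a shared password
            findings["password_reuse"].append(sorted(owners))
    return dict(findings)

def privileged_mfa_coverage(findings):  # percentage of privileged accounts with MFA
    priv = findings.get("privileged", [])
    if not priv:
        return 100.0
    return round(100 * (len(priv) - len(findings.get("privileged_without_mfa", []))) / len(priv), 1)
```

Feeding a real export into `audit()` gives the list of accounts to remediate first; a coverage value below 100 is exactly the gap insurers flag when MFA has been applied selectively.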

Insurers increasingly expect organizations not only to demonstrate that identity controls are in place, but also that those controls are actively monitored and improved over time.
Specops Password Auditor supports this by providing clear visibility into password exposure within Active Directory and enforcing controls that mitigate credential-based risk.
To understand how these controls can be applied in your environment and help meet insurer expectations, speak to a Specops expert or request a live demo.