
MFA coverage gaps: what compliance and insurers are now enforcing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: MFA is shifting from best practice to enforceable expectation as regulators, insurers, and policy frameworks demand proof of coverage, with documented penalties, denied claims, and breach exposure when access points lack MFA, according to Push Security. The real issue is no longer whether MFA exists, but whether it is consistently enforced and provable across the modern identity surface.

NHIMG editorial — based on content published by Push Security: MFA regulators, insurers, and policy-makers are getting stricter on MFA requirements

By the numbers:

Questions worth separating out

Q: How should security teams handle MFA gaps across SaaS applications?

A: Security teams should treat SaaS MFA as a coverage problem, not a single control deployment.

Q: Why do missing MFA controls create both breach and insurance risk?

A: Missing MFA increases the chance that stolen credentials or browser-based attacks will succeed, but it also creates a governance problem after the fact.

Q: What do teams get wrong about MFA compliance?

A: Teams often mistake a written policy for actual enforcement.

Practitioner guidance

  • Map MFA enforcement across the real application estate: inventory every SaaS, browser login flow, and exception path so you can see where MFA is missing or bypassed.
  • Separate policy claims from proof of enforcement: document where MFA is mandatory, where it is optional, and where compensating controls exist, then retain evidence that those settings were active during the relevant period.
  • Prioritise browser-based telemetry for identity risk: monitor session hijacking, consent phishing, password spraying, and anomalous login patterns at the browser layer so that identity abuse is detectable before downstream impact occurs.
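As an added example (not code from Push Security or NHIMG), the first two guidance points turned into a check: a small Python audit that takes a constructed inventory of login paths plus periodic snapshots of the live tenant setting and reports every path that is not provably MFA-enforced across an audit window, separating policy gaps, observed enforcement gaps, and evidence gaps. The class names, fields, and sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class LoginPath:          # one way into one app (assumed inventory record)
    app: str
    path: str             # "sso", "direct-password", "api-token", ...
    policy: str           # written policy: "required", "optional", "none"

@dataclass(frozen=True)
class Snapshot:           # one observation of the live tenant setting
    app: str
    path: str
    enforced: bool
    observed_at: datetime

def coverage_gaps(paths, snapshots, start, end, max_gap=timedelta(hours=24)):
    """(app, path, reason) for each path not provably MFA-enforced over
    [start, end]: policy must say required, no snapshot may show it off,
    and no unobserved stretch (window edges included) may exceed max_gap."""
    gaps = []
    for p in paths:
        if p.policy != "required":
            gaps.append((p.app, p.path, f"policy is '{p.policy}', not required"))
            continue
        seen = sorted((s for s in snapshots if (s.app, s.path) == (p.app, p.path)
                       and start <= s.observed_at <= end), key=lambda s: s.observed_at)
        off = [s for s in seen if not s.enforced]
        if off:   # a written policy is not proof: the setting was observed off
            gaps.append((p.app, p.path, f"enforcement off at {off[0].observed_at:%Y-%m-%d}"))
            continue
        times = [start, *(s.observed_at for s in seen), end]
        if any(b - a > max_gap for a, b in zip(times, times[1:])):
            gaps.append((p.app, p.path, f"evidence sparser than {max_gap}"))
    return gaps

def constructed_sample():
    """Constructed inventory and daily config snapshots for a 5-day window."""
    t0, day = datetime(2025, 1, 1, tzinfo=timezone.utc), timedelta(days=1)
    paths = [LoginPath("crm", "sso", "required"),
             LoginPath("crm", "direct-password", "optional"),
             LoginPath("hr", "sso", "required"),
             LoginPath("billing", "sso", "required")]
    snaps = [Snapshot("crm", "sso", True, t0 + i * day) for i in range(5)]
    snaps += [Snapshot("hr", "sso", i != 2, t0 + i * day) for i in range(5)]
    snaps += [Snapshot("billing", "sso", True, t0 + i * day) for i in (0, 4)]
    return coverage_gaps(paths, snaps, t0, t0 + 4 * day)

if __name__ == "__main__":
    for app, path, reason in constructed_sample():
        print(f"GAP {app}/{path}: {reason}")
```

Only the fully documented `crm/sso` path passes; the other three are reported with the reason an auditor or insurer would ask about.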

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • Framework-by-framework breakdown of how PCI DSS, HIPAA, GDPR, NYDFS 500, and NIST SP 800-63-3 treat MFA obligations.
  • Detailed discussion of how cyber insurers assess attested MFA coverage after a breach and how disputes can arise.
  • Case study specifics on the City of Hamilton claim denial, including the coverage dispute and financial impact.
  • Browser-based detection and response capabilities for MFA gaps, stolen session tokens, and risky OAuth behaviour.

👉 Read Push Security's analysis of MFA regulation, insurance, and browser attacks →
