
With one in three cyberattacks now involving the compromise of an employee account, insurance companies and regulators are placing great importance on identity posture when assessing cyber risk.
However, for many organizations, these assessments remain largely opaque. Factors such as password hygiene, privileged access management, and multi-factor authentication (MFA) coverage are increasingly influencing how cyber risk and insurance costs are assessed.
Understanding the identity-centric factors behind these assessments is important for organizations seeking to demonstrate lower risk exposure and secure more favorable insurance terms.
Why is identity posture driving underwriting right now?
With the global average cost of a data breach reaching $4.4 million in 2025, more organizations are turning to cyber insurance to manage their financial risks. In the UK, coverage rates have increased from 37% in 2023 to 45% in 2025, but rising claims volumes are prompting insurers to tighten underwriting requirements.
Compromised credentials are one of the most reliable ways for attackers to gain access, escalate privileges, and persist within your environment. For insurers, strong identity management supports more sustainable underwriting decisions by reducing the likelihood that a single account compromise will lead to widespread disruption or data loss.
What insurance companies want from identity security
Password hygiene and credential leakage
Despite the increased use of multi-factor authentication and passwordless initiatives, passwords still play an important role in authentication. Organizations should pay particular attention to the following behaviors and issues that increase the risk of credential theft and misuse:
- Password reuse across identities, especially across administrative and service accounts, creates a high chance that a single stolen credential leads to widespread access.
- Legacy authentication protocols are still common within networks and are frequently abused to harvest credentials. NTLM persists in many environments even though Kerberos functionally replaced it in Windows 2000.
- Dormant accounts with valid credentials often act as unmonitored entry points and retain access that nobody intends them to have.
- Service accounts with passwords that never expire create a long-lived, low-visibility attack path.
- Shared administrative credentials reduce accountability and amplify the impact of a breach.
From an underwriting perspective, evidence that an organization understands and actively manages these risks is often more important than the existence of individual technical controls. Regularly auditing password health and credential compromise helps demonstrate maturity and intent to mitigate identity-driven risks.
Privileged access management
Privileged access management is a key measure of an organization’s ability to prevent and mitigate breaches. Privileged accounts can have high levels of access to systems and data, but they are often given excessive privileges. As a result, insurance companies are paying close attention to how these accounts are managed.
Delegated privileges that sit outside central monitoring, such as those held by service accounts and cloud administrators, significantly increase risk, especially when they operate without MFA or logging.
Excessive membership in the Domain Administrator or Global Administrator roles, and overlapping administrative scopes, all suggest that privilege escalation would be rapid and difficult to contain.
Privileged access that is poorly controlled or unknown is typically considered higher risk than a small number of tightly controlled administrators. Security teams can use tools like Specops Password Auditor to identify stale, inactive, or overprivileged administrative accounts and prioritize remediation before those credentials fall into the wrong hands.
Specops Password Audit – Dashboard
When determining the likelihood of a damaging breach, the question is simple: if an attacker compromises one account, how quickly can that attacker become an administrator? If the answer is “immediately” or “with minimal effort,” your insurance premiums will tend to reflect that exposure.
Scope of MFA
Most organizations can credibly state that they have MFA in place. However, MFA only meaningfully reduces risk when applied consistently across all critical systems and accounts. In one documented case, the City of Hamilton was denied $18 million in cyber insurance after a ransomware attack because MFA was not fully implemented across affected systems.
MFA is not foolproof, but MFA fatigue attacks still require valid account credentials first and then depend on the user approving an unfamiliar authentication request, an outcome that is not guaranteed.
On the other hand, accounts that authenticate through older protocols, non-interactive service accounts, and privileged roles that have been exempted from MFA for convenience all provide viable bypass paths once initial access is achieved.
As a result, insurance companies are increasingly requiring MFA for all privileged accounts, not just email and remote access. Organizations that ignore this may be subject to higher premiums.
4 steps to improve your ID Cyber Score
There are many ways organizations can improve identity security, but insurers are looking for evidence of progress in several key areas:
- Eliminate weak and shared passwords: Enforce minimum password standards and reduce password reuse, especially for administrative and service accounts. Strong password hygiene limits the impact of credential theft and reduces the risk of lateral movement after initial access.
- Enforce MFA on all critical access paths: Ensure MFA is enforced for remote access, cloud applications, VPNs, and all privileged accounts. Insurers increasingly expect MFA coverage to be comprehensive rather than selective.
- Reduce standing privileged access: Limit permanent administrative privileges where practical, and use just-in-time or time-limited access for elevated tasks. Having fewer privileged accounts active at any given time directly reduces the impact of a credential compromise.
- Regularly review and validate access: Review user and privilege assignments on a schedule to ensure they match current roles. Stale access and orphaned accounts are common red flags in insurance evaluations.
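Several of the checks above (never-expiring service account passwords, dormant accounts, and privileged group membership) can be turned into a repeatable Active Directory audit. The following PowerShell script is an added example, not code from the original article or from the Specops product; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access, and the 90-day inactivity threshold and the list of privileged groups are assumptions you should adjust.

```powershell
# Added example (not Specops code). Assumes the RSAT ActiveDirectory module
# on a domain-joined host with read access to the directory.
Import-Module ActiveDirectory

$InactiveDays = 90                                    # assumed "dormant" threshold
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$PrivGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')  # assumed set

# 1. Enabled accounts whose password never expires (typical of service accounts).
#    A ServicePrincipalName is a hint that the account really is a service identity.
$NeverExpires = @(Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } })

# 2. Dormant accounts: enabled but no logon since the cutoff (or never).
#    LastLogonDate derives from lastLogonTimestamp, which can lag by up to 14 days.
$Dormant = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    Select-Object SamAccountName, LastLogonDate)

# 3. Privileged group membership, flattened through nested groups.
$Privileged = @(foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
})
$PrivNames = @($Privileged.Member | Sort-Object -Unique)

# 4. Cross-reference: privileged accounts that are also dormant or never-expiring
#    are the highest-priority findings for remediation.
$Findings = @(
    $NeverExpires | Where-Object { $PrivNames -contains $_.SamAccountName } |
        ForEach-Object { [pscustomobject]@{ Account = $_.SamAccountName; Issue = 'Privileged + PasswordNeverExpires' } }
    $Dormant | Where-Object { $PrivNames -contains $_.SamAccountName } |
        ForEach-Object { [pscustomobject]@{ Account = $_.SamAccountName; Issue = "Privileged + inactive > $InactiveDays days" } }
)

'{0} never-expiring, {1} dormant, {2} privileged users; {3} high-risk overlaps' -f `
    $NeverExpires.Count, $Dormant.Count, $PrivNames.Count, $Findings.Count
$Findings | Format-Table -AutoSize
```

Running this on a schedule and keeping the output is the kind of evidence of ongoing review that the article says insurers look for; the counts alone do not find reused passwords, which needs a hash-level audit such as the tool the article describes.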

Insurers increasingly expect organizations to demonstrate that identity management not only exists, but is actively monitored and improved over time.
Specops Password Auditor supports this by providing clear visibility into leaked passwords in Active Directory and enforcing controls to reduce credential-based risks.
To understand how these controls can be applied to your environment and align with insurance carrier expectations, talk to a Specops expert or request a live demo.
