MFA Requirements for Cyber Insurance: What Business Leaders Need Now

As cyber‑insurance premiums continue to rise, it’s no longer enough to just “have MFA.” Insurers now demand strong, phishing‑resistant implementations—or they won’t provide coverage. Meeting the MFA requirements for cyber insurance means understanding which MFA types are accepted, how to upgrade legacy systems, and what it means for policy costs and risk.


Why Insurers Are Raising the Bar

MFA is now one of the top technical requirements insurers look at when assessing cyber-risk. Insurance carriers have seen an increase in claims tied to account takeovers, many of which succeeded because the organization relied on outdated MFA like SMS codes. As a result, insurance underwriters are demanding stronger controls across the board.

Understanding Phishing‑Resistant MFA

Not all MFA is created equal. Traditional methods—like SMS or mobile app prompts—can be intercepted or spoofed. “Phishing-resistant MFA” refers to methods that verify the user and device in a cryptographically secure way. Examples include hardware security keys (like YubiKeys) and certificate-based authentication. These methods drastically reduce the risk of credential phishing attacks.

Business Risks of Weak MFA

  • Policy denial or voiding: Insurers may reject your claim if your MFA does not meet their underwriting criteria.
  • Higher premiums: Basic MFA often leads to increased costs. Some insurers offer reduced rates for phishing-resistant MFA adoption.
  • Regulatory exposure: Financial and healthcare regulators increasingly expect strong authentication methods as part of compliance obligations.

Five Steps for Business Leaders

1. Audit Your Current MFA

Identify how users are authenticating. Are you using SMS, push notifications, app-based codes, or security keys? Review login methods across email, VPN, remote access, and internal applications.

2. Upgrade to Phishing‑Resistant Methods

Start with your most privileged accounts—executives, finance, and IT administrators. Implement FIDO2-based hardware tokens or certificate-backed smart cards that validate both user identity and device integrity.

3. Confirm Requirements with Your Insurance Provider

Talk directly with your broker or carrier. Ask for a list of MFA methods that meet current underwriting standards and get confirmation in writing where possible.

4. Train Your Staff

Phishing-resistant MFA only works if it’s understood and used correctly. Provide step-by-step training for security key use and make adoption easy across departments.

5. Monitor and Report Compliance

Keep records of your MFA rollout, including coverage by user group and authentication method. This information may be required during insurance renewals or audits.

Helpful Resources

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers guidance on phishing-resistant MFA. Learn more from their official publication here:
Implementing Phishing-Resistant MFA (CISA).

Where Cost+ Can Help

Cost+ helps businesses meet the latest Security+ standards required by insurers. We assess existing MFA, implement compliant solutions, and document everything to help you secure coverage at the best possible rate.

Bottom Line

If your company still relies on SMS or app-based MFA, it may no longer meet the MFA requirements for cyber insurance. Upgrading to phishing-resistant MFA isn’t just smart—it could be essential to keeping your business protected and insured.

By Thomas McDonald
Vice President

2025-06-21T21:53:21-05:00 | July 18, 2025

Executive Brief: Planning for Power Outages and Grid Instability

As extreme weather, aging infrastructure, and rising energy demands continue to strain the U.S. power grid, businesses face increasing risks of unexpected outages and rolling blackouts. For many organizations, even a short disruption can lead to significant financial losses, reputational harm, and operational chaos. This brief outlines why executives should prioritize power contingency planning, what questions to ask IT and facilities teams, and how to build a resilient business strategy in the face of grid instability. For related guidance, see our Executive Brief on backup testing and validation.


The Growing Challenge of Grid Reliability

Power reliability has become a growing concern for organizations of all sizes. According to the U.S. Department of Energy, demand for electricity is outpacing upgrades to transmission infrastructure in several regions, increasing the likelihood of grid stress during peak periods. Summer heatwaves, winter storms, wildfires, and cyberattacks have all contributed to a noticeable uptick in outages over the past five years.

For businesses, the impact can be significant: lost sales, halted production, data loss, and damaged customer trust. Yet many executives assume that power contingency planning is purely a facilities or IT responsibility, rather than a boardroom priority. Engaging your Recovery+ team early can help close this gap.

Why Executives Need to Lead

While operational teams handle day-to-day technical details, executives are ultimately responsible for ensuring the organization can meet its obligations — to customers, partners, and regulators — even during adverse events. Without top-down leadership, power contingency plans often remain incomplete, untested, or underfunded.

Leadership should focus on three core goals:

  • Uptime: Keep critical systems online, even if at reduced capacity.
  • Safety: Protect employees and customers during disruptions.
  • Continuity: Maintain communications, data integrity, and core operations.

What Questions to Ask Your Teams

Executives don’t need to be electrical engineers or IT architects to lead effectively. Instead, they should ask the right questions to ensure accountability and clarity:

  • Do we have an updated power contingency plan that includes IT, facilities, and key business functions?
  • Which of our systems and operations are mission-critical, and what level of backup power do they require?
  • Have we tested our uninterruptible power supplies (UPS) and generators within the last six months?
  • Do we have vendor relationships in place for emergency fuel, generator rental, or co-location if our main site is offline?
  • Are our backup and recovery processes resilient to a sudden outage in the middle of business hours?
  • Do employees know who to contact and what procedures to follow during an outage?

Simply asking these questions — and demanding clear answers — can uncover vulnerabilities and motivate proactive improvements. For help with structured policies and audits, consult our Security+ services.

Key Elements of a Resilient Strategy

Here are some specific components your team should consider as part of a robust power contingency plan:

Invest in Backup Power

At a minimum, critical systems such as servers, network equipment, and emergency lighting should be connected to UPS systems capable of bridging short outages or providing enough time to shut down gracefully. For longer outages, diesel or natural gas generators are often the best solution — but they require regular maintenance and fuel contracts to remain reliable.

Identify Tiered Priorities

Not every system needs to stay online during an outage. Work with IT and operations teams to map out which systems are truly critical, which can operate in reduced mode, and which can pause safely. This helps optimize the use of limited backup power resources. For more insight, see our Recovery+ page.

Test and Review Regularly

Even a well-designed plan can fail if not regularly tested. Conduct at least annual — and ideally quarterly — simulated outages to verify equipment, employee readiness, and communication channels. Capture lessons learned after each exercise and update plans accordingly.

Plan Beyond IT

Power planning is not just about data centers and computers. Consider HVAC for employee comfort and safety, emergency lighting, security systems, refrigeration (if applicable), and customer-facing systems such as point-of-sale. A holistic approach ensures nothing is overlooked. Partnering with Support+ can help align facilities and technology priorities.

Don’t Wait for a Crisis

Power disruptions rarely announce themselves in advance. By the time a storm hits or the grid operator issues a blackout warning, it’s often too late to react effectively. Leaders who invest in planning now not only reduce risk but also strengthen customer confidence and organizational resilience.

As the Department of Energy’s summer reliability assessment makes clear, outages are no longer rare, isolated events. They are becoming part of the business environment — and executives who treat them as such are far better positioned to maintain competitive advantage during disruption.

Final Thoughts

Power outages and grid instability may seem like operational issues, but they have strategic consequences. Executive oversight is crucial to ensure plans are comprehensive, tested, and aligned with organizational goals. By asking the right questions and insisting on accountability, business leaders can ensure their organizations remain resilient — no matter what happens to the grid.

For more insight into national power grid risks, see the U.S. Department of Energy’s 2024–2025 Reliability Assessment.

2025-07-10T22:41:07-05:00 | July 10, 2025

The Business Risk of Not Testing Your Backups—Before Hurricane Season Peaks

With Atlantic hurricane season officially running from June 1 through November 30[¹], now is the time to audit your backup testing for business continuity. Without routine backup testing, companies risk extended downtime, data corruption, and regulatory fallout when disaster strikes.


Why Summer Is Your Deadline

NOAA confirms the Atlantic hurricane season spans June 1 to November 30, with peak activity typically in late August through September[¹]. That gives businesses a narrow window to confirm backups are working—and recoverable—before systems are threatened by storms.

Risks of Untested Backups

  • Silent failures: Corrupt files, misconfigured snapshots, or incomplete backups may go unnoticed until it’s too late.
  • Recovery paralysis: Teams can’t restore critical systems efficiently without tested recovery plans.
  • Compliance fines: Regulations (e.g., HIPAA, PCI, SOX) often require periodic backup validation. Failure can result in penalties or audit failures.
  • RFQ fallout: In procurement or insurance processes, proof of backup testing can be a decisive factor.

Four Steps to Effective Backup Testing

1. Inventory & Prioritize Data

List all data types (databases, documents, virtual machines, configurations). Assign priorities based on RTO/RPO needs.

2. Test Full Restores Quarterly

Perform a full restore for a subset of critical systems at least once per quarter. Verify end-to-end integrity—files open, services start, user access confirmed.

3. Simulate Disaster Scenarios

Conduct tabletop and live failover drills. Document recovery steps and spot gaps in roles, permissions, or infrastructure.

4. Automate Monitoring & Reporting

Use automation tools to flag backup failures or missed schedules. Maintain audit logs and quarterly reports for governance reviews.
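As an added example (not Cost+ or Recovery+ tooling), the script below ties step 1 to step 4: it reads a backup log and flags every job whose last successful run is older than the RPO assigned to it in the inventory, or whose latest run failed. The inventory, the log lines and the log format (timestamp, job name, result) are constructed assumptions; adapt the parser to your backup tool’s real output.

```python
"""Flag backup jobs that breach their RPO or whose latest run failed.

Added example, not Cost+ or Recovery+ code. Inventory and log lines are
constructed; the log format is an assumption.
"""
from datetime import datetime

# Step 1 output: datasets with the RPO assigned to each (hours).
INVENTORY = {
    "finance-db": 4,      # tier 1: lose at most 4 hours of data
    "fileshare": 24,      # tier 2: daily is acceptable
    "vm-templates": 168,  # tier 3: weekly is fine
}

# Constructed sample log: "<ISO timestamp> <job> <SUCCESS|FAILED>"
SAMPLE_LOG = """\
2025-07-09T02:00:00Z finance-db SUCCESS
2025-07-09T06:00:00Z finance-db SUCCESS
2025-07-09T10:00:00Z finance-db FAILED
2025-07-08T23:00:00Z fileshare SUCCESS
2025-07-09T11:00:00Z fileshare FAILED
"""

def parse_ts(text):
    """Parse an ISO 8601 timestamp (with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_log(text):
    """Return a list of (timestamp, job, result) tuples; malformed lines are skipped."""
    runs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        runs.append((parse_ts(parts[0]), parts[1], parts[2]))
    return runs

def check_rpo(inventory, runs, now):
    """Return {job: finding} for every inventoried job that needs attention."""
    findings = {}
    for job, rpo_hours in inventory.items():
        job_runs = sorted(r for r in runs if r[1] == job)
        successes = [r for r in job_runs if r[2] == "SUCCESS"]
        if not job_runs:
            findings[job] = "no backup runs logged"
            continue
        if not successes:
            findings[job] = "no successful backup on record"
            continue
        hours = (now - successes[-1][0]).total_seconds() / 3600
        if hours > rpo_hours:
            findings[job] = f"last good backup {hours:.0f}h ago, RPO is {rpo_hours}h"
        elif job_runs[-1][2] != "SUCCESS":
            findings[job] = "latest run failed (still within RPO)"
    return findings

if __name__ == "__main__":
    for job, finding in check_rpo(INVENTORY, parse_log(SAMPLE_LOG),
                                  parse_ts("2025-07-10T00:00:00Z")).items():
        print(f"{job}: {finding}")
```

Jobs that are silent, failing or stale all surface in one report, which is the record a governance review or insurer will ask for.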

Expected ROI

The expense of backup testing is trivial compared to the cost of a data disaster—where downtime costs average $5,600/minute[²]. Tested backups help you recover within SLAs, reduce liability, and avoid reputational damage.

Need Support?

If your team lacks the time or tools to implement structured testing, Cost+ offers Recovery+—our fully managed backup validation and disaster readiness service.

Bottom Line

Demonstrating a culture of verified backups and recovery readiness is no longer optional—it’s a business imperative entering hurricane peak months. A proactive backup-testing initiative for business continuity today can prevent catastrophic delays and compliance breaches tomorrow.

[¹] NOAA: Atlantic hurricane season runs June 1 to November 30, peaking late Aug–Sep.
[²] Cost of downtime sourced from industry averages (~$5.6K/minute).

2025-06-21T18:37:53-05:00 | June 23, 2025

The Business Leader’s Guide to Zero Trust Architecture

Traditional perimeter-based security models—like firewalls and VPNs—are no longer sufficient in today’s digital landscape. Organizations now rely on cloud apps, remote work setups, and extended third-party ecosystems, rendering old security strategies ineffective. This Zero Trust architecture guide is designed for business leaders, providing clarity on what Zero Trust means, why it matters, and how to implement it successfully.


What Is Zero Trust?

Zero Trust is a security philosophy that rejects implicit trust. Instead, every access request—whether from inside or outside the network—must be continuously authenticated, authorized, and monitored. Unlike traditional perimeter defenses, Zero Trust shifts protection to the identity, device, and data layers. The NIST Zero Trust Architecture guide outlines this strategy in detail.

Why It Matters Now

  • Remote and hybrid workforce: Employees are using diverse devices and networks, far beyond corporate boundaries.
  • Rising cyber threats: Ransomware, business email compromise, and supply chain attacks exploit trust in internal systems.
  • Compliance demands: Regulations increasingly mandate least-privileged access and continuous verification.

Core Principles of Zero Trust

  • Identity: Strong authentication using single sign-on (SSO), multi-factor authentication (MFA), and identity governance.
  • Device Security: Ensuring only trusted, compliant devices can connect.
  • Least‑Privilege Access: Granting users only the permissions they need—no more.
  • Microsegmentation: Dividing networks into zones so breaches are contained.
  • Continuous Monitoring: Ongoing auditing and real-time analysis of access events.

Business Use Cases & Scenarios

  • Remote Access: Zero Trust Network Access (ZTNA) replaces traditional VPNs for secure remote work.
  • Vendor Collaboration: Grant external users limited, conditional access to sensitive systems.
  • Cloud App Security: Enforce identity-based controls on SaaS apps and APIs.
  • Regulated Industries: Detailed access records meet PCI-DSS, HIPAA, and financial compliance standards.

Roadmap to Zero Trust Implementation

  1. Start with an Assessment: Use a maturity framework such as the CISA Zero Trust Maturity Model to evaluate your organization’s current position.
  2. Establish Quick Wins: Start with high-impact basics: enforce MFA, enable device compliance, deploy SSO, and pilot ZTNA.
  3. Define Your Access Policies: Create granular rules specifying who can access what resources, under which conditions.
  4. Roll Out in Phases:
    • Phase 1: Identity and device verification
    • Phase 2: Network segmentation and application control
    • Phase 3: Monitoring, database protection, and automation
  5. Track Progress with Metrics: Monitor improvements in blocked breaches, abnormal access attempts, and policy compliance.
  6. Maintain and Adapt: Zero Trust isn’t a one-time project. Policies, tools, and reviews must evolve with threats and business growth.

Technology & Tool Landscape

Zero Trust requires integrated layers of protection:

  • IAM platforms: Okta, Microsoft Entra
  • MFA solutions: FIDO2 keys, app-based authenticators
  • ZTNA gateways: Cloudflare, Palo Alto Prisma
  • Microsegmentation tools: VMware NSX, Illumio
  • SIEM platforms: Splunk, Azure Sentinel

Select solutions that integrate with your identity, cloud, and endpoint architecture.

Common Pitfalls & How to Avoid Them

  • Treating Zero Trust as a product instead of a long-term strategy
  • Lacking policy clarity before implementation
  • Ignoring employee experience and adoption barriers
  • Failing to update protections as new risks emerge

Where Cost+ Fits In

Cost+ helps businesses implement Zero Trust principles through tailored services:

  • Support+ – IT help desk and infrastructure support
  • Security+ – Endpoint protection, monitoring, and email security
  • Compliance+ – Consulting to meet HIPAA, SOX, PCI, and other mandates

Our team aligns Zero Trust adoption with your risk profile and business goals.

Conclusion

Zero Trust is no longer optional—it’s foundational to securing modern organizations. By adopting a strategy that includes strong identity, device validation, segmentation, and continuous monitoring, business leaders can dramatically reduce risk and improve resilience. Use this Zero Trust architecture guide to assess your readiness, implement smart protections, and create a more secure future for your organization.

By Gregory McDonald

2025-06-21T19:11:43-05:00 | June 21, 2025

Domain Hijacking Protection: What Business Leaders Must Know

Domain names are the cornerstone of any online business. Yet domain hijacking—when attackers steal control of your domain—can happen suddenly, disrupting email, website access, and brand reputation. Protecting your domain with effective domain hijacking protection strategies is essential, not optional.


What Is Domain Hijacking?

Domain hijacking occurs when unauthorized parties gain control of a domain by changing DNS settings or transferring registration without the owner’s consent. This can happen through compromised registrar accounts, phishing, or expired domains. Attackers then redirect websites or email, host malware, or hold domains for ransom. Recovery is often difficult and slow.

Why It Matters for Business Leaders

It’s not only small brands at risk. Even major domains—like “sex.com,” “Perl.com,” and various TLDs—have fallen victim. When your domain is stolen, you lose your web presence, interrupt customer access, and can incur serious legal or financial penalties.

Core Domain Hijacking Protection Steps

  • Enable 2FA on your registrar account — protect against password theft.
  • Activate registrar (client) lock — prevents unauthorized transfers.
  • Use WHOIS privacy — hides public contact info and prevents social engineering attacks.
  • Monitor domain expiry — set auto-renew and backup payment methods to avoid expiration.

Best Practices for Business Leaders

1. Choose a Trustworthy Registrar

Pick ICANN-accredited registrars with strong security policies, 24/7 support, and clear dispute resolution. Quality matters more than cost.

2. Secure Your Account

Implement strong, unique passwords and 2FA via security keys (e.g., FIDO2). Avoid SMS-based codes, which can be intercepted or SIM-swapped.

3. Lock and Monitor Domain Transfers

Registrar lock must be enabled on every domain. Receive email alerts for any changes. Set up internal approval processes before transfers.

4. Encrypt Registrar Emails and Admin Access

Confirm your domain admin contact uses secure email and retrieval methods. Attackers often target account recovery emails first.

5. Plan for Recovery Now

If hijacking occurs, act fast. Contact your registrar, then escalate to ICANN, UDRP, or legal channels. Even fast action can take weeks, so prevention is key.
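The registrar-lock and expiry checks above can be automated. As an added example (not Cost+ code), the script below audits a set of domain records for the three EPP client locks that registrar lock sets and for expiration dates inside a warning window. The records are constructed in the shape of RDAP domain responses (RFC 9083, with EPP status codes spelled as in RFC 8056); feeding it real RDAP lookups is an assumption left to the reader.

```python
"""Audit registrar-lock status and expiry dates for a list of domains.

Added example, not Cost+ code. SAMPLE_RECORDS is constructed in the
shape of RDAP domain responses; replace it with real lookups when adapting.
"""
from datetime import datetime, timedelta, timezone

# EPP lock codes that registrar (client) lock sets, in RDAP spelling (RFC 8056).
REQUIRED_LOCKS = {"client transfer prohibited", "client update prohibited",
                  "client delete prohibited"}

# Constructed sample records, not real lookups.
SAMPLE_RECORDS = [
    {"ldhName": "example.com",
     "status": ["client transfer prohibited", "client update prohibited",
                "client delete prohibited"],
     "events": [{"eventAction": "expiration",
                 "eventDate": "2026-12-01T00:00:00Z"}]},
    {"ldhName": "example.net",
     "status": ["active"],
     "events": [{"eventAction": "expiration",
                 "eventDate": "2025-08-01T00:00:00Z"}]},
]

def parse_ts(text):
    """Parse an RDAP/ISO 8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def expiry_of(record):
    """Return the domain's expiration date, or None if the record lacks one."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return parse_ts(event["eventDate"])
    return None

def audit_domain(record, now, warn_days=60):
    """Findings for one record: missing locks, then missing or imminent expiry."""
    findings = []
    missing = REQUIRED_LOCKS - set(record.get("status", []))
    if missing:
        findings.append("missing lock: " + ", ".join(sorted(missing)))
    expiry = expiry_of(record)
    if expiry is None:
        findings.append("no expiration date on record")
    elif expiry - now <= timedelta(days=warn_days):
        findings.append(f"expires {expiry.date()} (within {warn_days} days)")
    return findings

def audit_all(records, now, warn_days=60):
    """Map domain name -> findings; an empty list means nothing to flag."""
    return {r["ldhName"]: audit_domain(r, now, warn_days) for r in records}

if __name__ == "__main__":
    report = audit_all(SAMPLE_RECORDS, datetime.now(timezone.utc))
    for name, issues in report.items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it on a schedule and route any non-empty finding to the internal approval owners named in step 3, so an unlocked or lapsing domain is noticed before a transfer request is.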

Real-World Examples

  • In 2000, *WhoAmI.com* was stolen via a phished Network Solutions account and took days to recover.
  • The “Sea Turtle” campaign in 2019 hijacked national-level DNS, prompting U.S. warnings.

Useful References

SecurityScorecard explains domain hijacking tactics and prevention strategies here:
What Is Domain Hijacking and How to Prevent It

Where Cost+ Helps You Stay Secure

Cost+ supports businesses with **Security+**, including registrar reviews, multi-domain monitoring, auto-renew setups, and recovery processes—preventing domain hijacking before it impacts your brand.

Bottom Line

Domain hijacking protection is an essential part of modern risk management. Don’t wait for a breach to act—secure your registrar account, enable locking, and prepare a recovery plan to protect your domain and brand.

By Thomas McDonald
Vice President

2025-06-21T20:29:27-05:00 | June 20, 2025