Cyber insurance · renewal questionnaire

Your renewal asks if MFA covers all remote and administrative access. Does it — really?

Cyber insurers stopped accepting "we have Okta" as a yes. The renewal questionnaire asks, line by line, whether MFA is enforced on remote network access, on every administrative and privileged account, and on the systems that can't use your cloud IdP. Answer wrong and the policy is declined, surcharged, or quietly written with a coverage exclusion you only discover at claim time. The gap is almost always the same: domain logons, RDP, VPNs, firewalls, and Linux servers your SSO never touched. Authnull puts a factor on exactly those paths so you can answer every line truthfully.

Talk to a compliance engineer

At a glance

FrameworkCyber insurance renewal

Key controlsRemote · Privileged · Directory

Applies toAny org renewing a policy

TimingBefore you can bind

You walk away withA coverage report for your broker

Mapped to specific controls — not a generic MFA checklist.

The line that put you here

“Do you enforce multi-factor authentication for all remote access to your network, and for all administrative or privileged access to directory services, servers, and network infrastructure?”

— Representative cyber-insurance MFA attestation

These questions are scored, and a single "no" can move you to a higher premium tier or an exclusion. The honest answer hinges on the access paths underneath your IdP — which is exactly where Authnull operates.

Requirement mapping

Requirement → Authnull

Control	What it requires	How Authnull covers it	Status
Remote access	MFA on all remote access to the network (VPN, remote-desktop gateways).	RADIUS MFA in front of every VPN and firewall — FortiGate, AnyConnect, GlobalProtect and more — plus MFA on RDP gateways.	Covered
Privileged	MFA on all administrative and privileged accounts.	A factor on AD domain logon, Windows / RDP sign-in, and Linux SSH — including local and break-glass admin accounts.	Covered
Directory	MFA protecting access to directory services (Active Directory).	Authnull challenges at the domain-controller logon path itself, not just the application layer.	Covered
No bypass	MFA that can't be bypassed with a local or service credential.	Enforcement at AD, local Windows, and Linux PAM means there is no side door around the cloud IdP.	Covered

Why your IdP report isn't enough

The gap is always below the cloud login.

Your IdP already satisfies

Microsoft 365 / Google sign-in

SAML & OIDC web apps

What it leaves for the audit

AD domain logon

RDP & Windows servers

VPN, firewalls & network gear

Linux SSH

Authnull enforces MFA on every path on the right — at the directory, OS, and RADIUS layer — so the column that fails the audit becomes the column that passes it.

Evidence

What you hand the assessor.

Coverage report

A one-page export of which access paths enforce MFA — paste it into the questionnaire or hand it to your broker.

Per-login records

Every challenge logged with user, system, factor and result — proof the control is live, not just configured.

Live before renewal

Agentless RADIUS and AD integration go live in days, so you can attest truthfully before the binder deadline.

Answer every MFA line on the renewal with a yes.

Stand up MFA on remote and privileged access this week, then export the coverage report for your broker. Start free, or walk the questionnaire with us in 20 minutes.

Talk to a compliance engineer

Other deadlines we cover

All compliance pages

PCI DSS v4.08.4.2 · 8.4.1 · 8.4.3 · 8.5.1 CMMC 2.0 Level 2IA.L2-3.5.3 · 3.5.4 · AC.L2-3.1.12 HIPAA Security Rule§164.312(d) · 312(a)(2)(i) · 308(a)(4)NIS2 DirectiveArt. 21(2)(j) · 21(2)(d) · Art. 20 SOC 2 Type IICC6.1 · CC6.6 · CC6.7