Insurers and regulators are turning their attention to what we might call the "identity posture" of companies: how they manage passwords, privileged accounts and authentication mechanisms. This is no surprise: according to the IBM Threat Intelligence Index 2025, one in three intrusions goes through compromised employee accounts. That has made identity management a key factor in assessing cyber risk and setting insurance premiums.
The economic context gives no room for complacency. The overall average cost of a data breach remains very high (IBM puts the figure at around $4.4 million for 2025) and many organizations are looking for policies that transfer part of that risk (IBM Cost of a Data Breach Report). In countries such as the United Kingdom, access to coverage has grown in recent years, but at the same time insurers are tightening their requirements: where it used to be enough to show basic controls, evidence of continuous and effective practices is now demanded (Cyber Security Breaches Survey 2025).

Why does identity weigh so heavily in policy underwriting? The answer is simple and technical at the same time: most effective attacks begin by obtaining valid credentials. From that foothold an attacker can escalate privileges, move laterally and, if the defenses are weak, maintain persistence. For an insurer, good identity governance reduces the likelihood that a single initial access will trigger a catastrophe that ends in a multimillion claim.
When evaluators review an organization, they pay attention to practical and measurable issues. Password hygiene remains relevant because, despite the rise of MFA and passwordless initiatives, much authentication still depends on credentials. The problem appears when passwords are reused across critical accounts, when legacy protocols make credential theft easier, when inactive accounts retain access, or when service accounts have passwords that never expire. The shared use of administrative credentials is also a concern: it makes traceability difficult and multiplies the impact of a single stolen credential.
Another critical area is the management of privileges. High-privilege accounts, whether domain administrators, cloud administrators or service accounts with elevated rights, are often over-assigned and outside central control. If an attacker can turn an ordinary account into an administrator in a few moves, the risk soars and the premiums will reflect it. This is why underwriters review the composition of administrative groups, the existence of overlapping privileges, and the logging and monitoring coverage of these accounts. In environments with Active Directory and cloud services, tools that detect inactive accounts or over-assigned roles help demonstrate that the organization controls its privilege perimeter; Microsoft, for example, offers guidance on modernising authentication and reducing dependence on legacy protocols (Microsoft: disable legacy authentication).
The effective coverage and enforcement of MFA (multifactor authentication) has become a recurring requirement. It is not enough to declare that MFA has been deployed: insurers look for evidence of enforcement covering remote access, e-mail, administrators and critical paths. Exceptions, non-interactive accounts or legacy protocols that bypass the second factor create shortcuts that attackers exploit once they hold initial credentials. On this point the US technical guidance is instructive: NIST SP 800-63B contains recommendations on modern authentication that many risk assessments use as a reference.
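The three preceding paragraphs list the indicators evaluators look for (reused and never-expiring passwords, inactive accounts, shared administrative credentials, legacy protocols, and MFA gaps on privileged and remote-access accounts). The following script, an added example and not code from the article or from any tool it mentions, turns those indicators into rules over account records and derives the summary metrics an underwriter would ask for. The record fields, the privileged group names, the 90-day inactivity threshold and the sample accounts are all assumptions; in practice the records would come from an export of the directory or identity provider.

```python
"""Identity posture audit over a constructed directory export.

Added example (not from the article). It applies the checks the text lists
to account records and produces underwriting-style metrics. Field names,
thresholds and the sample accounts are assumptions; a real run would load
an export from the directory or identity provider.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    kind: str                        # "user", "service" or "shared"
    last_logon: Optional[datetime]   # None = never logged on
    pwd_never_expires: bool
    pwd_fingerprint: str             # opaque credential fingerprint; equal values = same password
    groups: List[str]
    mfa_enforced: bool
    legacy_auth_allowed: bool        # protocols that cannot carry a second factor
    remote_access: bool              # can reach VPN, webmail or other exposed interfaces


# Assumed names of the high-privilege groups in this directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
INACTIVE_AFTER = timedelta(days=90)   # assumed inactivity threshold


def is_privileged(acct: Account) -> bool:
    return any(g in PRIVILEGED_GROUPS for g in acct.groups)


def audit(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Return {account name: [finding, ...]} for every account with at least one issue."""
    # Identical fingerprints across accounts reveal reuse without handling the password itself.
    reuse = Counter(a.pwd_fingerprint for a in accounts)
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        if a.last_logon is None or now - a.last_logon > INACTIVE_AFTER:
            issues.append("inactive")
        if a.pwd_never_expires:
            issues.append("password-never-expires")
        if reuse[a.pwd_fingerprint] > 1:
            issues.append("password-reused")
        if a.kind == "shared" and is_privileged(a):
            issues.append("shared-admin-credential")
        if a.legacy_auth_allowed:
            issues.append("legacy-auth-enabled")
        if (is_privileged(a) or a.remote_access) and not a.mfa_enforced:
            issues.append("mfa-gap")
        if issues:
            findings[a.name] = issues
    return findings


def metrics(accounts: List[Account], findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Summary numbers suitable for a questionnaire answer or a month-on-month trend."""
    privileged = [a for a in accounts if is_privileged(a)]
    with_mfa = sum(1 for a in privileged if a.mfa_enforced)
    return {
        "accounts": len(accounts),
        "accounts_with_findings": len(findings),
        "privileged_accounts": len(privileged),
        "privileged_mfa_coverage_pct": round(100 * with_mfa / len(privileged)) if privileged else 100,
        "inactive_privileged": sum(1 for a in privileged if "inactive" in findings.get(a.name, [])),
        "legacy_auth_accounts": sum(1 for a in accounts if a.legacy_auth_allowed),
    }


# Constructed sample export (not real accounts).
NOW = datetime(2025, 11, 1)
SAMPLE = [
    Account("alice", "user", NOW - timedelta(days=2), False, "fp-a1", ["Staff"], True, False, True),
    Account("bob", "user", NOW - timedelta(days=200), False, "fp-b2", ["Domain Admins"], False, False, False),
    Account("svc-backup", "service", NOW - timedelta(days=1), True, "fp-c3", ["Domain Admins"], False, True, False),
    Account("helpdesk-shared", "shared", NOW - timedelta(days=1), False, "fp-b2", ["Domain Admins"], True, False, True),
]

if __name__ == "__main__":
    found = audit(SAMPLE, NOW)
    for name, issues in found.items():
        print(f"{name}: {', '.join(issues)}")
    print(metrics(SAMPLE, found))
```

Running the script on the constructed sample flags three of the four accounts and reports privileged MFA coverage of 33%, which is exactly the kind of number that, tracked over successive audits, documents the progress the article says insurers value.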
Improving the identity posture is not a task with immediate effects or a matter of "flipping a switch"; it is a process of maturity. The good news: insurers often value documented progress as much as, or more than, a perfect configuration from day one. Starting to measure, audit and correct regularly signals intent and reduces the probability of surprises. Audit tools for Active Directory and cloud platforms make it possible to quantify password exposure, identify forgotten privileged accounts and demonstrate that robust authentication policies are applied.
Removing weak passwords and shared credentials is an operational priority. Adopting minimum standards, avoiding reuse in critical accounts and enforcing reasonable rotation reduces the surface that attackers can use after a leak. At the same time, documenting and auditing this work creates the evidence that insurers seek.
Applying MFA at all critical points should no longer be a recommendation but a standard: remote access, cloud management, corporate mail and any exposed interface that allows control of data or its exfiltration. It is not just a matter of deploying MFA, but of ensuring that it covers every relevant path and that exceptions are justified and controlled.
Reducing permanent privileged access through just-in-time models or temporary grants limits the window in which a compromised credential can do harm. Fewer always-active accounts with maximum permissions means less systemic risk, and therefore an argument for negotiating more favourable insurance conditions.

Reviewing and certifying permissions regularly is the most direct way to find orphan accounts, obsolete rights or members of administrative groups that should not be there. Routine access audits, with evidence of the corrections made, are currency in underwriting processes.
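The two preceding recommendations, just-in-time privilege and periodic access certification, can both be expressed over the same privilege-grant records. The script below is an added example, not code from the article or from any product: it computes how many principal-hours of privilege exist in a review window with standing grants versus time-bounded ones, and runs a certification pass that flags orphan principals, standing grants and expired grants that are still listed. The record layout, the staff list and the dates are constructed assumptions.

```python
"""Privileged-access exposure and certification over constructed grant records.

Added example (not from the article). Models just-in-time privilege versus
standing privilege and a periodic access review. Record fields, the staff
list and the dates are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class Grant:
    principal: str
    role: str
    start: datetime
    end: Optional[datetime]   # None = standing (permanent) privilege


def active_principals(grants: List[Grant], at: datetime) -> Set[str]:
    """Who holds the privilege at a given instant."""
    return {g.principal for g in grants
            if g.start <= at and (g.end is None or at < g.end)}


def exposure_hours(grants: List[Grant], window_start: datetime, window_end: datetime) -> float:
    """Principal-hours of privilege inside the window (each grant clipped to it)."""
    total = 0.0
    for g in grants:
        start = max(g.start, window_start)
        end = window_end if g.end is None else min(g.end, window_end)
        if end > start:
            total += (end - start).total_seconds() / 3600
    return total


def certify(grants: List[Grant], current_staff: Set[str], now: datetime) -> Dict[str, List[str]]:
    """Access-review findings per principal: orphan, standing or expired-but-still-listed."""
    findings: Dict[str, List[str]] = {}
    for g in grants:
        issues = []
        if g.principal not in current_staff:
            issues.append("orphan-principal")
        if g.end is None:
            issues.append("standing-privilege")
        elif g.end <= now:
            issues.append("expired-still-listed")
        if issues:
            findings.setdefault(g.principal, []).extend(issues)
    return findings


def without_standing(grants: List[Grant]) -> List[Grant]:
    """Grants that remain once every standing grant is replaced by JIT requests."""
    return [g for g in grants if g.end is not None]


# Constructed data: a 30-day review window (720 hours) and four grants.
W0 = datetime(2025, 11, 1)
W1 = datetime(2025, 12, 1)
STAFF = {"alice", "bob", "carol"}     # "dave" has left the organisation
GRANTS = [
    Grant("alice", "Domain Admins", datetime(2025, 1, 1), None),                                  # standing
    Grant("dave", "Domain Admins", datetime(2024, 6, 1), None),                                   # standing, orphan
    Grant("bob", "Domain Admins", datetime(2025, 11, 3, 9), datetime(2025, 11, 3, 13)),           # JIT, 4 h
    Grant("carol", "Domain Admins", datetime(2025, 11, 5, 10), datetime(2025, 11, 5, 12)),        # JIT, 2 h
]

if __name__ == "__main__":
    print("exposure with standing grants:", exposure_hours(GRANTS, W0, W1), "principal-hours")
    print("exposure with JIT only:", exposure_hours(without_standing(GRANTS), W0, W1), "principal-hours")
    print("active at 2025-11-03 10:00:", sorted(active_principals(GRANTS, datetime(2025, 11, 3, 10))))
    print("certification at window start:", certify(GRANTS, STAFF, W0))
    print("certification at window end:", certify(GRANTS, STAFF, W1))
```

On the constructed data the two standing grants account for 1440 of the 1446 privileged hours in the window; converting them to JIT requests leaves 6. The certification pass at the end of the window also reports the two expired JIT grants that were never removed, the kind of finding that, together with its correction, forms the audit trail the text describes.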
To demonstrate this work to insurers and auditors it is advisable to rely on standards and tools that generate metrics and traces. Agencies and projects such as OWASP have documented how credential-based attacks occur at scale, and guidance such as NIST's or vendors' recommendations help to design a coherent strategy. There are also commercial solutions that provide visibility into password exposure in Active Directory and help prioritize remediation; Specops Password Auditor, for example, is one of the tools used in Windows environments for that purpose.
At the end of the day, the message the insurance markets are sending is clear: identity management has ceased to be a purely operational matter and has become a fundamental criterion of financial risk. Organizations that want better insurance conditions should combine technical controls with continuous review processes and the ability to demonstrate that progress. It is not a fad: it is an adaptation to how adversaries attack today and how risk is valued by those who bear the financial responsibility when something goes wrong.