
Cyber Insurance 2026: MFA and Training Requirements
In 2026, no MFA can mean no coverage, and underwriters now want documented awareness training and phishing simulations too. Here is what insurers look for and how to evidence it.
Security awareness tips, industry news, and product updates.

In 2026, no MFA can mean no coverage, and underwriters now want documented awareness training and phishing simulations too. Here is what insurers look for and how to evidence it.

Reused passwords plus breached credentials are the fuel behind account takeover. Here is how to roll out password managers and build credential hygiene that actually holds across your organization.

ShinyHunters' May 2026 breach of the Canvas LMS exposed data tied to thousands of schools and hundreds of millions of users. Here is why education is a prime target and how awareness training reduces the risk.

Qilin led ransomware activity in early 2026 as groups shift from encryption to pure data extortion. The constant across nearly every attack is the human layer. Here is what CISOs should do.

Compromised browser extensions are quietly stealing session cookies and tokens - and stolen sessions sail right past passwords and MFA. Here's why attackers are living in the browser, and how to govern extensions.

Consent phishing tricks users into approving a malicious OAuth app — granting attackers token-based access to mail and files without ever touching a password or triggering MFA. Here is how it works and how to shut it down.

Scattered Spider doesn't hack your MFA — it calls your help desk and talks an agent into resetting it. Here's how help desk social engineering works and how to lock the door.

Passwords and even push-based MFA keep falling to phishing. Passkeys close the door structurally because there is no shared secret to steal. Here is why they work and how to roll them out.

The FBI is warning about Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass MFA. Here's how the attack works and how to defend your organization.

Device code phishing is spreading through criminal toolkits and phishing-as-a-service offerings. Here is how the Microsoft 365 attack works and what teams should do next.

Microsoft is warning US organizations about a sophisticated code-of-conduct phishing campaign using PDFs, CAPTCHA gates, and AiTM token theft. Here is what security teams should watch for next.

A new campaign abused Google AppSheet emails to steal Facebook business accounts at scale. Here is what your team should watch for and how empowsec helps build the right response habits.