The insurance data CISOs can take to the board: misconfigured MFA loses more than no MFA at all
Resilience's manufacturing cyber-insurance claims data shows misconfigured MFA drove 26% of losses — more than triple the loss from no MFA at all. Three numbers CISOs can take to the board.
Resilience — a US cyber-insurance and risk-consultancy firm — has published an analysis of its manufacturing claims portfolio from March 2021 through February 2026, synthesised with public threat-intelligence from IBM X-Force and KELA. SecurityWeek covered it yesterday. The dataset is sector-narrow (one carrier’s book, manufacturing only) but the failure-mode rankings inside it are the kind of numbers a CISO can put in front of a CFO without translation.
Three numbers to take into the next budget conversation.
26% of losses came from misconfigured MFA. Eight per cent came from no MFA at all. That ratio — misconfigured MFA losing more than three times as much money as missing MFA — is the most counter-intuitive finding in the report, and the one most worth carrying into a board meeting. The single largest loss in the entire portfolio, a ransomware attack attributed to BlackCat, was directly enabled by a misconfigured MFA deployment. The implication for any organisation that has already done the MFA-rollout victory lap: MFA is not a project that finishes, it is a control that needs continuous validation. Resilience’s recommendation reads like a checklist — audit existing deployments, eliminate bypass conditions, validate enforcement across all accounts, configure conditional access policies properly. None of that is news. The news is that someone has now put a price on getting it wrong.
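The "validate enforcement across all accounts, eliminate bypass conditions" item is the one that can be checked mechanically rather than by policy review. The following is an added example, not code from Resilience or from the report: a small audit that runs over a constructed identity inventory (made-up accounts, groups and conditional-access-style policies, with an assumed `ALL_USERS` sentinel for an everyone-scope) and reports the common ways a deployed MFA policy fails to actually enforce anything: accounts with no registered method, accounts explicitly excluded from the enforcing policy, policies left in report-only mode, and legacy authentication that is never made to prompt. Real tenants would be exported from the identity provider into the same shape.

```python
from dataclasses import dataclass

ALL_USERS = "ALL_USERS"  # constructed sentinel: policy include scope of "everyone"


@dataclass(frozen=True)
class Account:
    upn: str
    groups: frozenset
    mfa_enrolled: bool        # has at least one MFA method registered
    privileged: bool = False  # admin, finance approver, etc.


@dataclass(frozen=True)
class Policy:
    name: str
    state: str                 # "enabled" | "report_only" | "disabled"
    require_mfa: bool
    include_groups: frozenset
    exclude_users: frozenset = frozenset()
    block_legacy_auth: bool = False


def policy_enforces_mfa(policy: Policy, account: Account) -> bool:
    """True only if an *enabled* MFA-requiring policy really applies to this account."""
    if policy.state != "enabled" or not policy.require_mfa:
        return False
    if account.upn in policy.exclude_users:
        return False
    if ALL_USERS in policy.include_groups:
        return True
    return bool(policy.include_groups & account.groups)


def audit_mfa(accounts, policies):
    """Return {subject: [finding, ...]} for every bypass condition detected.

    Tenant-wide findings are keyed "_tenant"; per-account findings by UPN.
    """
    findings = {}

    def add(subject, msg):
        findings.setdefault(subject, []).append(msg)

    # Tenant-wide conditions: a policy that only logs, or a missing legacy-auth block
    for p in policies:
        if p.require_mfa and p.state == "report_only":
            add("_tenant", f"MFA policy '{p.name}' is report-only: it logs, it does not enforce")
    if not any(p.state == "enabled" and p.block_legacy_auth for p in policies):
        add("_tenant", "legacy authentication is not blocked: protocols that never prompt "
                       "for a second factor sidestep every MFA policy")

    # Per-account conditions
    for a in accounts:
        if not a.mfa_enrolled:
            add(a.upn, "no MFA method registered")
        if not any(policy_enforces_mfa(p, a) for p in policies):
            add(a.upn, "no enabled policy requires MFA for this account")
        for p in policies:
            if p.require_mfa and p.state == "enabled" and a.upn in p.exclude_users:
                add(a.upn, f"explicitly excluded from MFA policy '{p.name}'")
        # Checked last so it reflects the findings already recorded for this account
        if a.privileged and a.upn in findings:
            add(a.upn, "privileged account with an MFA gap: highest priority to fix")
    return findings


def run_sample_audit():
    """Constructed inventory (not real tenant data) showing each bypass condition."""
    policies = [
        Policy("Require MFA for all users", "enabled", require_mfa=True,
               include_groups=frozenset({ALL_USERS}),
               # The classic gap: exclusions added "temporarily" and never removed
               exclude_users=frozenset({"cfo@example.com", "svc-backup@example.com"})),
        Policy("Block legacy auth", "report_only", require_mfa=False,
               include_groups=frozenset({ALL_USERS}), block_legacy_auth=True),
    ]
    accounts = [
        Account("alice@example.com", frozenset({"Staff"}), mfa_enrolled=True),
        Account("bob@example.com", frozenset({"Staff"}), mfa_enrolled=False),
        Account("cfo@example.com", frozenset({"Finance"}), mfa_enrolled=True, privileged=True),
        Account("svc-backup@example.com", frozenset(), mfa_enrolled=False),
    ]
    return audit_mfa(accounts, policies)


if __name__ == "__main__":
    for subject, msgs in run_sample_audit().items():
        for m in msgs:
            print(f"{subject}: {m}")
```

In the sample, the one account that passes cleanly is the ordinary staff user covered by the enabled policy; the CFO is enrolled in MFA and would show as "MFA: yes" on a rollout dashboard, yet is excluded from the only policy that enforces it, which is exactly the "deployed but not enforced" state the claims data prices. The point of keying tenant-level findings separately is that a report-only legacy-auth block undermines every per-account result at once, so it belongs at the top of the remediation list rather than being repeated per user.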
Ransomware is 12% of claims and 90% of losses. This is the rare-but-catastrophic shape that maps cleanly onto how risk officers actually think. Most of what the security team responds to in a year does not move the financial-loss number. The thing that does, when it lands, is ransomware — and in manufacturing especially, where downtime is the loss. The 12/90 split is the case for over-investing in ransomware containment and recovery relative to claim frequency. It is the answer to “we have not had one in two years, why are we still spending on it” — because the one you do have will cost more than everything you have ever paid out put together.
13% of losses came from software vulnerability exploits. The smaller of the three numbers, but Resilience’s recommendation is the part to dwell on: where rapid patching is not viable, “compensating controls including network isolation, virtual patching, and enhanced monitoring of vulnerable systems.” That is a vendor-neutral way of saying that the organisations losing money to exploits are the ones running unpatched systems on flat networks where one compromised host has line of sight to everything else. The fix is not heroic patching velocity. The fix is admitting which systems will not be patched on time and putting boundaries around them.
A fourth number worth flagging because it does not fit the ransomware narrative: transfer fraud and business email compromise together account for 30% of all claims. Per-incident loss is much smaller than ransomware, but the frequency means BEC is what most insureds are actually filing for. The control set Resilience recommends here is the one that has been recommended for a decade and is still patchily implemented — out-of-band confirmation for payment-detail changes, dual authorisation for large transactions, and targeted phishing training for finance and accounts teams. The persistence of the recommendation is the point. The controls work, organisations keep not doing them, and a meaningful fraction of every claims book is still BEC.
Caveat the analysis honestly when you put it in front of the board. The dataset is one carrier’s manufacturing portfolio over five years. Resilience sells insurance, decision support and consultancy, and the recommendations skew toward the products Resilience sells. The headline numbers will look different inside financial services, healthcare or retail, where the loss profile is shaped by data-breach exposure and regulatory fines as much as by operational downtime. But the underlying framing — that insurance claims are the only dataset in cybersecurity that comes pre-translated into pounds and pence — is sound. CFOs read claims data. The threat-intel deck never quite makes the same impression.