Why MFA is a Boardroom Issue, Not an IT One.

MFA gaps aren’t just an IT problem—they’re a boardroom risk. Learn how to spot exposed users, admins, and apps in minutes, not months.


On February 25, 2024, the City of Hamilton fell victim to a ransomware attack that brought nearly 80% of its IT operations to a standstill. As their network was encrypted, critical city services—from licensing and finance to traffic systems—were disabled. The ransom demand? A staggering C$18.5 million. They refused.

Still, by June 2025, the total recovery costs had reached C$18.3 million, funded entirely by taxpayers after their insurer denied the claim due to incomplete MFA implementation. (GlobalNews)

But what’s shocking isn’t the attack.

It’s that Hamilton didn’t qualify for cyber insurance—because their MFA enforcement wasn’t comprehensive across all systems. Not just Microsoft 365. Not just VPN access. Incomplete MFA was the insurance disqualifier. (CP 24)


Why MFA Isn't Just an IT Checkbox

🧾 Insurance exposure: Incomplete MFA can void policies and leave organizations footing the full bill.

💰 Financial fallout: Hamilton’s C$18.3M recovery cost had to be paid by taxpayers—no insurer payout.

Operational downtime: Licensing, fire department systems, and other vital city services went offline for weeks.

📉 Public confidence erosion: Residents were left without services and grew distrustful of leadership.

🏛️ Legal & political scrutiny: Failure to meet basic security requirements triggered investigations and blame at the highest levels.


MFA Gaps: The Invisible Business Risk

Still think MFA is an IT problem, not a business problem?

SaaS tools like Google Drive, Workday, Slack, or sales pipelines frequently lack enforced MFA even though they hold sensitive data. Attackers target these gaps, not just corporate mailboxes.

The result:

  • An MFA gap can disqualify insurance claims.
  • Orphaned identities and unchecked OAuth tokens remain active.
  • AI tools, SaaS plugins, and forgotten apps—without enforced MFA—become attack channels.

What Executives Should Ask

  • Are all identity-owned apps and cloud services covered by MFA—not just email and VPN?
  • Do we have visibility into legacy, unsanctioned, and third-party tools where MFA might be missing?
  • Can we prove MFA coverage today if the insurer or regulator comes knocking?

What Forward-Looking Teams Do Differently

Strong security leaders are changing the rules:


  • Enforce MFA beyond the basics: Coverage now extends to SaaS tools, integrations, and shadow apps—not just email or VPN.
  • 🔍 Maintain real-time identity visibility: Know exactly which users, tools, and tokens have access—and which are missing MFA.
  • 🚨 Catch posture drift immediately: If MFA is turned off or bypassed, the security team is alerted before it becomes an incident.
  • 📂 Have audit-ready evidence: Demonstrate comprehensive MFA coverage to meet insurer and regulator expectations.
  • 🛠 Use tools built for the modern perimeter: Platforms like FrontierZero continuously map user–app connections, flag risks, and surface blind spots in SaaS access.

Final Thoughts

MFA lapses aren’t just an IT oversight—they’re a major boardroom risk. From broken insurance coverage to multi-million-dollar recovery costs, incomplete protection in even one application can devastate operations, public trust, and financials.

In Hamilton’s case:

  • No ransom paid.
  • No insurance payout.
  • C$18.3M paid out anyway.

In 2025, it’s clear: multi-factor enforcement is a business imperative, not just a checkbox. It’s your strongest defense—and a board-level requirement for resilience.


🔒 See Every User Without MFA — in 15 Minutes

You don’t need a multi-week audit to know where your exposure is.

With FrontierZero, you can:

  • Spot users without MFA across all connected apps, from Google Workspace to Salesforce
  • Identify admin accounts without MFA, including dormant ones no one knew still had access
  • Highlight third-party tools connected via OAuth that bypass MFA entirely

Start your free trial and get real answers in under 15 minutes.
