The lede: No bill mandates that a 40-person accounting firm in Ohio deploy multi-factor authentication or segment its network. But its insurance carrier does — and without that carrier's signature, the firm can't get bound, renewed, or paid out after a ransomware hit. Since 2023, at least 25 states have adopted versions of the NAIC's Insurance Data Security Model Law (MDL-668), pushing insurers to demand "effective controls, which may include Multi-Factor Authentication" as a condition of doing business. Carriers such as Chubb, and broker-run programs such as Marsh's, have gone further, building underwriting questionnaires that explicitly probe for zero-trust segmentation, privileged-access management, and phishing-resistant MFA on admin accounts — and declining or repricing coverage when the answer is no. This is regulation by proxy: state insurance commissioners set the floor, carriers translate it into binary bindability questions, and small and mid-size businesses that no federal cyber law has ever reached suddenly face a hard deadline to buy identity and zero-trust tooling or go uninsured. Treasury's Federal Insurance Office has been formally studying this exact intersection of catastrophic cyber risk and insurance-market behavior since 2022.

Who cashes in:

  • OKTA — Okta is the purest identity play in the group, and MFA/SSO enforcement across "all privileged and admin accounts" is now the single most common line item on carrier underwriting checklists. Insurers don't care which vendor a client uses, but Okta's dominant share of the SMB/mid-market identity market means it captures an outsized share of insurance-driven forced upgrades from basic password hygiene to enforced, auditable MFA.
  • ZS (Zscaler) — Zero Trust Network Access is now an explicit underwriting term of art, cited by name in Marsh and Chubb underwriting conversations. Zscaler built its entire product category around replacing flat, unsegmented VPN access with cloud-brokered, least-privilege segmentation — precisely the architecture insurers are asking applicants to prove exists before they'll write a policy.
  • CRWD (CrowdStrike) — Underwriters increasingly demand EDR deployment and "evidence" (logs, screenshots, live demos) that endpoint detection is actually running, not just licensed. CrowdStrike's Falcon platform is the most commonly named EDR brand in insurer control checklists, giving it a recurring seat at the bindability table alongside identity vendors.
  • PANW (Palo Alto Networks) — Palo Alto's Prisma Access and SASE bundle let mid-market IT teams check the "zero trust segmentation" and "privileged access" boxes in one procurement motion, positioning it as a consolidation winner as insurance-driven buyers look for fewer vendors, not more.