When we renewed our cyber insurance back in June, we were required to implement 2FA for all of our O365 accounts, our VPN, and our AS/400. Last year, they had only required 2FA for our Admin accounts in O365. In previous years, there hadn't really been any such requirements, other than checking the right boxes and using the right words in the yearly 8-page cyber-security audit.
The Director is the one who deals directly with this, not me, but I definitely got the feeling that the cyber-insurance provider is no longer playing the odds on "they might not be hit by cyber crooks", and is instead working from the position of "they're going to be hit, we must force them to minimize their vulnerability surface to lower our payout rate".
They were a bit unrealistic in their implementation timeline requirements - we were told of the 2FA requirement in late May, with them expecting full compliance by June 30. We didn't hit that day, nor the July 30 extension. In fact, we are just now finishing up enabling it for the O365 accounts. We were going to go with RSA's Authorization Manager, but the lead times for their Professional Services group are rather long. As an interim, we enabled MFA in O365 for each account, and used another vendor for the AS/400 requirement (and they got their stuff installed and working inside of a week, but sadly, their product is AS/400-only with no hope of crossover to cover O365 and VPN).