
by ID Federation
The insurance industry is often accused of legacy thinking. In a business built on risk aversion, it is not unusual that the processes and procedures used by insurance professionals change very slowly. Change is associated with risk. However, the failure to change could also increase exposure to risks. This is a constant theme from software vendors as they roll out new versions with improved security protection. Cybercriminals, unlike insurance professionals, are quick to change and rapidly adopt new techniques to breach systems.
As insurance utilizes insurtech, we also need to consider the security implications of integrating artificial intelligence (AI) and application programming interfaces (APIs) in our infrastructure. Relying on legacy procedures is not effective in defending against cybercriminals who are constantly looking to breach confidential customer information maintained in insurance systems. The historic method of ID and password protection is no longer effective at preventing unauthorized access. Password cracking has improved with increased processing power, and password breaches where credentials are shared are also becoming more frequent. On June 30, 2025, Cybernews reported “Several collections of login credentials reveal one of the largest data breaches in history, totaling a humongous 16 billion exposed login credentials.”
APIs have been used for decades to facilitate insurance transactions. Consider personal insurance comparative ratings, where APIs connect an insurance agency to multiple carriers and pass confidential information like driver license numbers and maybe even Social Security numbers. With new technology, AI bots are being used to perform routine transactions. Maybe the AI bot is collecting renewal information or looking to download policy documents from a carrier to an agency management system. In either case — API or AI bot — credentials to the respective agency and carrier system are provided to allow access.
Insurance holds large amounts of sensitive data — personal information, medical claims and high-value articles, for example — that make the industry a juicy target for cybercriminals. Additionally, in the independent agent channel, each agent has access credentials for 10 to 15 insurance carriers. A single breach has the potential to expose information across multiple business partners.
Multi-factor authentication (MFA) has become a necessary addition to the legacy authentication protection of only ID and password. America’s cyber defense agency says MFA is a powerful way to protect your organization, and “the use of MFA on your accounts makes you 99% less likely to be hacked.” Creation and use of 10 to 15 different MFA credentials — one for each insurance carrier partner — is a cumbersome and inefficient process. Ask carriers to support a consistent cybersecurity standard for credential access. This federated approach has been used successfully across leading technology providers, including Google, Amazon and Facebook.
ID Federation, an industry non-profit association created by insurance peers, is working to drive adoption of a common standard for authentication. This eliminates the need for multiple IDs, passwords and MFA procedures. Use of a single authentication through the agency management system allows sharing security credentials in a federated model. Ask your carrier to step away from legacy thinking and adopt a federated security standard within the independent insurance channel. Yes, we can have both improved security and efficient operation by working together as an industry.