Multifactor authentication (MFA) is now a widely used method across industries and technology systems. Why? It’s an easily implemented way to add a layer of security beyond the standard login with a user ID and password.
MFA is proving effective in combating cyber risk for independent agents as well as other users throughout the insurance industry. Adding another layer of security can prevent many cyberattacks: As many as 90% of the breaches can be avoided if users employ more than just an ID and password, according to the federal government.
The Independent Insurance Agents of Arizona recently held an online townhall event on the topics of MFA and cybersecurity. Panelists were Jim Rogers from The Hartford, Ryan Smith from Adar IT/Rigid Bits Cybersecurity, moderator Chris Cline from the Big I’s Agents Council for Technology (ACT) and me.
In addition to MFA, we at the townhall event discussed the state of cyber risk and regulation, why companies are taking action, how that is impacting independent agencies, and how agencies can lean into the topic.
Here is part 2 of 2 blogs about the event. Review part 1 here.
Independent agencies typically are small business owners, pointed out Rogers, who “are really dependent on their reputation. And they should be looking at the reputational risk of: ‘What happens if my data is breached?’” Many types of personal information are valuable to hackers to steal and sell. Agencies face regulatory and other demands to protect it.
Independent agencies may find their own cyber insurance policies limited or eliminated if they don’t implement MFA. A million-dollar policy limit for one agent could be reduced to $100,000, absent MFA implementation. Make sure you understand the potential MFA requirements for any cyber policy for an independent agency.
Smith noted that New York State Department of Financial Services in 2021 released its cyber insurance risk framework for property-casualty insurance carriers to outline best practices for managing cyber insurance risk.
Cline said that carrier agreements increasingly call on independent agencies to take on greater vigilance and obligation against cyber risk, including the use of MFA. He noted the tradeoff of living “through the pain of the MFA to avoid knowing the ugliness potentially downstream.”
Carriers have been making agent agreements “more robust,” Rogers pointed out, including around identity provisioning. Agencies have “a lot of responsibilities” with regard to “what we [as a carrier] expect our agents to be doing to manage their identity and the access they have into our systems as carriers.”
Smith noted that the insurance industry does not live in a risk-free world: “… people want to try to secure away any kind of risk. There’s no risk acceptance in the cybersecurity world. When you look at the cybersecurity best practices and frameworks, we have to accept risks. The only way to really remove all of them is to not even use the computer in the first place.”
SignOn Once by ID Federation provides one entry point for an agency user into systems of multiple business partners through the agency’s management system. Not only does this provide efficiency at the point of provisioning identities for users, but it also provides efficiencies at the point of decommissioning a management system ID. That’s because at the same time an agency decommissions a set of credentials, it also decommissions the person with those credentials with carriers. That reduces cyber risk significantly for carriers.
Rogers noted that connecting through an agency management system can enable agents to eliminate the need for MFA usage individually with carriers.
Behavior change might be needed among some in the industry. “If you have a lot of shared IDs and passwords in your agency, that’s not going to work,” said Rogers.
“You really need to have one ID to one ‘belly button.’ And then as you implement MFA, your life will be easier, especially from a carrier point of view.” SignOn Once from ID Federation allows agents to be more efficient and carriers to be more secure by using a single MFA process.
“MFA can be a pretty significant stop gap,” asserted Cline, who also noted that ACT offers an Agency Cyber Guide with a full set of cybersecurity resources.
Listen to ACT’s MFA and Cybersecurity Townhall session here: https://www.independentagent.com/ACT/Pages/webinars/act-webinars.aspx
Alvito Vaz is executive director of the ID Federation. He has had over 30 years of leadership in the insurance industry with technology positions at Progressive and Travelers. His involvement in the agency automation space has included working with comparative rater and management system solution providers. As a member of ACORD’s Property & Casualty Steering Committee, he was engaged in the insurance standards setting process. An inaugural member of IIABA’s Agents Council for Technology (ACT), he has chaired and participated in ACT workgroups. Alvito continues to champion the use of standards to improve operational efficiency across the IA channel.
