By Alvito Vaz
Cybersecurity is top of mind for insurance agencies as they balance operational efficiency and regulatory requirements. Carriers and agencies are looking to leverage the benefits of improved connectivity, and they need to maintain the control to restrict systems access while broadening available ways to work. Multifactor authentication (MFA) is a key tool.
MFA is the provision of an identity authenticator beyond user IDs and passwords, which are notoriously vulnerable to hackers who employ password-cracking tools. CrowdStrike defines MFA as a “multi-layered system that grants users access to a network, system or application after confirming their identity with more than one credential or authentication factor.” With MFA, authenticating an identity requires the usual user ID and password plus one or more of the following: a one-time code or password; a secure token generated by an authenticator app; or biometric recognition, such as a fingerprint, face, or voice. Most of us already use MFA because our bank or our credit card company requires it.
Growing importance of MFA
At a White House briefing in September 2021, Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, advocated MFA use, stating it has the capacity for “preventing 80% to 90% of cyberattacks.” In an executive order, President Biden mandated that MFA be used by the federal government.
In December 2022, the National Association of Insurance Commissioners (NAIC) observed:
“Cybersecurity is perhaps one of the most important topics for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public.”
The insurance industry’s need for cybersecurity will continue to increase as more employees and customers use remote devices to access agency and carrier systems. There is an even greater risk for non-authorized use when customers or employees use open internet access connections — think Starbucks, an airport lounge or a hotel conference center.
One of the most painful and costly expenses of a cyberbreach for any agency or carrier is damage to their brand reputation. Customers rightfully expect that their agency — as a trusted advisor — will safeguard their personal information, and the loss of reputation caused by a cyberbreach can take months or years to recover. A Forbes Insights report estimated reputational risk as the highest impact cost category, accounting for 29% of the expense of a breach.
Other factors driving the use of MFA are cyber policy requirements and legislative changes. Increasingly, cyber policy coverage requires the use of MFA by an insured business, or in some cases reduces coverage limits if MFA is not implemented.
State insurance regulators are also elevating digital protection responsibility for carriers and agents. The 2017 New York regulation adopted insurance-specific requirements around cybersecurity and consumer data protection. The National Association of Insurance Commissioners (NAIC) has adopted some of these into a model law with data security standards and post-breach requirements. As of January 1, 2023, Vermont became the 23rd state to adopt a cybersecurity statute based on the NAIC model law.
Proprietary carrier MFA solutions damage agencies
In response to cyberthreat exposure, carriers are improving their risk profiles by implementing proprietary MFA solutions for access to their agent portals. But an IA channel in which each carrier has its own MFA method is costly for the agencies who sell the carriers’ products. Why? Because of the drag on agency operations.
On average, according to the IIABA Agency Universe Study, an agency has 16 carrier partners — 10 for personal lines and six for commercial lines. This could mean 16 different MFA methods. When multiplied by every individual agency user, the loss of efficiency for an agency can be enormous.
Today, the number of different carrier technology interfaces is already difficult for agents to navigate, and carriers moving toward MFA will only further complicate agent processes. Keith Savino, a principal and managing partner for PCF Insurance Services and Broadfield Insurance Agency, described the evolving IA channel in an article published by Insurance Journal: “For agents, sorting through the various carrier and vendor MFA methods and requirements has been like navigating the Wild, Wild West.”
Let’s make it easy
Together we can civilize the Wild, Wild West of the IA channel and make identity management both simple and secure. The solution is …
Click to read more of the Primary Agent article on page 14 here.