
Insurers face multimillion-dollar fines for data breaches.
By Alvito Vaz
Insurance carriers are in the business of mitigating loss and managing risk. However, recent high-profile cases show that carriers could be doing a better job of addressing this exposure. In November, the New York Department of Financial Services (NYDFS) announced an $11.3 million settlement with two national carriers for violating cybersecurity regulations requiring insurance companies to put in place policies and procedures to provide controls and protect consumer data. More recently, another large insurance carrier reached a $3.25 million settlement due to “negligent data security practices.”
In February 2024, the National Institute of Standards and Technology (NIST) released the updated Cybersecurity Framework (CSF) 2.0. This is a comprehensive guide for managing cybersecurity risks and improving security posture. A key section of CSF 2.0 is the “protect” guidance, which strengthens weak spots around access management. This includes the use of Multi-Factor Authentication (MFA) to add an extra layer of protection.
Independent agent carriers depend on agencies to drive business. As an agent friend reminds me, “No money is made until a policy is sold.” This requires providing access credentials to hundreds of thousands of individuals. And to make it even more complex, each of these individuals is likely to work with 10 to 15 different carrier partners. Yes, MFA is more secure, but working with 10 to 15 different processes is an operational burden for the agency.
A recent MFA study reported that an agency representative must use three different MFA processes and log in to MFA more than six times each day. Yes, there is a solution. ID Federation, an industry non-profit founded by insurance peers, provides SignOn Once. Agents can leverage their management system credentials to access carrier websites and RealTime transactions without having to re-enter ID information. Both leading management system vendors support ID Federation.
On Valentine’s Day, show your agents the love and provide them with a secure and operationally efficient connection to carrier systems. An added benefit for carriers is that SignOn Once follows industry security practices, provides regulation compliance for MFA, and is consistent with NIST CSF 2.0 guidance for security procedures.
While MFA strengthens authentication, enforcing the principle of least privilege further reduces risks by ensuring users and applications only have access to what is necessary for their roles. However, achieving least privilege effectively requires more than just strong authentication — it demands Identity Governance and Administration (IGA) to manage access rights and minimize security gaps.
SignOn Once is ID Federation’s primary initiative. For more information visit www.idfederation.org or contact me at alvito@idfederation.com.

Alvito Vaz is the executive director of ID Federation. He is a long-time participant in AUGIE and has held business and technology leadership roles at Progressive and Travelers. He can be reached at alvito@idfederation.com.