by Alvito Vaz
Don’t be an insurance carrier or insurance agency fined by the New York Department of Financial Services (DFS) for violation of the New York cybersecurity regulations. Effective November 1, 2025, the requirements for Class A covered entities is even stricter. The requirement is for use of Multi Factor Authentication (MFA) for all connections unless an exemption has been requested. Additionally, the regulations extend compliance requirements to service providers used by covered entities to follow the same regulatory requirements including use of MFA.
A recent PropertyCasualty360 article reported that insurers owe New York $19 million for data breaches. And this is before the new stricter regulatory requirements for MFA usage are in effect. Then-DFS Superintendent Adrienne A. Harris explained that inadequate cyber security controls allowed hackers to steal New Yorkers’ personal information resulting in these fines. Harris also stated in a press release, “DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers.”
As carriers implement MFA to meet the regulatory requirements, agencies are faced with a dizzying set of different scenarios. An agent in the northeast recently told me, “What I am seeing in the marketplace is the scramble to meet New York’s cyber requirements with little to no consideration to their agents or customers. It appears they find a solution to meet the state laws and implement”. Not only does the lack of standardization impact agent operations, it also leads to increased risk as it often takes longer to manage provisioning and de-provisioning for the new requirements.
In contrast, SignOn Once by ID Federation, an insurance industry non-profit association, leverages existing security practices to implement a secure, MFA-compliant and operationally efficient workflow. Agents use their management system credentials to authenticate with ID Federation carrier partners, eliminating the need for multiple entry of IDs, passwords and MFA credentials. An agent who heard about SignOn Once at the recent AUGIE Group meeting tried it out with Nationwide Insurance, one of the ID Federation carriers, and said “I’ve been talking with Nationwide and tried it out for myself yesterday. It is super-slick going in through Real Time.”
This Halloween, ask your carriers for a treat by supporting SignOn Once. Carriers, you can avoid a trick by using SignOn Once to mitigate DFS regulatory requirements.
Alvito Vaz has more than 30 years of leadership experience in the insurance industry. He has held technology leadership positions at Progressive and Travelers, and, in the agency automation space, he has worked with comparative rater and management system solution providers. He has participated in the insurance standards setting process as a member of ACORD’s Property & Casualty Steering Committee and was an inaugural member of IIABA’s Agents Council for Technology (ACT).
