MFA Is Necessary. Let's Make It Simple
By Alvito Vaz, ID Federation
Cybersecurity is top of mind for insurance agencies as they balance operational efficiency and regulatory requirements. Carriers and agencies are looking to leverage the benefits of improved connectivity, and they need to maintain the control to restrict systems access while broadening available ways to work. Multifactor authentication (MFA) is a key tool.
MFA is the provision of an identity authenticator beyond user IDs and passwords, which are notoriously vulnerable to hackers [1] who employ password-cracking tools [2]. CrowdStrike defines MFA [3] as a “multi-layered system that grants users access to a network, system, or application after confirming their identity with more than one credential or authentication factor.” With MFA, authenticating an identity requires the usual user ID and password plus one or more of the following: a one-time code or password; a secure token generated by an authenticator app; or a biometric recognition, such as a fingerprint, face, or voice. Most of us already use MFA because our bank or our credit card company requires it.
Growing Importance of MFA
At a White House briefing [4] in September 2021, Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, advocated MFA use, stating it has the capacity for “preventing 80% to 90% of cyberattacks.” In an executive order [5], President Biden mandated that MFA be used by the federal government.
In December 2022, the National Association of Insurance Commissioners (NAIC) observed:
“Cybersecurity is perhaps one of the most important topics for the insurance sector today. Insurers and insurance producers must protect the highly sensitive consumer financial and health information collected as part of the underwriting and claims processes. This personally identifiable information (PII) is entrusted to the industry by the public.”
The insurance industry’s need for cybersecurity will continue to increase as more employees and customers use remote devices to access agency and carrier systems. There is an even greater risk for nonauthorized use when customers or employees use open internet access connections — think Starbucks, an airport lounge, or a hotel conference center.
One of the most painful and costly expenses of a cyberbreach for any agency or carrier is damage to their brand reputation. Customers rightfully expect that their agency — as a trusted advisor — will safeguard their personal information, and the loss of reputation caused by a cyberbreach can take months or years to recover. A Forbes Insights report [6] estimated reputational risk as the highest impact cost category, accounting for 29% of the expense of a breach.
Other factors driving the use of MFA are cyber policy requirements and legislative changes. Increasingly, cyber policy coverage requires the use of MFA by an insured business, or in some cases reduces coverage limits if MFA is not implemented.
State insurance regulators are also elevating digital protection responsibility for carriers and agents. The 2017 New York regulation [7] adopted insurance-specific requirements around cybersecurity and consumer data protection. The National Association of Insurance Commissioners (NAIC) has adopted some of these into a model law [8] with data security standards and post-breach requirements. As of January 1, 2023, Vermont became the 23rd state to adopt a cybersecurity statute based on the NAIC model law [9]. [See box at end of article for the status in IA&B’s three-state footprint.]
Proprietary Carrier MFA Solutions Damage Agencies
In response to cyberthreat exposure, carriers are improving their risk profiles by implementing proprietary MFA solutions for access to their agent portals. But an IA channel in which each carrier has its own MFA method is costly for the agencies who sell the carriers’ products. Why? Because of the drag on agency operations.
On average, according to the IIABA Agency Universe Study [10], an agency has 16 carrier partners — 10 for personal lines and six for commercial lines. This could mean 16 different MFA methods. When multiplied by every individual agency user, the loss of efficiency for an agency can be enormous.
Today, the number of different carrier technology interfaces is already difficult for agents to navigate, and carriers moving toward MFA will only further complicate agent processes. Keith Savino, a principal and managing partner for PCF Insurance Services and Broadfield Insurance Agency, described the evolving IA channel in an article [11] published by Insurance Journal: “For agents, sorting through the various carrier and vendor MFA methods and requirements has been like navigating the Wild, Wild West.”
Let’s Make It Easy
Together we can civilize the Wild, Wild West of the IA channel and make identity management both simple and secure. The solution is SignOn Once™ by ID Federation. Not only does it provide an efficient route to better security across the channel, but it was designed for us by our peers.
ID Federation is a nonprofit group of carriers, agencies, and insurance technology vendors who collaborate on secure and efficient industry standards. The two largest agency management providers — Applied Systems and Vertafore — are members of ID Federation. Forward-thinking carriers that already are on board with IA channel efficiency are also members. A list of members is available at IDFederation.org/member-roster.
Industry-wide adoption of SignOn Once will enable carriers to enhance their agency management system security, including MFA, in a uniform manner that will benefit the entire channel. SignOn Once will provide agents with consistent, secure, and efficient access among carrier platforms.
The Benefits of a United IA Channel
From their ID Federation-partner agency management system, an agent can connect to carriers that support SignOn Once without having to re-enter IDs and passwords. Even better, a single MFA process, completed when an agent signs on to their management system, suffices to eliminate MFA requirements across the multiple-carrier portal.
Still better, the solution can be universal. In sum, SignOn Once by ID Federation, which is free for agencies, answers the need for secure and standardized identity management, including MFA, across the entire IA channel. With a single sign-on just once a day, every agent could connect securely to the IA channel through their management system, using a trusted credential. And every carrier can enhance their security while helping their agents.
All that’s required is for carriers, agents, and industry partners to participate.
Advocate for Ourselves
Independent agents and their carriers need to know that SignOn Once by ID Federation is designed to benefit everyone, and they should work toward industry-wide adoption. Agents should talk with their carriers who are not yet on board with SignOn Once, encouraging them not to pursue proprietary MFA methods, but instead to cooperate through ID Federation for the greater good.
The more we work together, the safer and more efficient identity management will be. SignOn Once by ID Federation has already paved the road to that better place for the entire IA channel.
Vaz is the business manager of ID Federation and has more than 30 years of experience with insurance industry automation. He can be reached at alvito@IDFederation.com.
IMPLEMENTATION OF NAIC MODEL LAW
Insurance data security legislation based on the NAIC model law was passed in Delaware in 2019 and Maryland in 2022. While the law in Maryland applies only to insurance carriers, Delaware’s law also applies to independent agents (with exemptions from certain requirements for agencies with fewer than 15 employees). Similar legislation in Pennsylvania, House Bill 739, has been reintroduced based on an identical proposal from the previous legislative session. In May of this year, HB 739 was sent to the Senate for approval after the House voted unanimously in favor of its passage.
Sources:
1 https://www.beyondtrust.com/blog/entry/password-cracking-101-attacksdefenses-explained
2 https://techreport.com/spy/bestpassword-crackers/
3 https://www.crowdstrike.com/cybersecurity-101/multifactorauthentication-mfa/
4 https://www.whitehouse.gov/briefing-room/statementsreleases/2021/09/02/press-briefing-by-presssecretary-jen-psaki-and-deputynational-security-advisor-for-cyberand-emerging-technologies-anneneuberger-september-2-2021/
5 https://www.whitehouse.gov/briefing-room/presidentialactions/2021/05/12/executiveorder-on-improving-the-nationscybersecurity/
6 https://images.forbes.com/forbesinsights/StudyPDFs/IBM_Reputational_IT_Risk_REPORT.pdf
7 https://www.dfs.ny.gov/industry_guidance/cybersecurity
8 https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf
9 https://www.jdsupra.com/legalnews/naic-insurance-datasecurity-model-law-1854646/
10 https://www.independentagent.com/research/agencyuniversestudy/agency-universe.aspx
11 https://www.insurancejournal.com/magazines/magfeatures/2022/11/07/693270.htm