The insurance industry needs multifactor-authentication unity
A consistent approach to MFA will boost security and efficiency.
A cybersecurity breach may be just another sickening story most insurance agencies and carriers have heard told, but when you go through one yourself — or help a client who is going through one — you suddenly get a new perspective.
The cost of a breach is only one aspect of the event. There is also angst, embarrassment, and a ton of lost productivity and time.
The investment in multifactor authentication (MFA) is worth it to avoid the crippling effects of a successful hack. MFA is a cybersecurity protocol that requires users to confirm their identity by more than one method, for example, user ID/password and a code sent by phone or email; a security token produced by a computerized authenticator program; or a biometric identifier, such as voice or facial recognition.
Multifactor authentication is good medicine. But right now, about 40% of carriers aren’t using it, and about 20% of agents either don’t see its value or are unsure of its value, according to a recent IIABA Agents Council for Technology survey.
The insurance industry is and will increasingly be under pressure to bolster its cybersecurity. The Securities and Exchange Commission is pressing listed companies on cyber, and the costs of cyber breaches are escalating. MFA is a cybersecurity basic, and it can be done with efficiency.
MFA needed for each carrier portal
At this point, agents, CSRs and others wishing to sign in to carrier portals will need to go through the authentication process for each carrier that requires authentication. While the ACT survey didn’t indicate this was an enormous time expenditure, agents did say they want MFA to be “simple and effective” and they want the industry to “adopt one method across the industry with multiple ways to authenticate (app, text, voice).” To sum it up, respondents told ACT they want “SignOn Once” for MFA.
According to the ACT survey, only 4% of carriers at this point use SignOn Once, an initiative developed by nonprofit industry coalition ID Federation.
SignOn Once for MFA would do what its name implies. It would require a user to input a single authentication code to log in to the agency management system. Once logged in, the user would have access to all carrier portals and other documents as well as other applications and services within the agency management system without repeating the MFA process for each.
Most breaches are accidental
The majority of cyber breaches occur as the result of employee action, mostly accidental, such as being duped by a phishing scam. MFA puts a barrier between an unauthorized user and company systems. Even if an employee clicks on a link or sends a password to a scammer, the authentication code will not be sent to the interloper but, rather, only to the authorized user. That serves to both block the bad actor and alert the system administrator that someone is trying to hack in.
Acrisure, the parent company of my business, uses an authenticator app for access to various portals and platforms, and I thank them for it. It serves employees at 1,000 locations — all using the same authenticator tool to make sure there is just one way for people to get into all the corporate info they need to see. That’s good. I know that all the sensitive information from my agency is well protected from mistakes made by people who are in a hurry and from those with bad motives.
That is the concept for MFA as it relates to external access to carrier systems. An authenticator can be set to grant access to only those areas a person should be going into, so it conveniently ensures security. If it is done as SignOn Once, it also creates a single entrance into the overarching hallway of cyber doors. Once a user is granted access to the hallway, they can open any authorized door their MFA key has unlocked.
Beyond MFA’s value to minimize the damage from employee error, SignOn Once authentication also would allow administrators to deprovision users very quickly upon termination of employment. Turning off MFA under single sign-on stops former users from being able to access anything, even if they still have their user IDs and passwords for each carrier.
The future is arriving
The Big I’s ACT survey indicated that 71% of carriers use the same MFA solution across their platforms and for password resets. That shows that the overwhelming majority understand the value of a single sign-on for their proprietary systems. That jibes with agents’ preference for a similar system for agency MFA use across all carriers.
Since both carriers and agents see the value of using one MFA solution across platforms, it’s time to support a SignOn Once solution through ID Federation so the industry can have a coordinated, consistent, unified approach to MFA. We can do this, and we should.
Steve Aronson is principal at Aronson Insurance, an Acrisure Partner Agency, and a board member at ID Federation. He can be reached at steven@aronsoninsurance.com.
These opinions are the author’s own.