Better cybersecurity must be part of all insurance-agency plans

As agencies and carriers make significant technology investments, they must work together to mitigate new risks.


Insurance agents are adept at educating clients about the various exposures they face, both personally and professionally, and about the risk transfer and risk management options available to help them mitigate their exposures.

When it comes to addressing the industry’s ever-growing cybersecurity risk, however, many agencies are falling short.

As agencies and carriers become increasingly reliant on technology to run their businesses effectively and make significant investments in upgrading their technology systems, they must do more — and work together — to mitigate the risk that technology brings.

Cyber-risk is the biggest concern for companies of all sizes across a range of industries after a “worrying resurgence in ransomware and extortion losses” in 2023 and a 50% year-on-year increase in ransomware claims activity, according to Allianz’s 2024 Risk Barometer.

It’s not only carriers or large insurance companies that are vulnerable to cyber breaches. Insurance agencies also are prime targets for cybercriminals due to the amount of sensitive customer information they hold.

Agencies should be particularly concerned as “most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage,” according to the Allianz Risk Barometer. Bad actors can easily exploit agencies’ technological vulnerabilities and gain unauthorized access to the networks, putting agencies — and their clients — at risk.

Industry cybersecurity efforts

Enhanced data security is no longer optional for insurance professionals. Although there is no uniform cybersecurity law in the U.S., there are various federal and state laws and regulations requiring companies to protect their customers’ personally identifiable information. The Federal Trade Commission’s Safeguards Rule requires financial institutions, including insurance companies and others providing financial products and services, to “maintain safeguards to protect customer information.”

Many state insurance regulators have also taken steps to ensure the industry overall is better at protecting customer data. New York, for example, enacted cybersecurity regulations for financial services companies in 2017 and amended the regulations in November 2023 to require the financial services industry to “institute stronger standards and controls to secure sensitive data,” according to New York State Superintendent of Financial Services Adrienne A. Harris. The National Association of Insurance Commissioners Insurance Data Security Model Law, which was adopted in 2017, has been implemented in 23 states and is pending in four others as of January 2024.

All of this underscores the fact that cybersecurity requirements are not going away and are, in fact, going to become tougher. That’s why, in response to these regulations, insurers have strengthened their cybersecurity, including enabling multi-step login tools like multifactor authentication (MFA), which requires someone trying to access a website or system to verify their identity via multiple methods, such as by email, text message or facial recognition. Microsoft has reported, “MFA implementation offers outstanding protection,” with the risk of compromise reduced by 99.2%.

MFA is undoubtedly an effective tool for protecting sensitive information, even though it can create some complications. Every carrier has its own MFA credential requirements, which makes doing business with multiple carriers a cumbersome process for agencies. The average agency works with about 15 different carriers. If every one of them requires different MFA credentials, that is a significant number of user IDs and passwords for agencies to keep track of. Agencies may also have MFA for their own agency management systems.

Many agencies try to simplify the situation by sharing login credentials among multiple users, attaching sticky notes with login information to computers or laptops, or writing them in a journal that sits atop someone’s desk. This is not a secure way to protect sensitive information.

The solution to these challenges is not to give up and hope that the agency never faces a cybersecurity issue, nor is it to continue the same frustrating ways of doing things. Agents need to be sure they aren’t caught in a cybersecurity nightmare by ensuring they have the right tools in place today to protect their business and customer data.

In addition to educating and training agency staff on best cybersecurity practices, agencies can help encourage the industry to adopt a single sign-on solution. ID Federation’s SignOn Once is such an option, and it’s free for agencies to use once their carrier or vendor partners have implemented it.

Brian Bartosh is a member of the board of directors of ID Federation, a nonprofit coalition of insurance industry leaders committed to improving the security and efficiency of insurance transactions. He is also president of Spire America Holdings, Inc., which operates under Top O’ Michigan Insurance and Spire Insurance Solutions. He has been active in various industry organizations, including Big “I” Agents Council for Technology and AUGIE, and is a past chair and board member of Applied Client Network. He can be reached at bbartosh@tomia247.com.

These opinions are the author’s own.
