SignOn Once — a way to comply with increasing insurance regulations

Cybersecurity regulations are increasing nationwide, primarily through enhanced MFA requirements. Using SignOn Once helps with compliance and makes workflows easier, improving productivity and customer satisfaction.

Heavy regulation is a major challenge for the insurance industry. Every state has its own rules, and companies may also need to comply with Federal Trade Commission and Department of Health and Human Services regulations. The insurance industry is also susceptible to cyber attacks and data breaches due to the significant amounts of personal information it obtains and retains. Think about all the Social Security numbers, home addresses, financial information and personal health records in the insurance industry’s databanks.

Most companies believe they have good cyber security because they use multifactor authentication, better known as MFA. According to the Crowell and Moring law firm, a bad actor known as “Scattered Spider” is targeting large insurance companies in the U.S. Scattered Spider bypasses multifactor authentication and internal security protocols by using sophisticated social engineering and identity theft strategies. The attacks and breaches by Scattered Spider fit into a wider trend of criminal organizations that take advantage of vulnerable supply chains and third-party relationships.

You and your staff spend a large portion of your workdays accessing carrier systems, logging in with different credentials for each one. It’s more than a cybersecurity issue. It impacts productivity and causes employee frustration and customer dissatisfaction. If an agency has 100 employees who access 65 carriers or MGAs in the course of business, that agency is responsible for protecting no fewer than 6,500 IDs.

By the numbers

According to A Cyber Security Assessment of the Insurance Industry Supply Chain, a report issued in February 2025 by SecurityScorecard, an analysis of 150 leading insurance companies found that their cybersecurity was being compromised through their supply chain partners. 

The following are some surprising statistics from the report:

  • Third-party breaches reached 59%, the highest rate observed so far and more than double the global cross-industry average of 29%.
  • Third-party software & IT caused 50% of these breaches. Cross-industry software & IT accounted for 37%, far outpacing insurance-specific IT (13%).
  • Out of 150 companies, 84 (56%) had at least one compromised credential in the past two years.
  • U.S.-based companies, particularly insurance carriers and agencies and brokers, face disproportionately high breach rates.

MFA is 40 years old

Although MFA may seem new, it’s been in use in some form since the 1980s, starting with the SecurID token, which was introduced by RSA in 1986. The token generated strings of numbers that were good for a short time, then the numbers were replaced by another string. Beginning in the 2000s and 2010s, MFA adoption became more widespread. The pandemic sped up adoption for many companies as their employees worked from home, not always on a company-owned device.

The New York State Department of Financial Services (DFS) first issued cybersecurity regulations for financial services companies (23 NYCRR Part 500) on March 1, 2017, and has regularly updated the requirements. The most current update, effective Nov. 1, 2025, requires covered entities, small businesses and Class A companies to comply with enhanced MFA regulations. As of that date, covered entities are required to use MFA for any individual accessing any of its information systems, regardless of location, type of user, and type of electronic information contained on the information system being accessed, among other things.

The definition of covered entities includes “partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.” 

The text of the updated MFA regulations, Section 500.12, Multi-factor authentication, reads as follows:

(a) Multi-factor authentication shall be utilized for any individual accessing any information systems of a covered entity, unless the covered entity qualifies for a limited exemption pursuant to section 500.19(a) of this Part in which case multi-factor authentication shall be utilized for:

(1) remote access to the covered entity’s information systems;

(2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and

(3) all privileged accounts other than service accounts that prohibit interactive login.

(b) If the covered entity has a CISO, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls. Such controls shall be reviewed periodically, but at a minimum annually.

The key here is “remote access to third-party applications.” Section 500.11, Third-party service provider security policy, mandates that covered entities implement written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to or held by third-party service providers. The covered entity’s policies and procedures must include relevant guidelines for due diligence and contractual protections addressing the third-party service provider’s policies and procedures for access controls, including its use of multifactor authentication as required by Section 500.12, and the use of encryption to protect nonpublic information in transit and at rest.

In October 2025, DFS published an industry guidance letter on the responsibility covered entities have when third-party service providers (TPSPs) are utilized. The DFS regulations require compliance from covered entities and put the onus for third-party service provider compliance on the carrier or agent using that service. Regarding authentication, the industry letter clarifies this requirement for TPSPs, stating “requirements for TPSPs to develop and implement policies and procedures addressing access controls, including multi-factor authentication, that comply with requirements in Sections 500.7 and 500.12.”

The October industry letter includes definitions for “covered entity,” “third party service provider,” “information system,” and “nonpublic information.” With as much as 80% of the personal lines comparative quoting using TPSPs, and given the amount of nonpublic information in these transactions, this feels like a significant compliance risk across the industry.

The DFS has been more aggressive in compliance breach actions, securing more than $19 million in fines from eight auto insurance companies. However, ID Federation carriers and service providers can utilize SignOn Once, which includes MFA capability, to reduce cyber and regulatory risk exposure.

Why should carriers and agents be paying careful attention to this regulation? Because many other states have been known to follow New York’s lead when it comes to regulating the insurance industry. That means carriers and agents soon may have to comply with stricter MFA regulations in all the states in which they are licensed to operate.

Carrier and agent accountability

All insurance industry participants are accountable for protecting policyholder information to some degree, especially the carrier that maintains the largest databank of that information. Additionally, the insurance agencies that sell the insurance products access the databank most, often more than the carrier’s employees. 

The agency management system (AMS) constitutes a critical doorway for efficiency in managing the day-to-day business, but convenience and efficiency come with increased risk and obligation. Reasonable care requires carriers and agents to manage identity responsibly, effectively and efficiently. Federating identity at the AMS level and adding the convenience of SignOn Once increases the overall security of the system and shows the carrier’s commitment to protecting policyholders by restricting access responsibly. The agency gains the efficiency of having a simplified login but also benefits from association with carriers that demonstrate responsible management of consumer data. 

ID Federation is working towards an ideal state for the industry in which implementing SignOn Once simplifies incorporating MFA. The agency administrator adds a new user to their agency management system, and they check the MFA box. Then, a flag is sent during the logon process if the carrier is participating in SignOn Once. This indicates the user went through MFA as they logged into their AMS. Users only need to remember login credentials for their own AMS, not for all their participating carrier partners.

This is a huge benefit. If an agency management system user connects to 10 carriers and all have implemented SignOn Once, those users only need to manage MFA once when logging into the system, not for every participating carrier. The time saving is enormous.

Here’s what that means for the insurance agency:

  • One secure login across participating systems: Sticky notes on bulletin boards or computer monitors full of passwords will be eliminated.
  • Fewer MFA interruptions: Employees won’t need their personal smartphones available at all times even as security requirements become more stringent.
  • A smoother, more efficient workflow: Productivity and employee satisfaction will increase while frustration and mistakes decrease.

How can ID Federation help?

ID Federation is the nonprofit organization formed to develop a single sign-on technology for the property-casualty industry. That technology, called SignOn Once, has been in place for about 10 years and continues to show positive results.

What are the advantages of SignOn Once?

  1. Trustworthy security. ID Federation developed a trust framework (downloadable here on the site) to protect the security of its federated partners. By using individual credentials and tokens, and certifying identity providers (vendors such as Vertafore and Applied Systems), SignOn Once ensures logins are safe and eliminates many of the issues associated with poor password protection.
  2. Ease of doing business. SignOn Once allows carriers and agencies to do what they do best: Sell insurance and serve clients. With a seamless, secure connection to insurance carriers and solution providers, users can spend more time collaborating and less time worrying about passwords.
  3. Reduced independent agent channel cost. Eliminate the operation time and cost to maintain and use multiple user IDs, passwords and MFA processes. Direct and captive agents don’t incur this cost with a single carrier partner. This also reduces the cost related to password resets and cyber breach by requiring fewer credentials.

SignOn Once won’t eliminate the additional layer of authentication required by New York State’s updated cybersecurity rules, but it will reduce the number of times carrier and agency staff have to log into systems each day. As long as they remain logged in to their management system, they are able to seamlessly and securely access other federated partners.

 

Learn more about becoming an ID Federation member and engaging your carriers at https://idfederation.org/engage-your-carriers/

 

About the author

Alvito Vaz is executive director of the ID Federation. He has had over 30 years of leadership in the insurance industry with technology positions at Progressive and Travelers. His involvement in the agency automation space has included working with comparative rater and management system solution providers. As a member of ACORD’s Property & Casualty Steering Committee, he was engaged in the insurance standards setting process. An inaugural member of IIABA’s Agents Council for Technology (ACT), he has chaired and participated in ACT workgroups. Alvito continues to champion the use of standards to improve operational efficiency across the IA channel.

 

Sponsored by: SignOn Once


SignOn Once

ID Federation is a nonprofit group comprised of insurance carriers, solution providers, industry associations and agencies. Leveraging expertise in law, technology, and business, they developed SignOn Once, a Trust Framework. This is a technologically sound, easy, and secure means to eliminate the proliferation of IDs, passwords, and MFA requests for conducting insurance transactions.