The Industry Shouldn’t Compete on Cybersecurity

With cyber risk growing for small businesses, the insurance industry should cooperate on cybersecurity.

The National Cybersecurity Alliance reports that small and midsize businesses are “easy targets” for cybercriminals. Small firms represent 58% of cybercrime victims, according to SCORE, a business mentoring group funded in part by the U.S. Small Business Administration. And, according to SCORE, “60% of small and medium businesses are forced to suspend operations and, in many cases, never reopen” after they experience a cyberattack.

That’s why it’s critical that all industries prioritize effective cybersecurity — and the insurance business is no exception.

Our industry’s reputation is grounded in client trust. Besides its people, trust may be an insurance agency’s most important asset. Trust is key to maintaining client relationships, which drive an agency’s value. A data breach that compromises our clients’ proprietary and personal information could erode that trust and prove to be debilitating to our business.

Collectively, carriers, agents and technology partners should work together to improve cyber security and efficiency. Let’s cooperate and not compete on security.

The industry has taken many steps to improve cybersecurity and protect consumer information through both secure and efficient processes and tools, such as multifactor authentication (MFA).

State regulators also are increasingly requiring the industry to enhance its cybersecurity practices for external connections, which includes employing MFA. For example, the New York Department of Financial Services, which regulates insurers operating in the state, instituted cybersecurity regulations in 2017 that require companies to establish information security programs to protect information systems. Entities covered by the regulation are required to use MFA. DFS noted in a 2021 guidance that MFA is “an essential part of cybersecurity hygiene,” and a “lack of effective MFA has been the most frequently exploited cybersecurity gap in the Cybersecurity Events reported to the Department.”

The National Association of Insurance Commissioners also has developed a model cybersecurity law that is being adopted by state departments of insurance.

These are positive steps toward better cybersecurity for the industry overall. But they also have created a more confusing and cumbersome process for agents, who typically work with an average of 16 different carrier partners. Because there are no consistent cybersecurity best practices or systems, each insurer has its own cybersecurity requirements and MFA systems.

Something as important as cybersecurity shouldn’t be complicated or cumbersome for an industry that manages personal client data every single day. Organizations like ID Federation, a nonprofit alliance formed by industry leaders, recognized this challenge and knew the industry needed a better way to efficiently do business and protect our clients’ data. Working together with agencies, carriers and technology providers, ID Federation developed SignOn Once, which eliminates the need for multiple IDs and passwords, thus simplifying the authentication process.

ID Federation maintains a “trust framework” that members agree to and abide by to become trusted partners in the SignOn Once system. Agents can access their participating carrier partners through a single MFA entry point, which for most agencies is their agency management system. There is no software or service to purchase. No one makes a profit from using SignOn Once, but everyone benefits.

Multiple carriers and technology partners are members of ID Federation and are SignOn Once trusted partners, including Vertafore and Applied Systems, the two management system providers covering more than 80% of U.S. agencies.

I have been using SignOn Once with The Hartford for many years, as this was the first carrier to implement. Now, Nationwide is the first carrier to implement with both Applied Systems and Vertafore, and more companies are coming on board. The more industry partners who participate in the SignOn Once system, the greater the independent agent channel benefits.

We as an industry already compete on many different fronts: price, product, service, coverage and underwriting. But cybersecurity is not something we should compete on. We have a responsibility to improve security across industry partners. We can do this by working together to drive common, efficient practices to enhance security.

Topics Cyber