Carriers Must Lead on Cyber Solutions

The top three bad cybersecurity practices are all common among insurance agencies. Carriers can help, for just $1 per agency per year.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a list of bad cyber practices, all of which are common among insurance agencies:

  1. Use of unsupported or end-of-life software
  2. Use of known, fixed or default passwords and credentials
  3. Use of single-factor authentication for remote or administrative access to networked systems

Carriers and agencies cite competing priorities, expense and problems with operational interruptions as reasons for not implementing crucial cybersecurity measures. These objections can be short-sighted in view of the high severity of a breach. 

IBM’s “Cost of a Data Breach Report: 2023” says, “Organizations with fewer than 500 employees reported that the average impact of a data breach increased from $2.9 million to $3.3 million,” a 13% increase from 2022. Organizations of more than 25,000 employees saw a 2.5% decrease in average losses from a data breach, to $5.4 million in 2023, the report states. Still, the financial hits for large companies are painful, with regulatory and reputational consequences, as well.

The risk of system shutdown from ransomware attacks and the potential costs of liability for the dissemination of proprietary information far outweigh the expense of protection. Happily, carriers and agencies can take comparatively inexpensive steps that will also improve efficiency in transactions.

Unsupported software

An average agency does business with 10 to 12 carriers, and a large agency could have as many as 30 carrier partners. It is very likely that each carrier has a different update cycle for its software. A breach at the weakest link, perhaps because a security patch was not applied, could affect all the other carriers an agency is doing business with.

Each carrier will say it has a robust authentication process. However, do all the carriers the agency connects to have an equally strong process? A common and secure method to authenticate system access can reduce the breach risk for all participants.

Use of known, fixed or default passwords and credentials

It is difficult to remember even one complex password. How many 15-character passwords that must mix uppercase, lowercase, numeric and symbol characters can you remember? It’s not surprising that agency representatives use the same password across multiple carriers to increase efficiency. It makes sense if convenience is the primary concern.

Independent agents may log in to each carrier multiple times in a day. This requires switching between authentication credentials – ID, password, multifactor authentication (MFA) – with each access request. As CISA indicates, using a fixed or default credential across accounts increases the breach risk. Once one carrier is compromised, use of a common password also puts the other agency carrier partners at risk.

Even worse, in some agencies, there is a single, shared login for all users to simplify access. This practice means a cybercriminal has to gain the credentials of only one user to compromise all account data, and potentially to open a gateway to carrier systems.

To solve the cybersecurity issue and improve efficiency, carriers, technology partners and agents must work together. MFA will help the entire independent agent channel be more secure. For example, our SignOn Once makes it operationally easy to enable the agency management system to be a single authentication point. The agency management system generates a unique token for a user at login, and that acts like a key to unlock entry into carrier agent portals. It isn’t shared, and it changes every day. Cost for carriers is about $1 for each of their agencies for the year. 

Use of single-factor authentication

Multifactor authentication – where login with an ID and password is verified by input of a secondary piece of information – is becoming an industry standard. This additional information can be a code, or a link to click, delivered to a secondary device, such as a cell phone. With the rise in cyberattacks, both regulators and cyber insurers are advocating for or, in some instances, mandating its use. MFA prevents a bad actor from entering a system with just a stolen ID and password. It’s an incredibly important deterrent to cybercrime.

CrowdStrike says that “80% of all breaches use compromised identities.” Because totally preventing access to user IDs – and even associated passwords – may be impossible, especially with the burgeoning abilities of artificial intelligence, having that second layer of protection provided by MFA is essential.

Carriers can lead the way on cybersecurity

With the increasing threat of cybercriminals, taking the simple step to protect access to systems at the agency level would seem to be a no-brainer. Moreover, the impending threat of AI-generated audio and email fakes that replicate the voice or tone of a trusted source suggests hackers may gain even greater access to login credentials. Affordable cybersecurity measures are needed ASAP.

Carriers can, and should, take the lead by working together to protect all industry stakeholders. Security is not an area for carriers to compete. Ask your carrier partners to invest $1 in your agency each year to strengthen your security posture and increase operational efficiency.


Alvito Vaz


Alvito Vaz is executive director of the ID Federation.

He has more than 30 years of leadership experience in the insurance industry. He has held technology leadership positions at Progressive and Travelers, and, in the agency automation space, he has worked with comparative rater and management system solution providers. 

He is a member of ACORD's Property & Casualty Steering Committee and is an inaugural member of IIABA's Agents Council for Technology (ACT).
