Federation, the Solution for Cyber Security, Efficiency: Part 1

Posted: 7/6/2021

A panel of two carrier representatives and two agency owners conveyed one collective message to NetVU members at an Accelerate webinar: As cyber risks increase, agencies and carriers must unite to federate.

The discussion, “SignOn Once: Increase Efficiency and Protect Customer Data,” was moderated by Nellie Massoni of Vertafore on June 8, 2021. Agency panelists were Steve Aronson of Aronson Insurance and Mike Foy of Foy Insurance. Carrier panelists were Jim Rogers of The Hartford and Toby Plummer of MMG Insurance.

Danger, danger, Will Robinson

“The state of ransomware and other attacks around the world has me even more concerned [about cyber security] than I was before,” said Aronson. He recommended listening to the New York Times June 8, 2021, podcast, “Who Is Hacking the U.S. Economy,” for a better understanding of the risks being faced by the insurance industry, along with other major industries. “It’s scary,” he said, observing that the Colonial Pipeline hack was the result of one leaked password. He and the panelists agreed that credential management is the No. 1 vulnerability for agencies and carriers. One leaked password could spell a disaster of the same order for an agency or carrier.

But ”it’s a nightmare that can easily be avoided,” said Massoni. The solution is unified federation through SignOn Once by ID Federation, which is a nonprofit federation system dedicated to the independent channel.

What is federation?

Too many insurance professionals do not understand what federation means or the security and increased efficiency that it will afford them, panelists said.

Many are already using federation personally without realizing it, said Aronson — “when you use your Apple or Google logon to get access to other systems and other sites, that’s federation. It’s becoming a more frequent opportunity.“

Massoni offered a layman’s explanation as it applies to independent insurance agents using SignOn Once by ID Federation: “What we mean by federation is not having to use and maintain user IDs and passwords that you currently have with all the carriers that you represent.” Instead, users have just one login through their ID Federation-certified management system provider that enables them to conduct all insurance business with participating carriers.

How does federation work?
“The carriers on this panel trust Vertafore,” because it is a certified federation provider for SignOn Once, said Massoni. “With federation, your VSSO login to the Vertafore system becomes your login to all participating carriers’ sites.” All transactions adhere to the SignOn Once trust framework.

Why is federation so important?  “If you’re a 10-person agency and represent 10 carriers, that’s a minimum of 100 credentials, expiring every 30, 45, 60 days. It grows exponentially,” said Massoni.

“As an individual, running one of our offices — I have approximately a thousand user IDs and passwords I have to personally maintain,” said Foy. “That gets chaotic, and when it’s chaotic, it becomes unsecure.”

Current state of password security?

“It’s chaotic because it seems like every carrier, vendor that we have — if they have a solution, it’s a different solution,” which compounds credential maintenance complications for agencies, said Foy. “If they don’t have a solution — well, I have carriers who’ve had the same user ID and password for 20 years. I expect carriers to address that issue.”

But they sometimes don’t. “We just learned today that we had a user who had not worked for us for two-and-a-half years but still had a working ID and password,” Foy said. “The carrier confirmed that we had notified them to remove it, and they had not.”

Some carriers have implemented MFA (multi-factor authentication) to increase security, but they also increase inefficiency, Foy said: ”All of these things slow down access to the carrier website.” He noted that it can take him five minutes to access a carrier website when MFA is required. Multiply that by every user, by every carrier, then by every working day, and the inefficiency becomes costly. With SignOn Once, a user can go through multi-factor authentication just one time when they log into their management system. Behind the scenes, a flag is sent to any carrier that user accesses, indicating they’ve already been “MFA’ed” and have no need to go through the carrier’s MFA process.

“And how disruptive is it if someone forgets an ID and password?” Foy said. Not only does it cost the agency time and money, but carriers report that the majority of their help-desk calls are requests for user ID and password help. With SignOn Once, those issues are nonexistent.

The risks and inefficiency of credential management have intersected with increased hacking activity and the pandemic, creating a crisis point for the industry. “During the pandemic, everyone working remotely has added additional layers of challenge,“ said Aronson.

Panelists shared that recently one major carrier paid $40 million in ransom to regain control of its network after a ransomware attack. They urged their colleagues to turn to SignOn Once for increased efficiency and better security.

(Part two of this article, shares the advice and perspectives of the carrier panelists, more observations from Foy and Aronson, as well as information for proceeding from here.)