MFA & What you Represent, or Misrepresentation?

As an agent or agency, why does this matter to you?

In a recent ID Federation survey, agents said that only 53% of carrier logon passwords expire. Some 51% maintain passwords on a spreadsheet, and 5% use sticky notes on their desks or computers to store passwords.

When you’re complacent, it signals that you’re a prime target for any hacker to break into your computer system. Anyone who has access to your office can use the passwords you’ve left on your desk to get into your computer or server.

The Global Small Business Multi-Factor Authentication Study, released by the Cyber Readiness Institute in July, found that:

  • 55% of SMEs reported not being “very aware” of MFA and its security benefits.
  • 54% of survey respondents said they do not use it for business.
  • 47% of those businesses that have yet to implement MFA noted they either didn’t understand it or didn’t see its value.
  • 60% of small and medium-sized business owners reported not discussing MFA with their employees.

These are jarring statistics! Are you contributing to the problem or proactively addressing the situation? There are solutions and best practices, and cyber protections that can benefit your clients and your agency.

Background of MFA:

Large companies report success in defending against common hacking attacks by moving their user base from single factor to multi-factor authentication. MFA solutions, by default, are supported in the most popular operating systems, and hundreds of third-party vendors offer additional MFA solutions.

Multi-factor authentication was previously used for organizations and websites needing the highest security assurance. Today, MFA tokens are being offered or operated by ordinary agencies, organizations, and websites.

HOW DOES MFA WORK?

MFA requires users to present two or more authentication factors at login to verify their identity before being granted access. Each additional authentication factor added to the login process increases security. (“Multi-Factor Authentication Fact Sheet – CISA”) A typical MFA login would require the user to present some combination of the following:

  • Something you know: like a password or Personal Identification Number (PIN).
  • Something you have: like a smart card, mobile token, or hardware token.
  • Something you are: a biometric factor like a fingerprint, palm print, or voice recognition.

For example, MFA could require users to insert a smart card or a bank card into a card reader (first factor) and then enter a password or a PIN (second factor). An unauthorized user in possession of the card would be unable to log in without knowing the password; likewise, the password is useless without physical access to the card. Consider enforcing MFA on Internet-facing systems like email, remote desktops, and Virtual Private Networks (VPNs). Implementation schedules, costs, adoption willingness, and the degree of protection provided vary depending on the solutions selected and the platforms to be protected, so match the capability to the need.

The adoption of MFA is a positive development for computer defenses. MFA solutions should be used rather than single-factor authentication solutions to protect sensitive data.

The misunderstanding is that the application of MFA means all attacks that were successful against single-factor authentication cannot be successful against multi-factor authentication. All multi-factor authentication mechanisms can be compromised by someone opening a phishing email. Phishing threatens every organization, and 90% of hacks and data breaches begin with phishing scams. KnowBe4, a provider of security awareness training and a simulated phishing platform, says its newest product, SecurityCoach, has revealed the top 10 risky behaviors employees have engaged in on their work devices. These are some of the top 10 risky behaviors that organizations have detected by integrating existing security solutions.


Attacks against single-factor authentication methods, like login names and passwords, drive a growing large-scale movement to more secure, multi-factor authentication solutions everywhere in corporate environments and websites. Websites and services, including those owned by Google, Microsoft, Facebook, and Twitter, have offered MFA solutions to their customers. Many internet sites and services now provide traditional login name/password solutions and more secure multi-factor authentication options.

Get the information you need to prevent attacks.

ID Federation for a Multi-Factor Authentication Response:

Carriers, vendors, agents, and industry organizations such as ACT are dedicated to solving a top pain point in user ID/password issues, industry volunteers from ID Federation reported.

The nonprofit coalition is addressing the expanded multi-factor authentication, or MFA, cyber regulations that will be adopted in more states.

How SignOn Once Works

The founding organizations of the ID Federation developed SignOn Once, a solution that allows one password for access to multiple sites. It meets the security needs of all segments of the insurance industry. It consists of a set of business, legal and technical standards.

SignOn Once allows single, secure sign-on through federated identity management. Users log in once and have access to multiple carrier systems. A unique identity token for each user is certified for authenticity and used for access to each participating organization (e.g., carrier). For agents, it’s free, easy, and secure. Carriers and agents save time and cost for password resets. When an agency staffer leaves the firm, de-provisioning that user is instant. 

The process is seamless for the user, although multiple checkpoints and verifications are happening “behind the scenes”. ID Federation is also updating its Trust Framework to reference newer technologies, such as replacing SSL with TLS. It also is confirming that SignOn Once meets the MFA requirements.

 Survey Results

The ID Federation recently conducted a survey of independent agents regarding passwords. Agents said that only 53% of carrier logon passwords expire. Some 51% maintain passwords on a spreadsheet, and 5% use sticky notes on their desks or computers to store passwords.

You are at risk if you can’t sign on securely. When logging into your management system, you log in securely via a token. It’s a trusted sign-on.

Agents encourage their technology providers and carriers to join the ID Federation. Vertafore and Applied are already certified; any size vendor can also go through the process. The number of carriers getting involved is growing.

Are You Using MFA Correctly?

The 2022 Advisen Cyber Risk Insights Conference urged underwriters to raise the stakes when assessing insureds’ cyber exposure. An area of cybersecurity that has garnered attention is multi-factor authentication or MFA. But experts said most underwriters need to ask the right questions.

“When we ask people, ‘How’s your MFA?’ We also ask about exceptions. ‘Who is exempt from this?’ Executives frequently say, ‘Oh, I don’t want the inconvenience.’ Of course, they’re the ones who need it the most. So, with these broad questions in the insurance questionnaires asking, ‘Do you have MFA? Yes, or no?’ we found there was a whole big gray area in between the yeses and the nos.”

MFA means that a technology user needs to have two methods of verifying their identity before gaining access to a system—a password, a biometric scan, a code texted to another device, or something else. Although MFA is a number one security recommendation that insureds should enable on Internet-accessible accounts, many are not implementing it correctly, said Preston Miller, director of Unit 42 at Palo Alto Networks.

Part of the problem could be a lack of understanding, particularly in the small and medium-sized enterprise space, as shown by the Cyber Readiness Institute study findings listed above.

As insureds work to improve their cybersecurity and ensure they’re using systems like MFA correctly, it’s also essential for them to ensure that IT staff has a seat at the table with leadership, Werth Fekkas said.

“I think that’s something we’ve seen change in the past couple of years as the cyber insurance market hardened. You saw more conversation about IT—budgets going up, more questions on our side about cyber governance and how far up does that trickle with what software you have in place, what offices you have, what controls, what risk management,” she said. “I think we’re going to see more of that. I think we’ll see more partnership between vendors and the carriers on the insurance side as well.”

Panelists cautioned that as cyber risks constantly evolve, insureds and insurers will need to grow with them. “It becomes education and diligence,” Werth Fekkas said. “You know, we help them educate, we become partners, and then we and the insured become more diligent. Those are the two key pieces for us: education and diligence.”

“Cybersecurity is constantly evolving, so you as defenders or organizations can’t just sit and say, ‘Yes, I have a solution I deployed. I configured it well. We’re good to go there,'” he said. “You must continually revisit it and ensure it’s still meeting your needs and hasn’t devolved. Otherwise, you’re not protecting yourself.”

Read the Complete Article:  What Cyber Underwriters Miss:  Small Businesses Aren’t Using MFA Correctly

www.insurancejournal.com/news/national/2022/10/31/692327.htm

The importance of MFA and What You Represent or Misrepresentation:

Travelers, Policyholder Agree to Void Current Cyber Policy

Travelers and a policyholder jointly filed a stipulation to have a federal court rescind an active cyber insurance policy that the insurer claimed was void due to the insured’s misrepresentation of multi-factor authentication use.

 Furthermore, Travelers and company agree to have the court rescind the policy and declare it “null and void, from its inception,” according to the latest filing signed by the insurer’s representation and, who also signed the application for cyber insurance and multi-factor authentication (MFA) attestation in March, court records showed.

Read the Complete Article:  Travelers, Policyholder Agree to Void Current Cyber Policy

https://www.insurancejournal.com/news/national/2022/08/30/682564.htm

Travelers’ original motion to rescind the policy was thought to be one of the first court filings of its kind over an insured’s use of MFA, which has become a requirement by most insurers to get cyber insurance. (“Travelers, Policyholder Agree to Void Current Cyber Policy”)

Contact the OIA Team:

Do you have an Agency Cyber Plan and IT Security Plan in place? An agency should periodically review its security and the protection of client information and data on its files, servers, or cloud-based platforms. Check your agency’s Cyber and IT Security Plan throughout the year and whenever there are or have been any changes.

If you don’t have one, we have tools, templates, and information for you to create one for your agency. The Cyber Security & IT Policy (ACT Cybersecuritypolicy rev 9.2020) can be downloaded and customized for your agency.

What’s Happening in the Insurance Industry?

We know from actual data that independent agents (IAs) are prime and focused targets of cyber criminals. Over 12% of all breaches are now within the financial sector, and this focus is only growing. Further, the ‘bad actors’ (hackers, cyber criminals) are thought to be working to track and collect the e-mail addresses of insurance agency employees and even targeting the IDs & passwords used by insurance agency employees on carrier portals.

Increasingly, “phishing” e-mails are sent to employees and consumers using agency and insurance company e-mail addresses and logos to collect additional information.

MFA means multi-factor authentication; a technology user must have two methods of verifying their identity before gaining access to a system—a password, a biometric scan, a code texted to another device, or something else. Although MFA has been touted more and more as a number one security recommendation that insureds should enable on Internet-accessible accounts, many are not implementing it correctly. Or they have turned it on, but it’s not fully configured. Is your agency using multi-factor authentication? And is it fully configured?

Work with an IT professional to evaluate your agency system & plan and offer recommendations and updates to protect your agency, client files, and records.
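One way to turn the yes/no question “Do you have MFA?” into a per-account check of exemptions and partial configuration, shown here as an added example that is not from the original article or from any vendor tool. The CSV columns, account names, systems and role list are constructed for illustration; a real review would use an export from your own identity or email provider.

```python
import csv
import io

# Constructed sample export, one row per account per system (not real data).
SAMPLE = """account,role,system,internet_facing,mfa_enrolled,mfa_enforced,exempt
owner,executive,email,yes,yes,no,yes
owner,executive,vpn,yes,no,no,yes
csr1,staff,email,yes,yes,yes,no
csr1,staff,carrier_portal,yes,no,no,no
it_admin,admin,remote_desktop,yes,yes,yes,no
it_admin,admin,file_server,no,no,no,no
"""

HIGH_VALUE_ROLES = {"executive", "admin"}  # assumption: roles reviewed first


def audit_mfa(csv_text):
    """Return (account, system, finding, priority) for each Internet-facing gap."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["internet_facing"] != "yes":
            continue  # scope: email, remote desktop, VPN, carrier portals
        if row["exempt"] == "yes":
            finding = "exempt from MFA policy"
        elif row["mfa_enrolled"] != "yes":
            finding = "no second factor enrolled"
        elif row["mfa_enforced"] != "yes":
            finding = "enrolled but not enforced"
        else:
            continue  # MFA enforced with no exemption
        priority = "high" if row["role"] in HIGH_VALUE_ROLES else "normal"
        findings.append((row["account"], row["system"], finding, priority))
    return findings


def enforced_coverage(csv_text):
    """Share of Internet-facing logins with MFA enforced and no exemption."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["internet_facing"] == "yes"]
    gaps = audit_mfa(csv_text)
    return (len(rows) - len(gaps)) / len(rows) if rows else 1.0


if __name__ == "__main__":
    for account, system, finding, priority in audit_mfa(SAMPLE):
        print(f"{priority:6} {account:9} {system:15} {finding}")
    print(f"MFA enforced on {enforced_coverage(SAMPLE):.0%} of Internet-facing logins")
```

On the sample data the agency could truthfully say MFA is “turned on”, yet only two of five Internet-facing logins are actually protected, and the exempt executive account is flagged first.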

The ID Federation 

The ID Federation recently conducted a survey of independent agents regarding passwords. SignOn Once allows single, secure sign-on through federated identity management. Users log in once and have access to multiple carrier systems. For agents, it’s free, easy and secure. Carriers and agents save time and cost for password resets. When an agency staffer leaves the firm, de-provisioning that user is instant. Agents can encourage their technology providers and carriers to join the ID Federation. Vertafore and Applied are already certified; any size vendor can also go through the process. The number of Carriers getting involved is growing. These are time-saving features for CSRs, agents, and agencies that are already doing too much double-entry.

Talk with our Agency Services Team

Do you have a Cyber policy? As part of your Best Practices, do you offer Cyber to all your prospects and clients in your agencies? Cyber risks constantly evolve, and insureds and insurers must grow with them.

Reach out to Ashley Riley and her team for additional information.

Ashley Riley, API, PLC, Director of Risk Management

 e-mail: ashleyr@ohioinsuranceagents.com or call 800-555-1742

 Cybersecurity constantly evolves, so you must continually revisit and ensure it is still meeting your needs and hasn’t devolved. Otherwise, you’re not protecting yourself or your clients!

 

References: 

 

KnowBe4. “Top 10 Risky Behaviors of Employees Uncovered by KnowBe4’s SecurityCoach.” Tampa Bay, FL, 2023-06-05. “SecurityCoach delivers real-time coaching in response to risky user behavior.”

BIG I Agents Council for Technology. “ID Federation for a Multi-Factor Authentication.” https://www.independentagent.com/ACT/Pages/newsletter/Special%20Edition%20November%202018/ID%20Federation.aspx

SignOn Once. ID Federation business manager, info@idfederation.org.

Keith Savino. “It’s Time for the Industry to Get on the Same Page About MFA.” November 7, 2022. https://www.insurancejournal.com/magazines/mag-features/2022/11/07/693270.htm

Elizabeth Blosfield. “What Cyber Underwriters Miss: Small Businesses Aren’t Using MFA Correctly, Advisen Panel Says.” October 31, 2022. www.insurancejournal.com/news/national/2022/10/31/692327.htm

Chad Hemenway. “Travelers, Policyholder Agree to Void Current Cyber Policy.” August 30, 2022. https://www.insurancejournal.com/news/national/2022/08/30/682564.htm

 
