Is your agency prepared for the impact of new cyber security regulations and cyber policy restrictions?
Nov. 1, 2025, is a key date when the bellwether New York Department of Financial Services cyber security regulations will take effect for Class A companies. No, your firm is not a Class A company. But every insurance carrier with which you place business probably is. Class A companies could qualify for a limited exemption as discussed in this article from PIA Northeast.
However, before your eyes glaze over and you chalk this up to “carrier security stuff” that you don’t have to worry about—and only applicable in one state—think again.
You and your staff already are spending a lot of time logging in to carrier systems. Unfortunately, due to the security updates, the time you spend will increase even further while customer experience is impacted. It will be wise to stay up to date on this security and workflow issue.
The DFS was established in 2011 to be a financial regulator and to protect consumers. It has been a leading proponent of cyber security regulation, with its impact stretching beyond state boundaries. The National Association of Insurance Commissioners has published model laws based on DFS regulations and many states use these models as a basis for their requirements.
The DFS’s initial cyber security regulations, implemented in 2017, established cyber security requirements for financial services companies. These were defined in Section 500 and were amended in 2020 to strengthen the defensive posture. With changes in the threat landscape, the regulations continued to evolve with the last amendment in November 2023.
In its 2023 multifactor authentication amendment, which goes into effect Saturday, Nov. 1, 2025, the DFS took a strong stand on MFA by modifying earlier versions, which gave companies more latitude on its usage. Section 500.12 reads: “Multifactor authentication shall be utilized for any individual accessing any information systems of a covered entity, unless the covered entity qualifies for a limited exemption pursuant to section 500.19(a) of this Part in which case multi-factor authentication shall be utilized for: (1) remote access to the covered entity’s information systems; (2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and (3) all privileged accounts other than service accounts that prohibit interactive login.”
So, limited exempt entities do have an MFA requirement, albeit a more limited one. That requirement went into effect on Nov. 1, 2024.
And yes, there is a possibility of an exception under limited circumstances with written approval from the entity’s chief information security officer. The key words are “shall,” which makes it a requirement to use MFA, and then the condition of “accessing any information systems.” The regulation does not define the type of access—web portal, real-time or application programming interface—so it could apply to any of these access conditions.
What does MFA mean for your agency?
ID Federation, a nonprofit industry coalition of carriers, agents and technology providers, interprets this to mean that by November 2025, an agent accessing an insurance carrier system will have to connect via MFA for the carrier to comply with the DFS. The regulation applies to individuals and businesses “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization.”
Additionally, third-party service providers—to either the carrier or the insurance agent—are required to comply with the procedures in Section 500. These are designed to ensure the security of information systems and nonpublic information. Thus, real-time transactions like a billing inquiry or quoting through comparative raters are also in scope for MFA control required by Section 500.12.
Not just a New York issue
Even carriers not writing in New York state are facing the same issue for multiple states. If a carrier must comply with MFA rules or replace or update its system for New York—even if your agency doesn’t sell business in the state—chances are the carrier is going to implement the exact same process in other states.
The outcome is unavoidable: Every carrier, every agency and every tech provider will be impacted by the regulatory environment and by the security systems that result from those decisions.
As an independent agent, you likely work with 10 to 15 different carriers, perhaps more. In the future, you could be asked to use MFA with every company.
Agents cite MFA as pain point
In a 2024 survey by ID Federation, agents said they use an average of three different MFA methods: text, email or phone. Most are required to do so more than six times a day. Thus, in an agency with 12 staff members, that adds up to a total of at least 72 MFA logins a day.
At the time of the survey, only 44% of carriers were asking for MFA. However, with the law being implemented in New York state, and a strong likelihood that other states will follow suit, that number is likely to grow.
Agents should plan for two things: first, an increase in MFA requirements; and second, that each of their carrier partners could be using a different MFA process.
Some may use email. This means each representative must have their own email address with the carrier. Some may use text messages—does the agency provide phones or ask customer service representatives to use their personal phones? Still other carriers will use an authenticator app. Here, the CSR will have to use a phone, and he or she also must keep an authenticator app updated on this device.
In a world in which consumers are accustomed to getting real-time information, think of this scenario: A customer calls the agency asking if the payment he mailed late has been received by the insurance company. Now the agency staff member has to get the MFA code to access the carrier website. Did the email code come through? Are the email servers slow? This is not a good experience for either the agent or the customer.
Agencies must develop new processes for connectivity to their carriers. And, these processes must change as the external threat environment changes.
Path forward
There are ways to make these changing workflows both secure and more efficient for a large majority of participants in the independent agent channel. It’s all about incremental steps in the correct direction. Forward-thinking agents, carriers and technology providers understand that:
- Integration between systems is critical for efficiency.
- Challenges are created when tools are built without focus on connecting.
- Standardization plays a critical role in driving usability and security.
Carriers compete in many ways, but there is no marketplace advantage to compete on security. Working together, we can build a safer and more efficient solution for the independent agent channel as regulations evolve.

Keith Savino
Keith Savino, CPIA, (keith.savino@trucordia.com) is managing partner of Trucordia, where he leads the national cyber practice. He is past president of PIA of New Jersey, PIA National and the Network of Vertafore Users. He was a long-term board member of ACORD. He chairs the Association & User Group Information Exchange and is a founding member of ID Federation. ID Federation was founded by insurance industry peers to reduce the burden of redundant authentication processes, including multiple MFAs. ID Federation’s SignOn Once process is designed to standardize connectivity with efficiency. Using the agency management system credentials, and with MFA behind the scenes without human interaction, partners can connect without the added cyber security friction being mandated by security regulations like the DFS.