
Insurance carriers and agencies operating in New York are scrambling to meet a critical cybersecurity enforcement deadline set by the New York Department of Financial Services (NYDFS). By November 1, 2025, all covered financial and insurance entities must have multi-factor authentication (MFA) in place for any individual accessing their information systems.

This mandate, outlined in 23 NYCRR 500.12, applies to nearly all insurance carriers and the largest MGAs and licensed agencies conducting business in the state. Unless formally exempted, they must ensure that every access point to their systems is protected. This security requirement extends to service providers used by the covered entities. For example, when a carrier or agency uses external platforms such as comparative raters or tech vendors, responsibility for the service provider's compliance with NYDFS security requirements rests with the carrier or agency.

With the enforcement date just months away, insurers can no longer treat MFA as just another IT project. It is a business-critical compliance issue with high operational and reputational stakes.

A last-minute scramble with real consequences

Despite the long runway, some carriers are only now accelerating their MFA initiatives. Most are focused on their own login portals and internal systems, but that's just step one.

One of the most overlooked requirements is ensuring that all service providers are also compliant. For example, if a carrier relies on a comparative rater to generate real-time quotes for agents, that rater must meet the same NYDFS security standards. In many cases, these vendors have not yet upgraded their security practices, leaving carriers exposed to regulatory risk.

The financial consequences of non-compliance can be severe. In 2024, GEICO and Travelers paid a combined $11.3 million in penalties for data security failures that led to the personal information of more than 120,000 New Yorkers being compromised. In early 2025, Progressive reached a $3.25 million settlement after a breach at one of its third-party call centers compromised customer data.

These major payments signal the potential consequences insurers and the largest agencies in New York could face if they fail to implement MFA properly and experience a data breach as a result.

Agent frustration is growing

While carriers rush to comply, agents are frustrated by the friction caused by inconsistent MFA implementations. According to a 2024 survey by ID Federation, the average agency works with 10 to 15 carriers, most with their own proprietary MFA process. This forces agents to juggle various authentication tools — including text messages, emails, phone calls, authenticator apps and biometric scans — multiple times per day.

Half of agents are authenticating at least six times a day, per the survey. In a small independent agency with 12 employees, that means more than 72 total MFA workflows per day, and for many, it’s a lot more than that. More than 70% of agents said the time and effort it takes to sign on to carrier systems has gotten worse, and 37% said it’s “much worse” than in prior years.

Under this new MFA environment, shared credentials, once common in agencies, are now considered a security liability. Agencies are also under pressure to revisit how they manage user access, staff onboarding and device control to maintain compliance.

A better way: SignOn Once

To reduce this friction while improving cybersecurity, the insurance industry needs standardized solutions. That’s why the ID Federation developed SignOn Once, a federated identity framework that allows agents to authenticate their identity a single time via their agency management system (AMS) and access multiple carrier platforms securely. Here’s how it works:

  • SignOn Once acts as a Trust Framework, not a product.
  • It provides a set of agreed-upon security practices and uses widely adopted technology standards like SAML, OAuth, and OpenID Connect.
  • The AMS verifies user identity.
  • That trusted credential is passed to participating carriers.
  • Access can be instantly revoked when staff leave.
  • Carriers also receive technical data on the MFA method, vendor and NIST-level assurance for each session.
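
How a carrier might act on the per-session MFA data described in the last bullet, as an added example that is not part of the original article or of the SignOn Once specification. It assumes the AMS sends standard OpenID Connect ID token claims (`iss`, `exp`, `auth_time`, `acr`, and `amr` with RFC 8176 values) whose signature has already been verified; the issuer URL, the `aalN` labels and the policy thresholds are constructed for illustration.

```python
import time

# Assumed values: the issuer URL, the "aalN" acr labels and the thresholds are
# constructed for illustration, not taken from the SignOn Once specification.
TRUSTED_ISSUERS = {"https://ams.example.com"}
AAL_RANK = {"aal1": 1, "aal2": 2, "aal3": 3}
# RFC 8176 "amr" values grouped by authentication factor category.
FACTOR = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "otp": "possession", "sms": "possession", "tel": "possession",
    "hwk": "possession", "swk": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence",
}

def check_session(claims, now=None, min_aal="aal2", max_age=8 * 3600):
    """Return policy violations for claims whose signature is already verified."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    # Freshness: the login at the AMS must be recent, not just the token.
    auth_time = claims.get("auth_time")
    if auth_time is None or now - auth_time > max_age:
        problems.append("authentication too old or auth_time missing")
    # Assurance level: a missing or unknown acr ranks as 0 and fails closed.
    if AAL_RANK.get(claims.get("acr"), 0) < AAL_RANK[min_aal]:
        problems.append("assurance level below " + min_aal)
    # MFA evidence: require two distinct factor categories. Two knowledge
    # factors (password plus PIN) do not count as multi-factor.
    amr = claims.get("amr")
    amr = amr if isinstance(amr, list) else []
    categories = {FACTOR[m] for m in amr if m in FACTOR}
    if len(categories) < 2:
        problems.append("fewer than two factor categories in amr")
    return problems

# Constructed sample sessions (not real traffic).
NOW = 1_760_000_000
GOOD = {"iss": "https://ams.example.com", "exp": NOW + 300,
        "auth_time": NOW - 600, "acr": "aal2", "amr": ["pwd", "otp"]}
WEAK = dict(GOOD, acr="aal1", amr=["pwd", "pin"])
if __name__ == "__main__":
    print(check_session(GOOD, now=NOW))
    print(check_session(WEAK, now=NOW))
```

Logging the returned violations per session gives the carrier a record of which MFA method and assurance level backed each federated login.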

Beyond compliance, SignOn Once offers carriers clear business benefits. By reducing login friction, carriers improve agent satisfaction and ease of doing business. Streamlining access also accelerates quote-to-bind workflows and lowers the cost of managing credentials and support.

Perhaps most importantly, adopting a Trust Framework like SignOn Once helps improve the security posture across the entire independent agent channel. Starting with improved authentication at the AMS provides added security for all carrier partners. By working together on security practices, the industry is stronger and more efficient than it would be with each carrier trying to define its own proprietary methods.

Two of the industry’s largest AMS providers, Applied Systems and Vertafore, already support SignOn Once. That means the infrastructure is in place; agents just need their carriers to participate.

Some leading carriers, including The Hartford and Nationwide, have already adopted SignOn Once, and others are in the implementation process. Still, many insurers are waiting to hear more demand for this type of solution from agents in the field.

The tipping point will likely arrive when agencies have half a dozen participating carriers onboard. At that stage, non-participating insurers may face competitive pressure to join or risk alienating key distribution partners.

Industry alignment

As cybersecurity threats increase and regulations tighten, MFA is no longer a box to check. It is a core requirement for doing business securely and efficiently in a modern, connected insurance marketplace.

New York isn’t the only state tightening its rules. Since the NYDFS introduced its first cyber rules in 2017, the National Association of Insurance Commissioners (NAIC) has incorporated similar principles into its model law, which has now been adopted in 26 jurisdictions. MFA is gaining traction nationwide, and insurers that comply in New York will likely be ahead of the curve elsewhere.

Proactive investment in MFA now will save time, frustration and risk down the line. For carriers and agencies alike, it’s time to align on cybersecurity, usability and industry-wide standards.

Alvito Vaz

Alvito Vaz is executive director of the ID Federation. He has had more than 30 years of leadership in the insurance industry with technology positions at Progressive and Travelers. His involvement in the agency automation space has included working with comparative rater and management system solution providers. As a member of ACORD’s Property & Casualty Steering Committee, he was engaged in the insurance standards setting process. An inaugural member of IIABA’s Agents Council for Technology (ACT), he has chaired and participated in ACT workgroups. Vaz continues to champion the use of standards to improve operational efficiency across the IA channel. Vaz can be reached at alvito@idfederation.com.
