Cybersecurity for Insurance Agencies
Insurance agencies handle exactly the kind of data cybercriminals want: names, addresses, Social Security numbers, dates of birth, health information, driver’s license numbers, and often bank account information for auto-pay. They also process wire transfers for premium payments and settlement funds. And they operate under a state-by-state regulatory patchwork that’s tightened dramatically in the last five years. This is the security playbook for small insurance agencies.
The regulatory landscape
Insurance agencies face state-level regulation from each state’s Department of Insurance (DOI), plus federal baseline requirements:
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule — federal baseline, requires a Written Information Security Program (WISP) and periodic risk assessments. The 2023 amendments raised the bar substantially.
- NAIC Insurance Data Security Model Law — adopted (in some form) by 20+ states as of 2026. Requires written cybersecurity program, incident response plan, and 72-hour breach notification to the state.
- New York DFS Regulation 23 NYCRR 500 — the strictest state framework; applies to any agency licensed in NY. Explicit MFA requirements, annual CISO certification, and prompt breach reporting.
- State breach notification laws — every state has one; timelines and thresholds vary.
The practical implication: if you operate in multiple states, you need to comply with the strictest applicable framework — usually NY DFS.
The threat model agencies actually face
- Ransomware and data exfiltration. Insurance agency data resells for high value on criminal markets. Attackers routinely target agencies for both encryption and exfiltration.
- Business Email Compromise (BEC). Attackers intercept premium payment flows or claim settlement wires. Insurance-specific BEC often impersonates carrier or MGA communications.
- Client impersonation for policy changes. An attacker with stolen credentials can log into carrier portals, change beneficiaries, redirect settlement checks, or issue policy changes.
- Employee/producer phishing. Producers are often mobile with less controlled devices, making them a prime target.
Practical controls for a small agency
The GLBA + NAIC baseline
- Written Information Security Program (WISP) — documented, reviewed annually, board or ownership-signed
- Designated qualified individual responsible for the security program (this is a specific GLBA requirement)
- Written incident response plan with named responsibilities
- Annual risk assessment (documented)
- Written vendor management policy with security requirements in every carrier and vendor contract
- Annual security awareness training with completion records
Technical controls
- MFA on email, agency management system, all carrier portals, and any system with client data — no exceptions
- Endpoint protection with cloud management (Microsoft Defender for Business, SentinelOne, or similar)
- Encrypted devices firmware-up (BitLocker, FileVault)
- Password manager firm-wide
- Immutable backup of the agency management system data + email + any client documents
- Network segmentation between guest Wi-Fi and business systems
Wire and payment controls
- Written wire authorization policy: two-person approval on wires above a threshold ($10K is common)
- Callback verification on any wire request received by email, using a phone number NOT from the email
- Never process a wire based only on emailed instructions — regardless of who the sender appears to be
Carrier portal security
- MFA on every carrier portal (most now require it)
- Unique credentials per user, never shared
- Quarterly access review — who has access to which carriers
- Immediate access revocation for departing producers or staff
Documentation for state exams and audits
State insurance regulators can and do audit agencies for cybersecurity compliance. What they typically ask for:
- WISP with review dates
- Risk assessment (most recent)
- Incident response plan with any tested-tabletop records
- Employee training records
- Vendor list with security assessments
- Any incident history and how it was handled
- MFA implementation evidence across all systems with client data
Agencies that produce these documents cleanly usually pass audits. Agencies that don’t get findings and remediation timelines that eat into the practice.
Cyber insurance for agencies
Cyber insurance for insurance agencies (a strange loop, we know) has become both more expensive and more restrictive. Carriers now require the same controls agencies require of their own clients: MFA everywhere, EDR, documented WISP, tested backups, and incident response plan. See our cyber insurance guide and the WISP explainer for the pre-underwriting checklist.
Common gaps we see in small agencies
- No MFA on the agency management system. Applied Systems, HawkSoft, EZLynx, AgencyMatrix — all support MFA. Many agencies never enabled it.
- Shared logins for carrier portals. Ubiquitous and terrible practice; regulators specifically look for this.
- No incident response plan. “We’ll figure it out” isn’t a plan. An IRP takes a day to draft and pays for itself the first time you need it.
- Backup not tested. Backup that’s never been restored isn’t backup — it’s file storage that might work.
- No vendor security reviews. The insurance industry runs on integrated third-party systems; each is a potential entry point.
Producer and staff lifecycle management
Insurance agencies have unusually high turnover for producers, plus a mix of licensed and unlicensed support staff with varying data access needs. The lifecycle needs a written process:
- Onboarding. Documented checklist: agency management system account creation with role-appropriate access, carrier portal access request submitted to each carrier separately (some carriers require agency principal approval), MFA setup, password manager account creation, email account, security awareness training completion before first client access.
- Role changes. Movement from support to producer, from personal lines to commercial, or from customer service to underwriting all change data access requirements. Access review at each change.
- Offboarding. Documented same-day checklist: agency management system access disabled, all carrier portal access revoked (each carrier must be notified separately), email forwarded and account disabled, MFA tokens revoked, password manager access revoked, physical access items collected (keys, badge). A departing producer with continued carrier portal access is a real risk — they can log in and pull book information for weeks after leaving if you don’t run the offboarding.
- Contractor/independent producer access. Separate agreements addressing data handling; time-limited access with periodic renewal; no shared logins.
The bottom line
For a small insurance agency, the security priorities are: MFA everywhere (especially the agency management system and every carrier portal), a written WISP, tested backups, wire authorization discipline, and annual training. Meeting the GLBA + NAIC baseline is achievable for a 5–20 person agency without a full-time IT staff. The Gumroad WISP + FTC Safeguards Pack covers the documentation; implementation is your daily work.
Need help implementing a security program in your business? Veteran Forge Strategies works with small businesses on IT operations, cybersecurity, and federal contracting.