Is Your Agency One Reused Password Away From a Carrier Portal Breach?

Password security for insurance agencies | Credential stuffing | Policyholder data protection | Salt Lake City

Your agents log into carrier portals dozens of times a day — Travelers, Progressive, Nationwide, and a dozen others. They access Applied Epic to pull policy details, open AMS360 to run client reports, and check DocuSign to confirm a signature came through. Every one of those logins is a door. And if your team is using the same password across multiple portals and platforms — which most people are — a breach in any one of those systems can become a master key to everything else your agency touches. That's not a hypothetical. It's happening to independent agencies right now.

The Credential Stuffing Problem No One Talks About

A 2024 Cybernews study analyzed nearly 19 billion exposed passwords and found that 94% of them were reused or duplicated. That means when credentials leak from one site — even something as mundane as a subscription service your employee signed up for years ago — cybercriminals immediately test those same username-and-password combinations against insurance carrier portals, agency management systems, and email accounts.

This attack method is called credential stuffing, and it's fully automated. Attackers don't type anything by hand. They feed leaked username-and-password lists into tools that fire thousands of login attempts per minute, usually spread across proxy networks so that each attempt looks like a different ordinary user and simple rate limits never trip. Attackers also know which platforms insurance agencies run on, so the login pages of Applied Epic, Vertafore AMS360, EZLynx, HawkSoft, and AgencyZoom, along with the carrier portals themselves, are natural places to point those tools.
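What this looks like from the defender's side is a single source trying many different usernames in a few seconds, almost all of them failing. The script below is an added example, not code from the original page or from any of the products it names; it runs a simple sliding-window detector over a constructed login log (the format, thresholds, and the documentation-range IP addresses are all assumptions) and lists the accounts that need a forced reset because the tool actually got into them.

```python
"""Spot credential-stuffing traffic in portal login logs.

Added example; not code from the original page or from any of the
products it names. The log format below is constructed for
illustration: adapt parse_log() to the fields your portal, SSO
provider, or reverse proxy actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, outcome.
# 203.0.113.7 walks a leaked list through many different accounts and
# lands one hit; 198.51.100.20 is one user mistyping their own password.
SAMPLE_LOG = """\
2024-03-04T09:00:01 203.0.113.7 alice@agency.example FAIL
2024-03-04T09:00:02 203.0.113.7 bob@agency.example FAIL
2024-03-04T09:00:02 203.0.113.7 carol@agency.example FAIL
2024-03-04T09:00:03 203.0.113.7 dave@agency.example FAIL
2024-03-04T09:00:03 203.0.113.7 erin@agency.example OK
2024-03-04T09:00:04 203.0.113.7 frank@agency.example FAIL
2024-03-04T09:00:05 203.0.113.7 grace@agency.example FAIL
2024-03-04T09:01:10 198.51.100.20 alice@agency.example FAIL
2024-03-04T09:01:40 198.51.100.20 alice@agency.example OK
2024-03-04T09:05:00 192.0.2.99 bob@agency.example OK
"""


def parse_log(text):
    """Return (time, ip, username, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many *different* usernames in a short window.

    A legitimate user retrying their own password produces one username
    per IP; a stuffing tool produces dozens, almost all failing. The
    thresholds are starting points, not universal truths: tune them on
    your own traffic.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(users) < min_distinct_users:
                continue
            successes = sum(1 for e in win if e[3])
            if successes / len(win) > max_success_ratio:
                continue
            summary = {
                "attempts": len(win),
                "distinct_users": len(users),
                "first_seen": win[0][0],
                "last_seen": win[-1][0],
                # Accounts the tool actually got into: these need a reset.
                "compromised": {e[2] for e in win if e[3]},
            }
            # Keep the widest matching window per IP.
            if ip not in findings or summary["attempts"] > findings[ip]["attempts"]:
                findings[ip] = summary
    return findings


def accounts_to_reset(findings):
    """Every account that logged in successfully from a flagged source."""
    return set().union(*(f["compromised"] for f in findings.values()))


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in hits.items():
        print(f"{ip}: {f['attempts']} attempts across {f['distinct_users']} accounts, "
              f"{len(f['compromised'])} succeeded")
    print("force reset:", sorted(accounts_to_reset(hits)))
```

A per-IP view catches the noisy version of the attack. Stuffing spread over a proxy network, one attempt per address, only shows up when you count distinct usernames failing per window across all sources and compare that against a normal day, so keep the raw login events long enough to do that comparison.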

For your agency, the stakes are extremely high. Your carrier portals don't just contain policy information — they contain your entire book of business. Compromised credentials on a single portal can expose client names, Social Security numbers, coverage details, and payment history for every policyholder you represent with that carrier. And unlike a stolen laptop, a stolen login produces no obvious evidence until the damage is already done.

Why Insurance Agencies Are High-Value Targets

Independent insurance agencies are attractive targets for two reasons: they hold large volumes of client PII, and they often have the security posture of a small business rather than a financial institution. Your clients trust you with their most sensitive information — Social Security numbers for life insurance applications, health history for coverage underwriting, financial records for commercial policies, and banking details for premium payment processing.

State insurance departments are increasingly aware of this exposure. Regulations like the NAIC Insurance Data Security Model Law (adopted in Utah and many other states) require agencies to maintain reasonable data security controls. A breach caused by weak password practices isn't just an operational headache — it's a regulatory liability.

Beyond compliance, there's the practical threat of wire fraud. Premium payments and commission transfers are regular, expected transactions in your agency. Attackers who gain access to your email or your client communication tools can intercept payment instructions, substitute fraudulent wire details, and redirect funds before anyone notices. A single successful wire fraud event can cost an agency tens of thousands of dollars — and the client relationship that goes with it.

What Good Password Security Looks Like for an Insurance Agency

The solution isn't complicated, but it does require discipline across your entire team — from your producers to your CSRs to your part-time admin staff.

Use a Password Manager

Tools like 1Password, Bitwarden, and Dashlane generate and store unique, complex passwords for every system your team uses. Instead of your agents reusing a password they can remember, the password manager remembers it for them. Every carrier portal gets its own unique credential. Applied Epic gets a different password than AMS360. Your email is separate from DocuSign. A breach in one place doesn't cascade into the others. The vault itself then becomes the one credential worth protecting: give it a long, unique master password and turn on MFA for the manager account.

The business tiers of these tools also make agency-wide policies enforceable. An admin report shows which team members have weak, reused, or breach-exposed passwords, so you can prompt them to update without a confrontational conversation.
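Those reports rest on two checks that are worth understanding, because the exposure check in particular is often misread as "sending our passwords to a website". The block below is an added example, not code from 1Password, Bitwarden, or the original page: it finds passwords shared across vault entries by comparing hashes, and it checks exposure the way the public Pwned Passwords range protocol does, sending only the first five hex characters of a SHA-1 hash and matching the remainder locally. The vault entries and the breach-range data are constructed; only fetch_range() would touch the network, and it is not exercised here.

```python
"""Two checks a password-manager report runs behind the scenes:
reuse across systems, and exposure in known breach corpora.

Added example; not code from 1Password, Bitwarden, or the original
page. The vault entries and the breach-range data are constructed.
The exposure check follows the public Pwned Passwords range protocol
(send the first five hex characters of the SHA-1, compare the rest
locally), so the password itself never leaves the machine.
"""
import hashlib
from collections import defaultdict
from urllib.request import Request, urlopen

# Constructed vault export: (system, username, password).
VAULT = [
    ("Applied Epic",       "jsmith", "Winter2024!"),
    ("Travelers portal",   "jsmith", "Winter2024!"),
    ("AMS360",             "jsmith", "rQ8#vLm2!pZt7&Kd"),
    ("Progressive portal", "mjones", "Winter2024!"),
    ("DocuSign",           "mjones", "password"),
]

# Constructed stand-in for the API's answer to prefix 5BAA6: one
# "suffix:count" line per known hash. The first suffix is the real
# SHA-1 tail of the string "password"; the counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1F4C2D1C9E2AB9F1D2E4A5B6C7D8E9F0A1B:2\n",
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """The five characters that go on the wire and the 35 that stay local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup against the Pwned Passwords range endpoint (network)."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "agency-audit"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exposure_count(password, range_lookup=fetch_range):
    """How many times this exact password appears in the breach corpus."""
    prefix, suffix = split_for_range_query(password)
    for line in range_lookup(prefix).splitlines():
        tail, _, count = line.strip().partition(":")
        if tail.upper() == suffix:
            return int(count)      # padded filler lines carry count 0
    return 0


def find_reuse(entries):
    """Group vault entries that share a password (compared by hash)."""
    groups = defaultdict(list)
    for system, user, password in entries:
        groups[sha1_hex(password)].append((system, user))
    return {h: uses for h, uses in groups.items() if len(uses) > 1}


def vault_report(entries, range_lookup=fetch_range):
    """One row per entry. Reuse is counted across users as well as systems:
    two agents sharing a password is the same cascade risk as one agent."""
    reused = set(find_reuse(entries))
    return [{
        "system": system, "user": user,
        "reused": sha1_hex(password) in reused,
        "exposed": exposure_count(password, range_lookup),
    } for system, user, password in entries]


if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGES.get(prefix, "")
    for row in vault_report(VAULT, offline):
        print(row)
```

The same range query is what you would run against a candidate password before accepting it in any system that lets you hook the password-change flow; a non-zero count is a reason to reject it regardless of how long or complex it looks.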

Enable Multi-Factor Authentication (MFA) Everywhere

MFA requires a second form of verification after a password is entered, typically a time-sensitive code from an app like Google Authenticator or Microsoft Authenticator, a push notification to a trusted device, or a hardware security key. If a credential is stolen through phishing or a data breach, the attacker also needs that second factor to complete the login, which stops an automated credential stuffing attack outright. Two caveats matter in practice: push approvals can be worn down by repeated prompts (attackers keep sending them until a tired employee taps Approve), and one-time codes can be relayed by a phishing page that logs in at the same moment the victim does. Turn on number matching for push prompts where the platform offers it, prefer passkeys or FIDO2 security keys where a portal supports them, and avoid SMS codes when any other option exists.

Many carrier portals now support or require MFA. So do Applied Epic, Salesforce, HubSpot, and the Microsoft and Google platforms your agency likely uses for email and document storage. Enable it everywhere it's available, and document that you've done so, both for your own records and as evidence of due diligence for regulatory purposes.

Audit Your Existing Logins

When did your team last review which staff members have access to which systems? Former employees, seasonal hires, and interns who have left the agency often retain active credentials for months or years. Run an access audit across your agency management systems and carrier portals: pull each platform's user list and compare it against your current staff roster, not against memory. Deactivate accounts that are no longer needed. Change shared passwords that multiple people use. Assign individual credentials wherever the platform allows, so that activity in the logs can be traced to one person. Then repeat the audit on a schedule (quarterly is a reasonable cadence) and as part of every offboarding.
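The comparison is mechanical once you have the two lists side by side. The script below is an added example, not code from the original page or from any agency management system: it reconciles a constructed HR roster against a constructed multi-system account export and reports orphaned accounts, logins that happened after someone's last day, stale accounts, and shared logins with no named owner. Both CSV layouts are assumptions; in practice each platform gives you its own user export, and you map its columns onto these.

```python
"""Reconcile platform account exports against the HR roster.

Added example; not code from the original page or from any agency
management system. Both CSVs are constructed: in practice the roster
comes from payroll or HR, and each platform (Applied Epic, AMS360,
each carrier portal) gives you its own user export to feed in.
"""
import csv
import io
from datetime import date

HR_ROSTER_CSV = """\
email,status,last_day
alice@agency.example,active,
bob@agency.example,terminated,2023-11-30
carol@agency.example,active,
dave@agency.example,terminated,2024-01-15
"""

# One row per account per system. An empty owner_email means nobody
# in particular owns the login (a shared "front desk" credential).
ACCOUNTS_CSV = """\
system,account,owner_email,last_login
Applied Epic,alice,alice@agency.example,2024-03-01
Applied Epic,bob,bob@agency.example,2023-11-28
AMS360,carol,carol@agency.example,2023-10-20
Travelers portal,frontdesk,,2024-02-28
Progressive portal,dave,dave@agency.example,2024-02-20
"""


def _date(text):
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None


def audit_access(roster_csv, accounts_csv, as_of, stale_days=90):
    """Return one finding per problem: orphaned, login-after-termination,
    stale, shared-or-unowned. Accounts with no finding are fine."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    roster = {row["email"].strip().lower(): row
              for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        where = {"system": acct["system"], "account": acct["account"]}
        owner = acct["owner_email"].strip().lower()
        last_login = _date(acct["last_login"])

        if not owner:
            findings.append({**where, "issue": "shared-or-unowned",
                             "detail": "assign named logins or retire the account"})
            continue

        person = roster.get(owner)
        if person is None or person["status"].strip().lower() != "active":
            findings.append({**where, "issue": "orphaned",
                             "detail": f"owner {owner} is not an active employee"})
            last_day = _date(person["last_day"]) if person else None
            # The worst case: the login was used after the person left.
            if last_day and last_login and last_login > last_day:
                findings.append({**where, "issue": "login-after-termination",
                                 "detail": f"last login {last_login} is after last day {last_day}"})

        if last_login is None or (as_of - last_login).days > stale_days:
            findings.append({**where, "issue": "stale",
                             "detail": f"no login in the last {stale_days} days"})
    return findings


if __name__ == "__main__":
    for f in audit_access(HR_ROSTER_CSV, ACCOUNTS_CSV, "2024-03-04"):
        print(f"{f['system']:<20} {f['account']:<10} {f['issue']:<25} {f['detail']}")
```

Treat "login-after-termination" as an incident, not a housekeeping item: either the former employee still had access, or someone else had their credentials. Either way the account's activity between the last day and the last login needs to be reviewed.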

One Breach = Master Key for Everything

This is the part that keeps IT security professionals up at night. When your agent uses the same password for their personal email, their carrier portal login, and their Applied Epic account, a breach at any one of those places gives an attacker access to all three. Email is the worst of the three to lose, because it is the recovery channel for almost everything else. An attacker's first move inside a mailbox is to search it for other services registered to that address, then run "forgot password" on each one: the reset links arrive in a mailbox the attacker now controls, and access escalates from there to every system tied to that address.

The damage timeline is fast. A credential stuffing attack can compromise an account within minutes of a leaked database going public. Your agency may not know anything is wrong for days or weeks, during which time an attacker could be reading client emails, copying policy documents out of Applied Epic, or setting up forwarding rules to intercept incoming carrier communications.

Protecting Your Agency's Book of Business

Your clients chose your agency because they trust you to manage their risk. That trust extends to the digital systems that hold their information. A credential breach isn't just an IT problem — it's a client relationship problem, a compliance problem, and potentially an errors-and-omissions problem if your systems were the point of failure in a fraud event.

The good news is that the right password hygiene, deployed consistently across your team, removes most of the credential-based risk. It's one of the highest-leverage improvements you can make to your agency's security posture, and it doesn't require replacing any of the software your team already uses.

Ready to assess your agency's password security and close the gaps before a breach occurs?

We work with Salt Lake City insurance agencies to protect policyholder data and keep agency systems running. Schedule a free discovery call to talk through what's at risk and what we can do about it.

Frequently Asked Questions

Do state insurance regulations require us to have specific password policies?

Utah has adopted the NAIC Insurance Data Security Model Law, which requires licensed insurers and agencies to implement a written information security program that includes controls over access to nonpublic information. Specific password requirements may not be spelled out line by line, but regulators expect you to demonstrate reasonable controls — and weak or reused passwords would not meet that standard. Strong password policies, MFA, and documented access audits are all evidence of a reasonable security program.

Our carrier portals each have their own login systems. Does that make password management harder?

It does create more accounts to manage, which is exactly why a password manager is so valuable for agencies. With 1Password or Bitwarden, your team logs into one secure vault and the manager fills in the unique credentials for each carrier portal automatically. You get stronger security with less friction than trying to remember dozens of individual passwords.

What should we do if we suspect a credential has been compromised?

Act immediately. Change the password on the affected account and on any other accounts where the same password was used, and sign out all active sessions, because a password change alone does not always end a session the attacker already holds. Enable MFA if it isn't already active, and confirm that no unfamiliar phone or authenticator app has been registered as a factor. Check the account's recent activity logs for unauthorized access, and in mailboxes look for forwarding or inbox rules the user did not create. Notify your IT support team or managed services provider. If client data may have been exposed, review your state's breach notification obligations under Utah law, and consult with legal counsel if in doubt.
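The two log checks that matter most in that first hour are the ones the article describes earlier: sign-ins from places the user has never logged in from, and inbox rules that quietly forward mail outside the agency. The block below is an added example, not code from the original page or from Microsoft or Google; it runs both checks over a constructed, simplified audit-record format and returns the earliest suspicious timestamp, which bounds how far back you need to review sent mail for altered payment instructions. Real exports (the Microsoft 365 unified audit log, Google Workspace login and Gmail settings logs) carry the same facts under different field names, so load_records() is the part you adapt.

```python
"""First-hour triage for a mailbox you suspect is compromised.

Added example covering two things the article describes: sign-ins
from unfamiliar locations, and inbox rules that forward mail outside
the agency. Not code from the original page or from Microsoft or
Google; the audit records below are a constructed, simplified format.
"""
import json
from datetime import datetime

SAMPLE_AUDIT_JSONL = """\
{"time": "2024-02-10T08:02:00", "user": "alice@agency.example", "op": "SignIn", "ip": "192.0.2.10", "country": "US", "result": "OK"}
{"time": "2024-02-15T08:00:00", "user": "bob@agency.example", "op": "SignIn", "ip": "192.0.2.11", "country": "US", "result": "OK"}
{"time": "2024-02-20T08:05:00", "user": "alice@agency.example", "op": "SignIn", "ip": "192.0.2.10", "country": "US", "result": "OK"}
{"time": "2024-03-03T02:14:00", "user": "alice@agency.example", "op": "SignIn", "ip": "203.0.113.7", "country": "NL", "result": "FAIL"}
{"time": "2024-03-03T02:14:20", "user": "alice@agency.example", "op": "SignIn", "ip": "203.0.113.7", "country": "NL", "result": "OK"}
{"time": "2024-03-03T02:16:00", "user": "alice@agency.example", "op": "NewInboxRule", "ip": "203.0.113.7", "country": "NL", "rule_name": ".", "forward_to": "billing.update@mail.example"}
{"time": "2024-03-03T02:17:00", "user": "alice@agency.example", "op": "NewInboxRule", "ip": "203.0.113.7", "country": "NL", "rule_name": "Filing", "forward_to": "alice@agency.example"}
{"time": "2024-03-03T09:00:00", "user": "bob@agency.example", "op": "SignIn", "ip": "192.0.2.11", "country": "US", "result": "OK"}
"""

# Operations (in this constructed format) that can redirect mail.
RULE_OPS = {"NewInboxRule", "SetInboxRule", "SetForwarding"}


def load_records(text):
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["_time"] = datetime.fromisoformat(r["time"])
    return sorted(records, key=lambda r: r["_time"])


def triage_account(records, user, internal_domains, suspect_from):
    """Compare activity from `suspect_from` onward with the user's own
    history before it, and pull out forwarding rules that leave the agency."""
    if isinstance(suspect_from, str):
        suspect_from = datetime.fromisoformat(suspect_from)
    mine = [r for r in records if r["user"].lower() == user.lower()]
    ok_signins = [r for r in mine if r["op"] == "SignIn" and r.get("result") == "OK"]

    # Baseline: where this person logged in from before the suspect window.
    baseline = {(r["ip"], r["country"]) for r in ok_signins if r["_time"] < suspect_from}
    new_locations = [(r["time"], r["ip"], r["country"]) for r in ok_signins
                     if r["_time"] >= suspect_from and (r["ip"], r["country"]) not in baseline]

    # Any rule whose destination is outside the agency's own domains.
    external_forwarding = []
    for r in mine:
        if r["op"] in RULE_OPS and r.get("forward_to"):
            domain = r["forward_to"].rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                external_forwarding.append(r)

    times = [t for t, _, _ in new_locations] + [r["time"] for r in external_forwarding]
    return {
        "user": user,
        "new_locations": new_locations,
        "external_forwarding": external_forwarding,
        "earliest_suspicious": min(times) if times else None,
        # Containment steps in the order that actually ends the intrusion.
        "actions": [
            "reset password and revoke all sessions and refresh tokens",
            "delete the external forwarding rules listed above",
            "review registered MFA devices and remove unfamiliar ones",
            "review sent mail since earliest_suspicious for payment-instruction changes",
        ] if times else [],
    }


if __name__ == "__main__":
    report = triage_account(load_records(SAMPLE_AUDIT_JSONL), "alice@agency.example",
                            {"agency.example"}, "2024-03-01T00:00:00")
    print("new locations:", report["new_locations"])
    for rule in report["external_forwarding"]:
        print("external rule:", repr(rule["rule_name"]), "->", rule["forward_to"], "at", rule["time"])
    print("earliest suspicious:", report["earliest_suspicious"])
    for step in report["actions"]:
        print(" -", step)
```

The rule named "." in the constructed data is deliberate: attackers give forwarding rules short or blank-looking names so they are easy to overlook in a settings screen, which is why the check is on the destination domain rather than on the name.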