Insurance agency IT, what your carrier expects from YOU
The cybersecurity and IT expectations insurance carriers, E&O underwriters and state regulators increasingly place on independent insurance agencies, and how an agency should actually comply.
Atticus Rowan
Independent insurance agencies have spent the last 5 years adjusting to a sharp shift in how their upstream counterparties view cybersecurity. The carriers the agency places business with, the E&O carrier that underwrites the agency’s own professional liability policy and the state insurance regulators that supervise the agency have all started asking questions the agency has to answer in specific, evidenced terms.
The shift is not abstract. Agencies that cannot demonstrate credible cybersecurity controls now see slower appointments, higher E&O premiums, restricted access to carrier portals and, at the extreme, loss of carrier appointments. The practical work is understanding exactly what the counterparties want and building an IT and cybersecurity program that satisfies it without over-engineering.
Here is a working view of what the modern independent insurance agency faces and how to build the program that responds.
Who is asking, and why
Three distinct counterparties drive the requirements, and their asks overlap but are not identical.
The placement carriers
Property and casualty, life, commercial and specialty carriers. These are the companies the agency places business with, and they have the strongest direct interest in the agency’s cybersecurity posture because the agency has authenticated access to the carrier’s policy systems and customer data, and often holds binding authority.
What placement carriers ask about:
- Multi-factor authentication on agent access to carrier portals
- Endpoint protection on agent workstations
- Email security, specifically around spoofing of carrier domains
- Employee training on phishing attempts targeting agents
- Access controls around agent departures
- Incident reporting obligations when the agency experiences a security event
Most placement carrier cybersecurity requirements now arrive as part of the appointment process or the annual agent review. Failure to comply can trigger portal access restrictions or non-renewal of the appointment.
The E&O carrier
The agency’s own professional liability carrier underwrites the agency itself. Cybersecurity posture is now part of the underwriting model.
What the E&O carrier asks about, typically at renewal:
- The same core controls (MFA, EDR, backup, training) that cyber insurance applications ask about
- Specifically, whether the agency has cyber insurance coverage and at what limits
- Data handling practices around customer PII, policy documents and financial information
- Vendor risk for systems the agency uses (AMS platforms, document management, CRM)
- Incident history
An agency with weak E&O underwriting answers sees premium increases, sublimits introduced on cyber-adjacent exposures and, at the extreme, non-renewal. E&O is the single most expensive line item at many agencies, and the underwriting answer matters.
The state regulator
Every state insurance department has cybersecurity expectations, and a growing number have specific regulations. The NY DFS Part 500 framework (23 NYCRR 500) is the most comprehensive. The NAIC Insurance Data Security Model Law has been adopted in approximately 25 states as of 2026. Specific requirements vary, but the core is consistent.
What state regulators require:
- A written cybersecurity program, documented and dated
- Risk assessment against the agency’s specific operating profile
- Named cybersecurity leader (often called a CISO even at small agencies; may be fractional)
- Access controls, including MFA for privileged access and remote access
- Encryption of nonpublic information at rest and in transit
- Vendor management with due diligence on third parties with access to nonpublic information
- Incident response plan, tested
- Employee training
- Annual certification of compliance (in states that have adopted the model law)
Small agencies are sometimes exempt from parts of these rules, based on headcount or premium thresholds. The exemption landscape varies by state, and relying on exemptions is usually less defensible than building the program.
What overlaps, and where to focus
The three counterparties mostly ask the same questions. An agency that builds a real program answers most of what any counterparty asks.
The shortlist of high-leverage controls:
- MFA on everything agent-accessed. Carrier portals, AMS, email, remote access, document management. Phishing-resistant for privileged accounts.
- EDR on every agent workstation. Managed response from an MDR provider if the agency is above 15 or 20 employees.
- Email security. DMARC in enforcement mode, phishing protection, impersonation detection. Agencies are a favorite target for carrier-domain spoofing because the business relationship is email-heavy.
- Backup and recovery. Immutable backup of AMS data and document repositories, with tested restore capability.
- Offboarding discipline. Fast removal of access to carrier portals when an agent leaves. A departing agent with continuing portal access is both an E&O and a carrier-relationship problem.
- Vendor risk management. The AMS vendor, the document management vendor and the marketing automation vendor each hold customer data. Due diligence on each is documented and renewed.
- Training. Annual security awareness training with simulated phishing. Agency-specific scenarios (carrier impersonation, policy-document fraud) produce better results than generic training.
- Written program and risk assessment. The documentation the regulator asks for, refreshed annually.
- Incident response plan. A documented plan with the breach notification obligations baked in.
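One concrete check behind the "DMARC in enforcement mode" item above, as an added example that is not part of the original article: a small Python routine that parses a DMARC TXT record and reports whether it actually enforces (p=quarantine or p=reject on all mail, subdomains covered) or only monitors. The domain names and records are constructed samples, not real agency or carrier domains.

```python
# Added example (not from the article): classify a DMARC TXT record as
# enforced or monitor-only. Sample records below are constructed.
from typing import Dict


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split "v=DMARC1; p=reject; ..." into a lowercase-tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement_status(record: str) -> str:
    """Return 'enforced', 'partial', 'monitor-only' or 'invalid'.

    Enforcement means p=quarantine or p=reject applied to all mail
    (pct defaults to 100). A subdomain policy of sp=none, or pct<100,
    leaves spoofing room, so those cases are reported as 'partial'.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    if tags.get("sp", policy).lower() == "none":
        return "partial"
    return "enforced"


# Constructed sample records (not real agency or carrier domains).
SAMPLE_RECORDS = {
    "agency.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
    "carrier.example": "v=DMARC1; p=reject; rua=mailto:dmarc@carrier.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
}


def audit(records: Dict[str, str]) -> Dict[str, str]:
    """Map each domain to its enforcement status, e.g. for an appointment review."""
    return {domain: dmarc_enforcement_status(rec) for domain, rec in records.items()}
```

In practice the record strings would come from a TXT lookup of `_dmarc.<domain>`; the parsing and classification are the same.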
Most independent agencies can close the most important gaps in this list inside a 6-month engagement, without enterprise-grade tooling.
Common failure modes at agencies
Patterns we see consistently across independent insurance agencies.
- Shared credentials for carrier portals. Multiple agents use a single login to a specific carrier’s system. Defensible in 2012, indefensible in 2026.
- Legacy email addresses. Personal email or Gmail used for agency business because the agency’s own email had deliverability issues. Customer data in a personal account is both a regulatory problem and a breach risk.
- Partial backup coverage. The AMS is backed up by the AMS vendor. The document management system has its own backup. The file shares on the office server have no backup. The agency assumes everything is covered when most is, but not all.
- Unmanaged devices. Producers working from personal laptops with no security controls, accessing customer data.
- Departing producer access retention. An agent leaves, and carrier portal access stays active for weeks while the agency figures out which systems held their credentials.
- No written program. The cybersecurity practices exist in practice but have never been written down, dated or reviewed.
- E&O application inflated or understated. Either overstating controls (which surfaces at claim time) or understating them (which raises premium unnecessarily).
Most of these are solvable without material investment, but they do require someone inside the agency to own the problem.
What a working program looks like
A mid-sized independent insurance agency (25 to 100 producers, one to three offices) typically runs a program that looks like:
- Corporate identity. Microsoft 365 or Google Workspace, with MFA universal and phishing-resistant factors on agency principals and IT admin accounts
- AMS access. MFA on every agent’s AMS login, quarterly access reviews
- Endpoints. Company-owned laptops with EDR and managed response from an MDR provider
- Email. DMARC in enforcement, phishing protection with carrier-domain impersonation detection
- Backup. Immutable backup of AMS data exports, document repository and email archives. Documented restore testing
- Vendors. A maintained inventory of AMS vendor, doc management vendor, payroll vendor, CRM vendor, etc., with annual review
- Training. Annual HIPAA-adjacent and cybersecurity awareness training, quarterly simulated phishing
- Program documentation. A written information security program, annual risk assessment, documented incident response plan, named cybersecurity officer
- Cyber insurance. Current policy with adequate limits, application reflecting the actual program
Typical annual investment for an agency of this size, including MSP services and cyber insurance premium: $50,000 to $200,000 depending on scale. That investment compares favorably against the alternative, which is losing carrier appointments, losing E&O renewability or taking a material breach hit.
Where we fit
We work with insurance agencies as the IT and cybersecurity partner that builds and operates the program the carriers, E&O underwriters and state regulators now expect. The engagement model treats the agency’s counterparty landscape explicitly. Carrier cybersecurity expectations drive one workstream, E&O preparedness drives another, state regulatory compliance drives a third, and all three converge on a single documented program.
If your agency has seen cybersecurity questions from a placement carrier, an E&O underwriter or a state regulator that you were not fully prepared to answer, schedule a discovery call. We can walk through the current posture and scope the program that responds.