The insurance industry is a double-edged sword. On the one hand, its interconnectedness, where agencies and carriers share systems, makes it easy to quote, sell, and manage policies quickly. On the other hand, it leaves the industry at risk of third-party data breaches. A successful attack on one business can ripple through the entire ecosystem — compromising sensitive insured data across multiple carriers at scale.
So, as an insurance company, how secure is your third-party ecosystem?
The Growing Cybersecurity Risks in the Insurance Industry
The insurance industry is a vast network of agencies, carriers, and wholesale vendors. And because you’re dealing with personally identifiable information (PII), financial data, health records, and other sensitive information, it’s already a prime target for cybercriminals.
Add in how connected the network is, and you’re in a situation where one weak link or security failure can trigger a domino effect of breaches.
A Web of Interconnectedness and Third-Party Risks
Independent insurance agencies are essentially brokers between the insured (the customer) and the carriers providing the policy. A single agency might represent 20+ carriers (think Travelers, Nationwide, Hanover, and so on). Conversely, each of those carriers has thousands of agencies selling its products. Carriers might also rely on third-party services to support operations or track specific data.
What does this mean for security risk? There is a lot of data sharing and system dependencies. Agencies have access to online portals and files for each carrier. When they first engage a potential insured (either a company or individual), they collect personal information and input it into the different carrier portals. Then, if they bind the coverage, the agencies can manage the policies from these portals.
See the challenge here? If one link in that chain is compromised, the fallout can be catastrophic.
For example, say an agent’s password for one carrier portal is compromised. If that agent reuses the same password across portals, the attacker can log in to every carrier system the agent represents. Now you’re dealing with exposed personal, financial, and health information, and with policies that an adversary can modify or bind. The same scenario is why unique credentials per portal and multi-factor authentication on every carrier login matter so much: a single phished or leaked password should never be enough to open the whole chain.
Real-World Breach Examples in Insurance
Third-party risk is a real problem in cybersecurity for insurance. One report that analyzed data breaches at the top 150 insurance carriers found that 59% of those incidents involved a compromised third party.
One notable incident was the global MOVEit attack of 2023, in which attackers exploited a vulnerability in the MOVEit Transfer file-transfer software used by PBI Research Services, a third party that monitors death records on behalf of life insurers. Genworth, an insurance provider, had more than 2.5 million policyholder records exposed through PBI. The fallout also reached Prudential, which reported over 320,000 customer records compromised through the same vendor.
Because of the size and scope of the campaign, the total cost across all MOVEit victims (response, regulatory fines, liability payments, and other costs) has been estimated at more than $12.15 billion. Neither Genworth nor Prudential ran the vulnerable software themselves; their exposure came entirely through a vendor.
Common Cyber Threats Targeting Insurance Companies
Cybercriminals are working smarter and not harder. They understand the upside of a successful third-party attack and how to deliver devastating blows to the insurance industry.
Ransomware and Data Theft
Ransomware is a top concern for agencies, carriers, and anyone else supporting the insurance industry.
Cybercriminals can shut down your entire operation by locking you out of the records you need to sell and manage policies. They can also use stolen credentials to exfiltrate data before (or instead of) encrypting it. With so much financial, health, and personal information stored, and with credentials that open doors up and down the insurance supply chain, it’s not surprising that credential-based attacks are now the top-ranked threat among insurers.
Supply Chain Attacks
Here’s another headache: supply chain attacks. Threat actors exploit weaknesses in third-party vendors to reach the “bigger fish.”
Rather than go after one insurance agency, they can target a carrier hosting information collected by thousands of agencies. Or they can go after a single provider, such as an IT company or a data service, that supports many carriers at once (as you saw in the MOVEit incident).
One compromised insurance partner = A cascading impact on the whole industry.
Compliance and Regulatory Risks
The cost of an attack isn’t limited to disruption of the insurance operation itself. Regulators are also cracking down on third-party risk management.
If you don’t secure third-party data or hold your providers to a defined standard, you risk not only a breach but also fines and legal consequences. A growing number of states have adopted the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, which explicitly requires licensees to oversee third-party service providers and to ensure those providers protect the information they handle.
HIPAA likewise requires covered entities, including health plans, to assess and manage the risk posed by business associates, the third parties that handle patient data on their behalf, and to put those obligations in writing.
The Role of Security Gap Analysis in Mitigating Third-Party Risk
Third-party risk isn’t something to scoff at. A security gap analysis is a practical starting point for pinpointing the weak links among the providers in your insurance supply chain.
Identifying Critical Vulnerabilities
First and foremost, a security gap analysis evaluates both your internal security controls and those of your third parties against a defined standard.
Are vulnerabilities like outdated software or weak access controls leaving a weak link in the chain? Is data encrypted in transit and at rest? Is multi-factor authentication enforced on portal logins? Is there robust endpoint protection? Are there solid governance and policies for passwords, approved software, and incident response, and does anyone verify that vendors actually follow them?
Strengthening Third-Party Risk Management
Finding gaps is one thing; now, it’s time to close them.
The main goal here is cyber resilience. Continuous monitoring lets you find and fix weaknesses as they appear, and periodic risk assessments confirm that you are steadily reducing both the likelihood and the impact of an attack.
But there’s a catch. It’s not enough to secure your own house; agencies and carriers need to work together to enforce stronger security standards across the industry, because your exposure is only as small as your weakest partner’s.
How CyberMaxx Helps Secure the Insurance Industry
We at CyberMaxx pride ourselves on understanding the insurance world. Its interconnectedness and complexity aren’t something just any cybersecurity company can handle. Whether you’re a carrier underwriting and providing coverage, an agency selling policies, or a service provider supporting the industry, we can help:
Comprehensive Gap Analysis for Insurance Companies
You have hidden vulnerabilities. We’ll uncover them.
With a comprehensive gap analysis across your entire insurance ecosystem, we can provide a clear roadmap for strengthening your defenses.
From endpoint protection and network security to compliance and managing third-party risk, we’ll get you to cyber resilience.
Implementing Stronger Security Controls
The work doesn’t stop there. After a security gap analysis, we’ll help you implement stronger controls and enforce better cybersecurity policies.
The goal: mitigate third-party risk and ensure regulatory compliance with state, federal, and insurance-specific requirements.
Our “offense fuels defense” philosophy will keep your organization ahead of the curve by staying resilient against current and evolving threats.
Cybersecurity for Insurance: It Might Not Be Your Fault, But It Is Your Problem
Third-party risk isn’t going away. But the good news: you don’t have to face it alone. A proactive approach via a security gap analysis can make all the difference.
Everyone in the insurance supply chain is exposed if just one link fails. So what’s your next move? Will you help secure the entire ecosystem? Or wait for a third-party vulnerability to be exposed?