Insurers Face the Same Cyber Threats They Underwrite — and Gaps Remain
Insurance carriers occupy an unusual position in the cybersecurity ecosystem. They evaluate cyber risk, set security requirements as conditions of coverage, and respond when incidents strike — yet they remain high-value targets for threat actors due to the sensitive data they hold and their systemic economic importance.
A new report from the Insurance Information Institute and breach recovery firm Fenix24 found that while insurers generally follow strong security practices, notable gaps persist in areas such as credential management, backup definitions, and patch deployment cycles.
The cyber insurance market reached $15.3 billion in gross written premiums in 2024 and was projected to hit $16.3 billion in 2025, according to Munich Re. While ransomware remains the leading driver of insured cyber losses, it accounted for only 19% of reported cyber claims in 2023, with 56% originating from business email compromise or funds transfer fraud, the report said.
Backup and Recovery Readiness
Immutable backups — files that cannot be altered, protecting data against human error or malicious action — are a cornerstone of cyber resilience, the report said. Most insurers interviewed reported implementing immutable backups across critical system categories, including cloud data repositories, databases, email systems, file servers, and network configurations.
However, the report flagged a significant concern: there is no universally accepted definition for an immutable backup, which can create problems for both insurers and their policyholders. Risk managers evaluating vendor or carrier security postures should be aware that what one organization calls “immutable” may not meet another’s standards, the report noted.
Most participants also reported meeting their established recovery time objectives (RTOs) for their highest-priority systems. RTO is the overall length of time an information system’s components can be in the recovery phase after a disruption before causing significant damage to the organization.
But the report noted that RTO tests are often performed under ideal circumstances and calibrated to a single system, whereas best practices recommend testing across full network recovery scenarios. This distinction matters, as a carrier’s ability to recover one system in isolation may not reflect its resilience during a large-scale attack.
Credential Vulnerabilities and Access Controls
All insurers in the discussions reported using corporate password vaults and strong password complexity practices, with user passwords averaging more than 13 characters, according to the report. Yet several implement domain-joined software-as-a-service accounts, creating single-point-of-failure vulnerabilities. The report noted that best practice favors segmented identity architectures to reduce systemwide exposure.
On multi-factor authentication, all respondents said they require authenticator applications or hardware tokens for administrative accounts. Some insurers, however, still allow less secure confirmation methods such as SMS messages, phone calls, email, and device push prompts. While these methods are significantly stronger than not requiring MFA at all, the report said, each has inherent limitations that threat actors frequently exploit.
Patching, Testing, and the Human Element
All participants reported conducting penetration testing, including Help Desk social engineering scenarios designed to prevent cybercrime groups like Scattered Spider from manipulating employees into granting password resets, according to the report. This reflects growing recognition that testing human defenses is as critical as testing technical ones — a consideration equally relevant for policyholders designing their own security programs.
Automated patch-deployment systems were universal among participants, but only about half deploy security patches monthly. The report warned that modern adversaries often exploit newly disclosed vulnerabilities within hours or days.
The report also found that some insurers use split tunneling, which routes employee internet browsing outside VPN encryption to improve performance. While this enhances user experience, it can expose employees to phishing, malware, and man-in-the-middle attacks and reduce the accuracy of post-incident forensic investigations, the report said.
“The difference between resilience and disaster lies not in perfect prevention but in systematic preparation, validated recovery capabilities and organizational commitment to continuous security improvement,” the report concluded.
Obtain the full report here.