It’s time for the insurance sector to ramp up its cyber defenses
Insurance companies know all about assessing and managing risk for their customers, but they also must be capable of identifying the most urgent risks to themselves.
One such risk is the growing threat of cyberattacks, which are increasingly directed at the insurance sector to steal highly sensitive information collected during underwriting and claims processes. When insurance companies suffer cyberattacks, they don’t only confront significant financial and operational consequences — they also face the reputational damage that comes with the failure to manage risk effectively for their own organizations.
Insurance companies must apply the principles of their business to their own operations. This means understanding their unique vulnerabilities, as well as the latest cybercriminal tactics for taking advantage of those vulnerabilities. For example, insurance companies are far more digitized than they once were — from online policy applications and claim filing to the collection of health data via fitness trackers for incentives like wellness premiums. Although digitization offers more convenience and a greater range of services, it also increases the number of attack vectors for cybercriminals to exploit.
The digital transformation is a competitive necessity for insurance companies, which is why cybersecurity is so vital for the industry. It’s time for insurance companies to adopt more robust policies and processes to guard against cyberattacks, from zero-trust security infrastructure to cybersecurity training for employees. When insurance companies protect themselves, they will be in a stronger position to focus on their core mission of protecting customers.
Cybercriminals are targeting the insurance sector
In February 2024, Change Healthcare was hit by a major cyberattack that compromised the data of as many as 100 million Americans. This was one of the largest breaches ever recorded, and it caused severe disruptions for healthcare providers, cost Change Healthcare at least $2.5 billion, and interrupted patient care. Change Healthcare is a payments platform owned by UnitedHealth Group, a major health insurance provider.
The cyberattack on Change Healthcare is a reminder that the insurance industry spans many domains. According to IBM, the financial sector, which includes insurance companies, had the second-highest average cost of a data breach in 2024: over $6 million. However, the health care sector — which overlaps with the insurance industry — was at the top of the list at nearly $10 million. Insurance companies don’t only operate in a wide array of fields — they also collect and protect many different types of data, from financial and health records to intellectual property.
Insurance companies also face regulatory and compliance risks when they suffer a cyberattack. In November 2024, auto insurance companies Geico and Travelers were fined $11.3 million by New York state for cybersecurity failures that led to stolen customer data. All these attacks are part of a broader trend. Allianz reports that cyber incidents constituted the top global business risk in 2024 “for the first time by a clear margin,” and it’s clear that insurance companies should be focused on addressing this risk.
How cybercriminals are attacking insurance companies
The insurance industry is in the middle of a sweeping digital transformation. Customers want accessible and powerful digital platforms to manage their policies, check updates and receive 24-hour support. They also increasingly expect personalization, such as policies that reflect their individual behavior and meet their unique needs more effectively. While these services are drastically improving customer experiences, they also create a whole new landscape of attack vectors for cybercriminals.
Insurance companies are increasingly reliant upon digital internal processes, from automated workflows to data analysis. They can use artificial intelligence for actuarial analysis, underwriting and claims automation, and they have access to a much larger universe of data about their customers than ever before. For example, auto insurance customers are increasingly willing to share telematics data to receive safe driver discounts. But the digital transformation has a dark side. As Deloitte explains, cyberattacks on the industry are “growing exponentially as insurance companies migrate toward digital channels in an effort to create tighter customer relationships, offer new products and expand their share of customers’ financial portfolios.”
It has never been more critical for insurance companies to protect their networks and safeguard the data they collect. Doing so won’t just ensure the integrity of their operations and shield sensitive customer information from cybercriminals — it will also build the trust necessary to continue offering digital services that improve customer satisfaction and retention.
Building up cyber defenses in the insurance industry
As cybercriminals continue to target insurance companies and the digitization of the sector accelerates, cybersecurity must become a core priority. This means implementing security technology such as data encryption, threat monitoring systems and zero-trust architecture. It also means addressing third-party risks, which are especially relevant because insurance interacts with many other sectors. Finally, insurance companies must focus their cybersecurity efforts on the workforce — from the development of an incident response plan and reporting procedures to employee awareness training at every level.
IBM found that the two most frequently exploited initial attack vectors are phishing and compromised credentials. These methods stem from social engineering, which is why employee training is the top factor that reduces the average cost of a data breach. One key aspect of cybersecurity awareness training is personalization — the most effective training programs account for different learning styles, psychological traits and behaviors, vulnerabilities, and levels of knowledge. These programs must also consider different roles within the organization, from analysts who evaluate actuarial data to agents who work directly with customers.
The cybercriminals who infiltrated Travelers deployed stolen credentials to access an online quoting tool used by agents — a tool that wasn’t protected by multifactor authentication. The Change Healthcare hackers were able to execute one of the largest data breaches in U.S. history by stealing the username and password of a “low-level customer support employee” who also wasn’t using multifactor authentication. It’s difficult to think of clearer examples of why insurance companies should make cybersecurity awareness a higher priority.
The digital transformation in the insurance industry will only gain momentum in the coming years. The companies that make this transition while making cybersecurity a core strategic priority will keep their networks and systems safe — a prerequisite for maintaining the hard-earned trust of their customers.
© Entire contents copyright 2025 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.