Third-party vulnerabilities expose insurance industry risks
A report has revealed that 59% of breaches in the top 150 insurance companies worldwide were caused by third-party attacks, highlighting significant vulnerabilities in the sector's supply chain.
The report, released by the third-party risk platform SecurityScorecard, shows that the reliance of the insurance industry on a complex network of carriers, reinsurers, brokers, claims processors, and IT providers presents considerable cyber risks. It points to the systemic challenges the sector faces in safeguarding sensitive financial and personal information from escalating cyber threats.
Andrew Correll, Senior Director of Cyber Insurability at SecurityScorecard, commented on the findings, stating, "Insurance companies' reliance on technology to manage daily operations has outpaced their ability to secure it. Cyber risks don't stop at the first layer of defence — they extend deep into the supply chain, where vulnerabilities are harder to detect and even harder to mitigate. Addressing these risks requires a shift in how the industry prioritises third-party security."
The report presents several key findings. Notably, 28% of insurance companies reported breaches, a higher percentage than the 21% reported by constituents of the S&P 500 and significantly higher than the 14% rate in the US energy industry.
It further highlights that 50% of these third-party breaches were linked directly to third-party software and IT suppliers. Insurance carriers were notably impacted, representing 50% of the companies hit by third-party breaches, despite constituting just 27% of the sample.
Concerning credentials, the report found that 56% of companies had at least one compromised credential over the past two years. Additionally, malware infections and device compromises were identified in 17% of companies throughout the last year.
The report assessed the insurance sector's cyber risk posture, identifying application security, DNS health, and network security as the lowest-scoring factors in this regard. DNS health, in particular, is rarely highlighted among key risk factors.
Based on its analysis, SecurityScorecard's STRIKE team provides several recommendations to bolster the sector's cybersecurity framework. It suggests strengthening third-party risk management practices, especially for insurance carriers that depend on low-scoring industry segments such as IT vendors and brokers. This is directed at mitigating vulnerabilities and reducing frequent breaches and credential compromises.
The report also stresses the importance of ensuring that vendors have effective third-party risk management (TPRM) programmes, noting that risks from vendors' suppliers, or fourth-party risks, are critical and often overlooked.
Additionally, SecurityScorecard advises against paying ransomware demands, warning that payment could encourage further attacks, could carry legal repercussions, and does not guarantee recovery of the affected data. It asserts that refusing to pay helps deter future criminal activity and protects the wider digital ecosystem.
The SecurityScorecard study evaluates ratings and publicly available breach records of top insurance companies worldwide to offer insights into their cybersecurity status. The research divides the supply chain into segments including insurance carriers, reinsurance companies, agencies and brokers, third-party claims processors and administrators, and insurance-specific software and IT products and services.
The list of 150 companies examined was compiled from reputable insurance industry publications and rankings, ensuring the report's findings are both accurate and comprehensive.