The insurance industry faces a complex cybersecurity landscape, balancing strong security scores with significant vulnerabilities. This post explores the key findings from SecurityScorecard's recent report, A Cybersecurity Assessment of the Insurance Industry Supply Chain, highlighting the industry's top cyber risks, the impact of third-party breaches, the growing threat of ransomware, and geographic variations in risk. It also provides actionable insights for insurance carriers on how to strengthen their cybersecurity posture.
According to the assessment, insurance companies maintain an average security score of 86/88, aligning with most industries. However, only 77% of companies earned A or B grades, compared to at least 81% in other sectors. This discrepancy raises concerns about the remaining 23% of underperforming companies and their potential risks.
Top Cyber Risk Factors
The assessment identified three key cyber risk factors affecting the industry:
- Application Security (40%) – Weaknesses in software security create significant vulnerabilities.
- DNS Health (29%) – A higher-than-usual ranking for this factor suggests potential systemic issues.
- Network Security (20%) – Gaps in network protection further expose organizations to cyber threats.
Additionally, the most common security flaws involve weak or missing encryption, including:
- Outdated SSL/TLS protocols
- Unencrypted redirect chains
- Unencrypted cookies
Breach and Compromise Trends
The report highlights a troubling rate of breaches and compromised credentials:
- 56% of insurance companies had at least one compromised credential in the past two years, with U.S. insurance carriers leading in volume (median: 15; mean: 433).
- 28% of companies reported breaches, surpassing the S&P 500 (21%) and double the rate of the U.S. energy industry (14%), though still lower than U.S. federal contractors (35%).
- 17% of companies experienced malware infections and device compromises, though the overall severity was lower than the percentage implies.
Implications for Insurance Carriers
Insurance carriers and reinsurance providers scored the highest in security ratings, while agencies, brokers, and insurance-specific IT vendors scored the lowest. This gap poses an increasing third-party risk for carriers, as they rely on lower-scoring partners for essential services.
The study also found:
- Breach rates were highest in the U.S. insurance sector, affecting both carriers and agencies/brokers.
- 42 companies experienced breaches, and 12 suffered multiple breaches—primarily U.S.-based carriers and agencies.
Third-Party Breaches and Supply Chain Exploits
The report underscores third-party risk as a critical issue, with 59% of breaches stemming from external partners—more than double the global cross-industry average (29%).
Key findings include:
- Many companies affected by third-party breaches had above-average security scores (mean: 88, median: 89), indicating attackers are targeting well-defended firms through their weaker suppliers.
- Third-party software & IT vendors were responsible for 50% of breaches, while cross-industry software & IT contributed 37%—far more than insurance-specific IT (13%).
- The 2023 MOVEit file transfer software breach significantly contributed to third-party security incidents, demonstrating how vulnerabilities in widely used software can have far-reaching consequences.
The Growing Threat of Ransomware
The assessment reveals that ransomware remains the most significant cybersecurity threat to the insurance industry, with attacks occurring at higher rates than in most other industries. Every attack tied to a known threat actor involved ransomware.
Notably:
- There is a strong correlation between ransomware and third-party breaches, as supply chain vulnerabilities allow attackers to infect multiple targets simultaneously.
- The insurance industry’s reliance on vendors with weaker security measures amplifies ransomware risks.
Geographic Variations in Cyber Risk
The study also highlights key regional trends:
- Chinese insurance companies had the lowest security scores (79/79), contributing to third-party risk for foreign partners.
- U.S. insurance companies reported the highest breach rates, particularly among carriers and agencies.
- The U.S. remains a top target for cybercriminals, driven by:
  - The size and influence of the U.S. economy
  - The geopolitical role of the U.S. government
  - The widespread use of English in global business operations
Key Takeaways for the Insurance Industry
1. Address Third-Party Risk
   - Carriers must closely monitor and vet vendors, ensuring that agencies, brokers, and IT partners meet stringent cybersecurity standards.
   - Strengthening contractual security requirements for third-party providers can help mitigate exposure.
2. Improve Encryption and Application Security
   - Companies should update SSL/TLS protocols, eliminate unencrypted redirect chains, and enforce strong encryption for cookies.
   - Enhancing application security can reduce vulnerabilities that attackers frequently exploit.
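The three encryption flaws the report names (outdated SSL/TLS, unencrypted redirect chains, unencrypted cookies) can all be checked mechanically from data an ordinary HTTP client already observes, which is how a carrier can verify item 2 for its own sites and for the vendors it onboards. The script below is an added example and is not part of SecurityScorecard's report or its tooling. It assumes a scanner has already collected an observation (the TLS protocol versions the server accepts, the redirect chain a client followed, and the Set-Cookie headers returned) and feeds it in as a dict; the `SAMPLE` observation and the `insurer.example` hostname are constructed for illustration.

```python
"""Posture check for the encryption flaws listed above (hypothetical example).

Input is an observation collected elsewhere (e.g. by a TLS scanner and an HTTP
client that records each redirect hop); this module only evaluates it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Protocol versions with known weaknesses; TLS 1.2 and 1.3 are acceptable.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass(frozen=True)
class Finding:
    category: str   # short tag used for counting and reporting
    detail: str     # human-readable explanation of the specific hit


def check_tls_versions(offered: List[str]) -> List[Finding]:
    """Flag every outdated protocol version the server still negotiates."""
    return [Finding("outdated-tls", f"server accepts {v}") for v in offered if v in WEAK_TLS]


def check_redirect_chain(chain: List[str]) -> List[Finding]:
    """Flag any hop after the initial request that is not served over HTTPS.

    The first URL is what the client asked for (often plain http://); the flaw is
    a redirect that sends the client to another plaintext URL instead of HTTPS.
    """
    findings = []
    for hop, url in enumerate(chain[1:], start=1):
        if urlparse(url).scheme.lower() != "https":
            findings.append(Finding("unencrypted-redirect", f"hop {hop}: {url}"))
    return findings


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into (cookie name, lower-cased attribute map)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookies(set_cookie_headers: List[str]) -> List[Finding]:
    """Flag cookies that may travel in cleartext (no Secure) or are script-readable."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(Finding("unencrypted-cookie", f"{name}: missing Secure attribute"))
        if "httponly" not in attrs:
            findings.append(Finding("cookie-script-accessible", f"{name}: missing HttpOnly attribute"))
    return findings


def audit(observation: Dict) -> List[Finding]:
    """Run all three checks over one collected observation."""
    return (
        check_tls_versions(observation["tls_versions"])
        + check_redirect_chain(observation["redirect_chain"])
        + check_cookies(observation["set_cookie"])
    )


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, which is what a vendor scorecard would track."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample observation (hypothetical host), exhibiting one of each flaw.
SAMPLE = {
    "tls_versions": ["TLSv1", "TLSv1.2", "TLSv1.3"],
    "redirect_chain": [
        "http://insurer.example/",
        "http://www.insurer.example/",     # plaintext redirect hop: flagged
        "https://www.insurer.example/",
    ],
    "set_cookie": [
        "session=abc123; Path=/; HttpOnly",                  # no Secure: flagged
        "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax",  # clean
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"[{finding.category}] {finding.detail}")
    print(summarize(audit(SAMPLE)))
```

Feeding real observations in is the scanner's job; the point of keeping the evaluation separate is that the same rules can be applied to a carrier's own hosts and to each third-party vendor's, giving a like-for-like comparison before contracts are signed.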
3. Strengthen Ransomware Defenses
   - Given ransomware's dominance, companies must invest in incident response plans and employee training.
   - Using advanced threat detection tools can help identify and block ransomware before it spreads.
4. Monitor Global Cyber Trends
   - U.S.-based insurance companies should prepare for higher breach attempts, while companies partnering with Chinese firms should be aware of lower security scores and heightened third-party risks.
The insurance industry can fortify its cybersecurity defenses and reduce exposure to costly breaches by proactively addressing encryption gaps, third-party risks, and ransomware threats.