A new report from SecurityScorecard reveals some interesting details about third-party cyber risks in insurance. Among them, 59% of insurance industry breaches stem from third-party attack vectors. These findings underscore vulnerabilities in the supply chain that expose critical policyholder data to cyber threats. The study analyzed 150 top insurance firms, revealing an industry struggling with cybersecurity challenges despite maintaining an average security rating comparable to other sectors.

Carriers Most at Risk Due to Supply Chain Weaknesses
Insurance carriers comprised 27% of the study sample while accounting for 50% of third-party breaches. Carriers generally maintain stronger security postures, but their reliance on low-scoring brokers, claims processors, and IT vendors increases their exposure. Attackers exploit these weaker links to infiltrate more secure organizations.
Andrew Correll, Senior Director of Cyber Insurability at SecurityScorecard, warned that cyber risks extend far beyond a company’s immediate defenses, emphasizing the need for stronger third-party risk management (TPRM) strategies. “Insurance companies’ reliance on technology to manage daily operations has outpaced their ability to secure it. Cyber risks don’t stop at the first layer of defense,” he said.
Key Findings: Industry Faces Elevated Breach Rates and Cyber Risks
- 28% of insurance firms suffered breaches, higher than the S&P 500 (21%) and twice the rate of the U.S. energy sector (14%).
- Over half (56%) of companies had at least one compromised credential in the past two years.
- Malware infections and device compromises affected 17% of insurance firms in 2023.
- The leading security risks include weak application security (40%), DNS health issues (29%), and network security flaws (20%).
Ransomware Attacks Dominate Industry Threats
Ransomware remains the insurance industry’s most prevalent cyber threat: every known attack attributed to a threat actor involved ransomware, with groups like LockBit and BlackCat exploiting weak vendor defenses. The 2023 MOVEit software breach, which compromised multiple companies, demonstrated how ransomware groups scale attacks by targeting supply chains.
Geographic Disparities: U.S. Companies More Likely to Be Breached
Despite having higher security ratings, U.S. insurance firms reported the most breaches: 69% of breached companies were based in the U.S., making them prime targets for cybercriminals. Chinese insurance firms scored lowest in security, raising risks for international partners.
Industry Recommendations: Strengthening Cyber Resilience
- Stronger Vendor Oversight – Insurance carriers must assess their third-party and fourth-party vendors, ensuring proper TPRM frameworks.
- Geographic Risk Awareness – Firms working with U.S. and Chinese partners should implement stricter cybersecurity controls.
- Reject Ransom Payments – Paying ransoms emboldens attackers and doesn’t guarantee data recovery.
Conclusion
Cyber risks in the industry threaten both customer trust and financial stability. With third-party breaches at record highs, insurers need to take proactive security measures to address third-party cyber risk and safeguard sensitive policyholder data.