The Growing Threat: Why Insurance Companies Are Becoming Top Targets for Cyber Attacks

The Significance of Data Security in the Insurance Industry

Insurers occupy a unique position in the realm of data security, as they handle a combination of healthcare-grade sensitive data, financial-services-grade data, and high-trust identity data within a single customer or policyholder record. This amalgamation of information makes insurance data particularly valuable for identity fraud, account takeover, and extortion.

What sets insurers apart is their need for operational continuity. Processes such as claims handling, customer service, broker and adjuster workflows, and payment processing are constantly in motion. Any disruption can quickly escalate into regulatory and reputational crises, a fact that attackers are keenly aware of.

Recent years have seen a shift in attacker tactics from perimeter exploitation to identity-led intrusion, often involving a combination of human deception and technical abuse. Threat actors like Scattered Spider have been known to target insurers through social engineering tactics in helpdesk and call-center settings.

As cybercriminal tradecraft has evolved, the theft of session tokens and cookies has surged, rendering traditional security measures like multi-factor authentication (MFA) and passwordless technology less effective on their own. Insurers now face the challenge of not only verifying who is logging in but also assessing the device used, its trustworthiness, and its security posture at the time of access.

The Strategic Tactics Employed by Ransomware Groups

Ransomware groups strategically target aspects of insurers’ operations that cannot be halted, such as claims intake, adjudication, and payments. By gaining access to systems crucial for business continuity, attackers can disrupt key workflows without necessarily encrypting all data. Compromised credentials and access from poorly managed devices enable adversaries to masquerade as legitimate users while extracting sensitive claims and policy information.

When attackers can determine an organization’s cyber insurance coverage or incident response capabilities, ransom demands are tailored to remain just below the threshold of unbearable consequences. This underscores the growing importance of rapid, identity-focused containment measures over traditional recovery methods.

The Risks Associated with Third-Party Involvement

Many vendor-risk programs primarily focus on static compliance measures like questionnaires and periodic audits, overlooking live access pathways that attackers exploit. The prevalence of third-party vectors in insurance breaches, as highlighted by SecurityScorecard’s findings, underscores the vulnerability introduced by shared identities, integrations, and support processes.

A critical gap lies in the enforcement of device trust and security posture for third parties accessing insurers’ systems. Vendors, brokers, and service providers often utilize unmanaged endpoints or personal devices that may not meet the insurer’s security standards, yet are granted significant access based solely on user credentials.

The incident involving Allianz Life, where a third-party cloud-based CRM was compromised through social engineering, illustrates the risks associated with third-party involvement.

Challenges Faced by Insurers: Inconsistent Identity Controls and MFA Fatigue

Attackers capitalize on inconsistencies within the digital ecosystem, exploiting varying levels of security controls across different systems. Weaknesses such as legacy authentication methods, inadequate MFA measures, and broad device exceptions create opportunities for credential stuffing, password reuse attacks, and unauthorized access from non-compliant devices.

These gaps pave the way for credential theft, a prevalent initial access vector for breaches, as highlighted in Verizon’s 2025 Data Breach Investigations Report. Without uniform enforcement of device trust and security posture across cloud and legacy systems, insurers inadvertently maintain vulnerabilities that threat actors can exploit.

Moreover, many organizations implement MFA as a superficial security measure, failing to integrate it into a comprehensive trust strategy. While push-based approvals and one-time codes mitigate some risks, they remain susceptible to MFA fatigue, phishing attacks, SIM swapping, and helpdesk-related vulnerabilities that threat groups specializing in social engineering can exploit.

Essential Changes for Insurers

Reducing cyber risk in the insurance sector necessitates both tactical and pragmatic adjustments. Organizations should adopt phishing-resistant MFA solutions for sensitive access, leveraging technologies like FIDO2/WebAuthn and robust challenge-response methods. Binding authentication to trusted devices ensures that credentials alone are insufficient for access, emphasizing the importance of device authentication and security posture validation.

Insurers must also bolster identity proofing processes, particularly for MFA resets, device enrollment, and account recovery, within helpdesk and service desk operations. Cyber risk is no longer a mere technical concern for insurers; it is a critical business risk that impacts operations, regulatory compliance, and reputation. Enhancing identity and access controls should be a foundational aspect of daily operations, not merely a secondary security consideration.

Darren James, a Senior Product Manager at Specops Software, brings over 20 years of cybersecurity expertise to the table. With a background in identity and access management, Active Directory, and Azure AD, Darren’s insights have been instrumental in developing top-tier password security and authentication solutions at Specops Software for more than a decade.
