Understanding Cyber Risk in the Insurance Industry
Cyber risk is one of the most significant threats facing financial services, with insurers among the most frequently targeted organizations. Over the past year, there has been a notable increase in the number of attacks on the insurance industry, with several major insurers having reported major cybersecurity incidents, including Allianz Life Insurance, Aflac, Philadelphia Indemnity Insurance, and Erie Insurance.
In June 2025, Google Threat Intelligence Group publicly warned that the cybercriminal group Scattered Spider was launching “multiple intrusions” against US-based insurance firms. Additional threat-intelligence reporting later confirmed a broader wave of attacks on financial services organizations, pointing to increased adversary focus on the sector. These incidents underscore how aggressively threat actors are focusing on insurance companies and why identity and access security remain central to the industry’s overall risk posture.
Why do cybercriminals target insurers?
Insurers have long been lucrative targets for cybercriminals, but the scale and frequency of attacks reflect how valuable and operationally exposed the sector has become. They hold large volumes of highly sensitive data, including identity, financial, and medical records, creating a rich target for identity theft, fraud, and extortion. At the same time, insurers have a low tolerance for downtime, as disruption directly impacts claims processing, customer service, and partner operations, making them attractive targets for ransomware.
This risk is compounded by the industry’s highly interconnected ecosystem. Insurers depend on brokers, service providers, and third-party administrators to deliver core services, creating a wide attack surface with multiple potential access points. A compromise in one part of this ecosystem can quickly cascade across others, increasing both the likelihood and impact of an attack. 59% of insurance breaches involved a third-party system, underlining how dependent insurers are on external partners and the risk this dependency introduces.
How cyber attackers target the insurance industry
- Phishing and social engineering: Claims handlers, underwriters, and customer service teams communicate constantly with policyholders, providers, and partners. This high volume of legitimate interaction makes it easier for attackers to insert convincing phishing or social-engineering attempts into normal workflows. When employees are under pressure to respond quickly, malicious messages can be harder to distinguish from legitimate ones.
- Credential theft: Many insurers operate a blend of legacy systems and modern cloud platforms, often built or acquired over decades. Because authentication practices vary across these systems, password policies may be outdated or enforced inconsistently across applications. Attackers exploit these inconsistencies through credential-stuffing, reused-password attacks, or by leveraging credentials stolen from unrelated breaches.
- Weak or outdated multifactor authentication (MFA): While MFA is widely deployed in the industry, not all MFA methods provide strong protection. Push notifications and one-time passwords remain vulnerable to MFA fatigue, real-time phishing, and SIM-swapping attacks. Threat groups using Scattered Spider techniques have shown how quickly attackers can exploit these weaknesses once they engage with employees.
- Exploiting third-party ecosystems: Attackers will take the path of least resistance to reach their goal and will often attack via a less protected third-party environment. Hawkeyed attackers can gain a foothold in an insurer’s internal network through someone else’s security lapse.
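For the MFA fatigue pattern described in the list above, a detection sketch a security operations team could adapt. This is an added example, not Specops code: the log format, the result names (push_denied, push_timeout, push_approved), the threshold and the window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
REJECTED = {"push_denied", "push_timeout"}

# Constructed sample events (hypothetical format: timestamp user result).
SAMPLE_LOG = """\
2025-06-10T02:14:05Z jdoe push_denied
2025-06-10T02:15:10Z jdoe push_timeout
2025-06-10T02:16:00Z jdoe push_denied
2025-06-10T02:17:30Z jdoe push_denied
2025-06-10T02:18:45Z jdoe push_timeout
2025-06-10T02:19:50Z jdoe push_approved
2025-06-10T09:00:00Z asmith push_denied
2025-06-10T09:01:00Z asmith push_approved
2025-06-10T10:00:00Z mlee push_denied
2025-06-10T10:00:30Z mlee push_denied
2025-06-10T11:00:00Z mlee push_denied
2025-06-10T11:00:30Z mlee push_denied
2025-06-10T11:01:00Z mlee push_approved
"""

def detect_push_fatigue(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return (user, kind, rejected_count, timestamp) alerts, kind being
    "burst" or "approved_after_burst" (an approval right after a burst)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.strptime(ts, TS_FMT), user, result))
    events.sort()  # the sliding window needs chronological order

    recent = defaultdict(deque)  # user -> times of recent rejected prompts
    alerts = []
    for ts, user, result in events:
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result in REJECTED:
            q.append(ts)
            if len(q) == threshold:  # alert once, when the burst is reached
                alerts.append((user, "burst", len(q), ts.strftime(TS_FMT)))
        elif result == "push_approved":
            if len(q) >= threshold:  # highest priority: prompt finally accepted
                alerts.append((user, "approved_after_burst", len(q), ts.strftime(TS_FMT)))
            q.clear()  # a completed login resets the user's count
    return alerts
```

On the sample data only jdoe is flagged: asmith's single denied prompt looks like a mistap, and mlee's four rejections fall into two separate windows.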
What insurers can do now to drive stronger cybersecurity and resilience
Financial services is one of the most heavily regulated sectors, and insurers are held to a particularly high standard for compliance. Regulations including GDPR, DORA, HIPAA, NAIC, and DFS consistently emphasise the importance of strong access controls and credential hygiene. To support regulatory compliance and strengthen identity security, insurers should focus on the following five measures.
1. Eliminate weak and breached passwords
Administrators should continuously identify and block weak or previously breached passwords before they can be used. Specops Breached Password Protection automates this process by continuously scanning your Active Directory (AD) against our database of over 5.5 billion unique compromised passwords and enforcing strong password hygiene across the organization.
2. Enforce modern password policies
Longer passphrase-based passwords offer stronger protection and reduce reset frequency, but only when they are applied consistently across AD, cloud applications, and legacy systems. Specops Password Policy enables insurers to enforce uniform password rules within AD, support modern passphrases, provide real-time feedback to users, and prevent the weak or predictable patterns frequently seen in insurance environments.
3. Implement phishing-resistant MFA
While MFA is mandated across many insurance regulatory frameworks, commonly used methods such as push notifications and one-time passcodes remain vulnerable to MFA fatigue and real-time phishing attacks. These techniques are increasingly used to compromise insurer access to claims systems, customer portals, and administrative tools. Specops Secure Access supports phishing-resistant MFA, helping insurers protect remote adjusters, call centre teams, and privileged users without increasing operational friction.
4. Expand secure self-service options
Insurance operations involve customer-facing teams, remote staff, and shift-based workers, all of whom generate high volumes of password resets. Providing secure self-service capabilities reduces helpdesk strain, improves productivity and reduces cost. Specops Self-Service Password Reset enables users to reset their Active Directory or Entra ID passwords securely from any device or location, including when offline from a company-approved VPN.
5. Strengthen the service desk against social engineering
Service desks remain a primary target for social engineering attacks, with attackers frequently impersonating employees, agents, or third parties to request credential resets. Insurers should enforce strict, auditable identity verification before any credential reset or access change. Specops Secure Service Desk applies strong identity verification controls and detailed logging to help prevent fraudulent resets while supporting compliance reporting and incident investigation.
Specops offers specialized identity security for insurers and other financial services organizations. To find out how we can help strengthen identity security and support compliance, speak to an expert or arrange a live demo to see our solutions in action.
Last updated on February 18, 2026