A Guide to Cybersecurity Compliance in the Insurance Industry
Insurance organizations operate under some of the most demanding regulatory requirements of any industry. As their digital services expand, third-party ecosystems grow, and the volume of personally identifiable information increases, compliance has become both more complex and more essential to business resilience.
The challenges of meeting cybersecurity compliance
Many insurance organizations operate decades-old legacy systems alongside newly acquired platforms and modern cloud tools, creating inconsistent authentication environments where password policies vary and multi-factor authentication (MFA) may not be enforced to the same standard.
High communication demands across claims, underwriting, and customer service make it difficult to spot phishing and social engineering attempts. At the same time, reliance on extensive third-party ecosystems increases exposure to breaches that originate outside the insurer’s direct control. Threat groups such as Scattered Spider have shown how easily weaknesses in MFA and service desk procedures can be exploited, underscoring the need for stronger identity verification, password hygiene and access management.
These operational realities make compliance with frameworks such as the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the Health Insurance Portability and Accountability Act (HIPAA), the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law and the New York Department of Financial Services (DFS) Cybersecurity Regulation both essential and challenging for insurers seeking to protect sensitive data and maintain resilience.
Key regulations to be aware of
Requirements in the insurance sector vary significantly by region, so it is essential for organizations to understand which rules apply to them. Below is a region-by-region breakdown of the key regulations that organizations should know and understand.
United States
NAIC Insurance Data Security Model Law: Insurance organizations must implement a comprehensive information security program, which includes strong access controls, remote-access MFA and compromised-password detection. The Model Law also establishes requirements for incident investigation, third-party oversight and breach reporting to state regulators.
New York DFS Cybersecurity Regulation (23 NYCRR 500): Insurers and DFS-regulated entities must enforce MFA or equivalent controls, conduct annual risk assessments and implement measures to mitigate password-related risks. The regulation also requires:
• A formal cybersecurity program
• Written security policies
• Governance and reporting obligations
• Incident response planning
HIPAA: Where health data is involved, insurance organizations must comply with HIPAA's technical safeguards. These include unique user IDs, secure authentication, access controls and mechanisms to block unauthorized access. Audit logging and monitoring are also required.
United Kingdom
PRA Supervisory Statement SS1/21: This statement sets the PRA’s expectations for insurers’ operational resilience, highlighting the importance of well-governed identity and access controls that safeguard important business services and sustain security throughout disruptive events.
ICO Guidance under UK GDPR: Under the UK GDPR, insurers must implement strong password policies, secure hashing, MFA where appropriate, and timely breach reporting.
European Union
GDPR: GDPR requires insurers to ensure secure processing of personal data, strong authentication and risk-based security controls. Organizations must be able to demonstrate that identity and access governance is robust and that breach notifications are handled within required timelines.
Digital Operational Resilience Act (DORA): DORA sets detailed expectations for operational resilience across the financial sector. For insurers, key requirements include:
• Strict governance of identity and access management
• ICT and cyber risk management
• Third-party and supply chain oversight
• Incident reporting and continuity planning
Core compliance expectations
Achieving compliance can be challenging, even for well-resourced security teams. However, many of these regulations share core themes, and regulators across jurisdictions expect organizations to demonstrate the following:
- Passwords are strong, unique and never known to be compromised
- Authentication is consistently applied and resistant to attack
- Users are verified before password resets or access changes
- Privileged accounts and remote access are tightly controlled
- Audit logs are complete and can demonstrate compliance
- Third-party access is controlled and monitored
Taken together, these regulations make one point clear: identity controls are now fundamental to cybersecurity in the insurance sector. They reduce credential-driven threats, contain phishing attacks, and keep insurers compliant. Specops provides the critical capabilities needed to achieve this.
How Specops helps insurance organizations meet compliance requirements
To address these regulatory expectations, Specops equips insurers with a comprehensive identity security platform that fortifies access controls, elevates password hygiene, and makes compliance with US, UK and EU frameworks significantly easier.
Eliminating weak passwords and enforcing strong, consistent password policies
Specops Password Policy continuously checks Active Directory passwords against a database of over 4.5 billion known unique compromised passwords, which includes passwords from Specops’ real-time attack monitoring system that monitors live brute force attacks and malware-stolen data. This supports compliance with NAIC requirements for compromised-password detection and aligns with NYDFS, GDPR and DORA expectations for strong credential hygiene.
Additionally, with Specops Password Policy insurers can enforce modern passphrase-based rules across legacy systems, AD and cloud services. This removes inconsistencies caused by decades of system accumulation and ensures that all authentication environments meet regulatory expectations for secure and predictable access controls.
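The two controls described above, a passphrase-style policy and a check against a list of known compromised passwords, can be illustrated in a few lines. The following Python is an added example and is not Specops code; it uses a constructed four-entry "compromised" list in place of a real breach corpus, and the specific rules (15-character minimum, three-word passphrase, no username) are assumptions chosen for the example. The lookup uses the hash-prefix pattern that breach-corpus services commonly expose: only the first five hex characters of the SHA-1 leave the client, and the full-hash comparison happens locally.

```python
import hashlib
from typing import List, NamedTuple, Set

# Constructed sample corpus for this example. Real deployments query a vendor
# or public breach corpus; the four entries below are made up here, stored as
# uppercase SHA-1 hex digests, the format such services typically use.
_SAMPLE_COMPROMISED = ["Password123!", "Summer2024", "Welcome1", "Insurance2025"]
COMPROMISED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_COMPROMISED
}


class PolicyResult(NamedTuple):
    ok: bool
    reasons: List[str]


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as uppercase hex (corpus format, not a storage hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str, corpus: Set[str] = COMPROMISED_SHA1) -> List[str]:
    """k-anonymity style lookup: the caller sends only a 5-hex-char prefix and
    receives every suffix in the corpus that shares it. This stands in for the
    network call to a breach-corpus service; the comparison stays client-side."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [h[5:] for h in corpus if h.startswith(prefix)]


def is_compromised(password: str, corpus: Set[str] = COMPROMISED_SHA1) -> bool:
    """True if the password's SHA-1 appears in the corpus, without ever sending
    the full hash (or the password) to the lookup service."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], corpus)


def check_password(password: str, username: str,
                   corpus: Set[str] = COMPROMISED_SHA1,
                   min_length: int = 15, min_words: int = 3) -> PolicyResult:
    """Evaluate a candidate password against an assumed passphrase policy plus
    the compromised-list check. Returns every failing rule, not just the first,
    so the user (or an audit log) sees the full reason for rejection."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Passphrase rule (assumption): words separated by spaces or hyphens.
    words = [w for w in password.replace("-", " ").split() if w]
    if len(words) < min_words:
        reasons.append(f"fewer than {min_words} words")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if is_compromised(password, corpus):
        reasons.append("found in compromised-password list")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ["Password123!", "correct horse battery staple", "jsmith likes long walks"]:
        result = check_password(candidate, username="jsmith")
        print(f"{candidate!r}: {'accepted' if result.ok else 'rejected: ' + ', '.join(result.reasons)}")
```

The same structure applies to an Active Directory password filter or a scheduled audit of existing accounts: hash, prefix-query, compare locally, and record which rule failed so the audit trail regulators expect is produced as a by-product of enforcement.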
Delivery of phishing-resistant MFA
Specops Secure Access offers MFA methods designed to withstand modern threats such as real-time phishing and MFA fatigue. This is particularly important for high-risk insurance roles such as adjusters, underwriters and customer service teams. The solution supports compliance with MFA requirements under 23 NYCRR 500 and strengthens resilience under DORA and PRA guidance.
Enabling secure self-service password resets
Specops uReset allows users to securely reset passwords from any device, including remote locations, while enforcing strong identity verification. A further benefit is that it reduces the burden on the helpdesk, saving both time and cost.
Protecting the service desk from social engineering
Service desks are a known target for attackers who impersonate brokers, agents or employees. Specops Secure Service Desk ensures that all password resets and account actions made via the helpdesk follow rigorous and auditable identity verification. This reinforces compliance with regulatory expectations for access control oversight and detailed logging.
To learn how Specops can support your identity and authentication strategy, whether by strengthening password security, enforcing stronger policies, or enabling secure password resets, our team is here to help. To explore how we can support your security goals, contact us or visit the Specops blog for further insights.
Last updated on December 15, 2025