The hidden cyber risks in insurance partner networks

It's no secret that cybersecurity is one of the top three priorities across the financial services industries in 2025, not least for insurance. But with artificial intelligence empowering threat actors to quickly pierce insurers' defenses, what more can be done to build up cyber defenses?

Many firms already have solid firewalls in place, as per new data from SecurityScorecard, but vulnerabilities in application security and other areas leave insurers open to attack.

Of the top 150 insurance companies across the globe, a majority were rated 80 out of 100 or higher on overall security measures. Insurance carriers had the highest median score at 90, while agencies, brokers and insurance-specific software providers were tied at the low end with a median security score of 85.

The problem is, while insurers' internal cybersecurity protocols are generally well tuned, weaknesses in third-party partners and their integrations can lead to a false sense of security.

Vendor and in-house compromises of MOVEit file transfer software were the top products enabling third-party data breaches, at 7% and 5% respectively. Ranking a close third was the third-party administration of employee benefit programs at 4%.

Other noteworthy vulnerabilities included law firms, outsourced insurance claim processing, administrative services for healthcare providers and many others.

Read more: Generative AI and evolving threats are reshaping the insurance industry

AI, and generative models in particular, has become a double-edged sword in the insurance industry. While the technology promises to bring increased worker efficiency through handling monotonous tasks, it can also lead to significant compliance and data privacy headaches.

Chris Corrado, chief executive of the Americas for the Switzerland-based generative AI provider Squirro, told Digital Insurance that while AI usage "within an insurer's own tech stack" keeps customer information within the jurisdiction of the firm, the same can't be said for models in "a multi-tenant public cloud such as AWS and Google Cloud Platform."

"While these options offer scalable and cost-effective ways for deploying Gen AI, they can not only raise issues with security, but can often lead to insurance organizations having limited visibility as to where customers' sensitive information may travel," Corrado said.

Recommendations from Corrado to minimize the risk of a leak include anonymizing customer personally identifiable information, signing strong data processing agreements and using enterprise large language models.

Read more: Developing strategies to bridge commercial & personal cyber risks

Learn more about how insurers can better protect themselves and their customers from hacking attempts below.

How can insurers get a better grasp on managing third-party breaches?

When it comes to data breaches, the biggest ones aren't always the worst. Large breaches might generate eye-catching headlines, but it's not the number of victims that matters. Rather, it's the severity of the breach — which is determined by the type of data compromised and how it can be used to devastate lives and disrupt businesses.

For cyber insurers and policyholders, increased breach severity adds layers of complexity to an already difficult risk management landscape. TransUnion's State of Omnichannel Fraud Report notes breach severity increased 34% last year — marking the greatest severity level since TransUnion began tracking in 2020.

Individual organizations must think about third-party risk as a double-edged threat. Most entities can be either the point of failure or a downstream victim. Any time an organization relies on another to conduct business — for payroll, recruiting, legal help, web services, etc. — it can potentially be exposed by a vendor's breach. Or it can be the cause of the breach when providing services to other companies.

Read more: Creating a strategy for managing third-party cyber breaches, opinion by Matt Cullina, head of TransUnion's global cyber insurance business

Retirement accounts are prime hacking targets. What can be done to fix that?

For Richard Clarke, chief insurance officer at Colonial Surety, the time is now for small and medium-sized retirement plan sponsor businesses to reinforce their cybersecurity defenses and ward off AI-powered breaches.

"Plan sponsors, particularly those SMBs who have fewer resources, are facing mounting pressure to educate participants on recognizing cyber risks, and implementing safeguards to protect against potential cyber attacks, all while managing their ERISA compliance requirements to avoid an alleged fiduciary breach," Clarke told Digital Insurance.

Elderly retirement account holders are often the target of choice for threat actors, as SMBs are vulnerable to hacks through third-party partnerships that can be exploited using hacking and phishing attempts, password breaches and more.

Read more: Small retirement plans need stronger cybersecurity to insure accounts

How a solid cyber governance framework can bolster companies of all sizes

Cyber insurance enables global commerce in the wake of cyber risk. Maturing into this imperfect aspect of the global economy in real-time has been turbulent, impacting the processes of both underwriting and claims.

The 2024 NAIC Cyber Insurance Report demonstrates the cost of inadequate cyber risk management. For the top 20 cyber insurers by market share, $274 million was collected in policy premiums and $107 million was paid out in claims.

Security solution efficacy, also known as catch rate, is a key component to understanding the cost of risk. Even mediocre security solutions can be better fortified if the organization has a strong governance, risk and compliance (GRC) program.

Read more: Why GRC programs could benefit cyber insurance, opinion by Keely Wilkins, global program manager for Insurance Partnerships

When it comes to misinformation, trust has to be earned before verification

Technological advancements have rapidly outpaced our human ability to adapt. That presents an opportunity for malignant actors to easily present false information in increasingly credible ways. These hackers and privacy thieves exploit our struggle to adapt to a world that's changing faster than our minds can respond.

But that doesn't mean we're helpless or hopeless.

In this environment, business leaders can take steps to ensure that they, and their employees, have the tools and resources to judge what's true or what's false.

Below we take a look at five pillars of effective fact-checking—opportunities for staff at all levels of the organization to authenticate the information being consumed and the sources that information comes from.

Read more: Combating misinformation strategy: Verify, then trust, opinion by Erich Kron, a security awareness advocate for KnowBe4

Ransomware is still an expensive problem, but costs are stabilizing

Ransomware price tags are a growing worry for insurers of all sizes, as threat actors hold proprietary data hostage for multimillion-dollar sums. But new data from Coalition concludes that the price tag and frequency of ransoms are cooling off.

The firm's 2025 Cyber Claims Report stated that ransom demands fell by 22% to $1.1 million on average, with 44% of policyholders electing to pay the ransom. Global claims frequency decreased slightly by 7% and ransomware claims frequency also dropped by 3%.

"While overall claims have stabilized, cyber attackers, and ransomware actors in particular, still pose a tremendous threat to businesses, with the average demand still in the millions of dollars. Unfortunately, ransomware is already back with a vengeance in 2025, as March held the highest volume of public ransomware cases of all time," Robert Jones, global head of claims at Coalition, said in a press release.

Read more: Ransomware claims costly but stabilized in 2024, Coalition
