When Insurers Become Targets: Cyber Threats Mirror Underwritten Risks


Key Takeaways

  • Insurers set cybersecurity standards for policyholders but still exhibit internal weaknesses, especially in credential handling, backup definitions, and patching cadence.
  • Immutable backups are widely used, yet the lack of a universal definition creates inconsistency in what qualifies as “immutable” across carriers and their clients.
  • Recovery time objective (RTO) testing is often limited to ideal, single‑system scenarios, which may overstate an insurer’s true resilience during a large‑scale breach.
  • While multi‑factor authentication (MFA) is enforced for admin accounts, many carriers still permit less secure methods (SMS, email, push) that threat actors routinely exploit.
  • Automated patch deployment is common, but only about half of insurers apply security patches monthly, leaving windows open for rapid exploitation of newly disclosed vulnerabilities.
  • Split tunneling, adopted to improve user experience, can undermine VPN protections and hinder forensic investigations.
  • Human‑focused testing (e.g., Help Desk social‑engineering simulations) is recognized as essential, reflecting a broader shift toward defending both technology and people.

Overview of the Report
The Insurance Information Institute, in partnership with breach‑recovery firm Fenix24, released a joint study examining the cybersecurity posture of insurance carriers. Although insurers routinely evaluate cyber risk, impose security requirements on policyholders, and manage incident response, they remain attractive targets because of the vast amounts of sensitive data they hold and their systemic importance to the economy. The report highlights that while many carriers follow strong security fundamentals, notable gaps persist in credential management, backup definitions, and patch‑deployment practices.

Market Context and Claim Trends
In 2024 the global cyber‑insurance market generated $15.3 billion in gross written premiums, with a projected rise to $16.3 billion in 2025 (Munich Re). Ransomware continues to be the primary driver of insured cyber losses, yet it accounted for only 19 % of reported cyber claims in 2023. The majority of claims—56 %—stemmed from business‑email compromise or funds‑transfer fraud, underscoring the evolving threat landscape that insurers must address both for themselves and their policyholders.

Backup and Recovery Readiness
Immutable backups—data copies that cannot be altered or deleted—are regarded as a cornerstone of cyber resilience. Most surveyed insurers reported implementing immutable backups across critical assets such as cloud repositories, databases, email systems, file servers, and network configurations. However, the study flagged a significant concern: there is no universally accepted definition of what constitutes an “immutable” backup. Consequently, one carrier’s interpretation may fall short of another’s expectations, creating confusion for risk managers evaluating vendor or carrier security postures.
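One way to close the definitional gap the report describes is to write the definition down and check backup targets against it. The following is an added example (not code from the report or from Fenix24); the criteria, thresholds and the sample inventory are assumptions chosen for illustration, and the lock-mode names follow AWS S3 Object Lock (COMPLIANCE versus GOVERNANCE), where governance-mode retention can still be overridden by a principal holding `s3:BypassGovernanceRetention` while compliance-mode retention cannot be shortened or deleted by any user until it expires.

```python
"""Make an 'immutable backup' definition explicit and machine-checkable.

Added example; the criteria below are one defensible definition chosen here as an
assumption, not the I.I.I./Fenix24 report's. Lock-mode names follow AWS S3 Object
Lock (COMPLIANCE vs GOVERNANCE); other platforms have equivalents.
"""
from dataclasses import dataclass
from typing import List, Optional

MIN_RETENTION_DAYS = 30          # assumption: retention must outlast attacker dwell time before encryption
MAX_RESTORE_TEST_AGE_DAYS = 90   # assumption: an untested backup is not a backup


@dataclass
class BackupTarget:
    name: str
    versioning: bool               # earlier versions kept when an object is overwritten
    lock_mode: Optional[str]       # "COMPLIANCE", "GOVERNANCE", or None (no retention lock)
    retention_days: int            # retention applied to each new backup copy
    separate_credentials: bool     # backup store not reachable with production admin credentials
    last_restore_test_days: int    # days since a successful restore from this target was proven


def gaps(t: BackupTarget) -> List[str]:
    """Return why the target is NOT immutable under this definition; an empty list means it passes."""
    reasons = []
    if not t.versioning:
        reasons.append("no versioning: an overwrite replaces the only copy")
    if t.lock_mode is None:
        reasons.append("no retention lock: a single delete call removes the backup")
    elif t.lock_mode == "GOVERNANCE":
        reasons.append("GOVERNANCE mode: a principal with s3:BypassGovernanceRetention can still delete")
    elif t.lock_mode != "COMPLIANCE":
        reasons.append(f"unrecognised lock mode {t.lock_mode!r}")
    if t.retention_days < MIN_RETENTION_DAYS:
        reasons.append(f"retention {t.retention_days}d is below the {MIN_RETENTION_DAYS}d minimum")
    if not t.separate_credentials:
        reasons.append("shares production credentials: a domain-admin compromise reaches the backups")
    if t.last_restore_test_days > MAX_RESTORE_TEST_AGE_DAYS:
        reasons.append(f"last successful restore test was {t.last_restore_test_days}d ago")
    return reasons


def assess(inventory: List[BackupTarget]) -> dict:
    """Map each target name to its list of gaps."""
    return {t.name: gaps(t) for t in inventory}


# constructed sample inventory (not real carrier data)
INVENTORY = [
    BackupTarget("claims-db",   True,  "COMPLIANCE", 90, True,  30),
    BackupTarget("file-server", True,  "GOVERNANCE", 30, False, 60),
    BackupTarget("mail-export", False, None,          7, True,  400),
]

if __name__ == "__main__":
    for name, reasons in assess(INVENTORY).items():
        print(name, "IMMUTABLE" if not reasons else "NOT immutable")
        for r in reasons:
            print("   -", r)
```

The useful output is the list of reasons, not the verdict: two carriers can both say "immutable" while one of them has every copy deletable by the same domain administrator whose account the ransomware operator already holds.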

Regarding recovery time objectives (RTO), most participants claimed they meet their established RTO targets for highest‑priority systems. An RTO is the maximum time a system may remain unavailable after an incident before the outage causes unacceptable harm. Nevertheless, the report warns that RTO tests are frequently conducted under ideal conditions and limited to individual systems. Best practice is to test full‑network recovery scenarios, since restoring one server in isolation does not exercise the ordering, capacity and dependency problems of rebuilding an entire environment; an insurer that can restore a single server quickly may still falter when a coordinated attack takes down many systems at once.
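The gap between a single-system RTO test and whole-environment recovery can be made concrete with a small scheduling model. This is an added example, not from the report: the estate, restore times (in hours), dependencies and the number of parallel restore streams are all constructed for illustration. Systems are restored in dependency order, each starting only when everything it needs is back and a restore stream is free; the makespan is the honest RTO for the environment.

```python
"""Compare single-system RTO with the time to bring a dependent estate back.

Added example, not from the report. Restore times (hours) and dependencies are
constructed for illustration; `workers` is how many restore jobs the backup
platform can run in parallel.
"""
import heapq
from typing import Dict, List, Tuple

# constructed estate: name -> (restore hours, systems that must be up first)
SYSTEMS: Dict[str, Tuple[int, List[str]]] = {
    "dns":        (1, []),
    "ad":         (3, ["dns"]),
    "pki":        (2, ["ad"]),
    "db-policy":  (6, ["ad"]),
    "db-claims":  (5, ["ad"]),
    "app-claims": (2, ["db-claims", "pki"]),
    "app-policy": (2, ["db-policy", "pki"]),
    "email":      (4, ["ad"]),
    "portal":     (3, ["app-claims", "app-policy"]),
}


def single_system_rto(systems: Dict[str, Tuple[int, List[str]]], name: str) -> int:
    """What a 'restore one server' test measures: that system's own restore time only."""
    return systems[name][0]


def full_recovery(systems: Dict[str, Tuple[int, List[str]]], workers: int) -> Tuple[int, Dict[str, int]]:
    """Event-driven list scheduling over the dependency graph.

    Returns (makespan, finish time per system). A system starts only when all of its
    dependencies have finished and one of `workers` restore streams is free.
    """
    deps = {n: set(d) for n, (_, d) in systems.items()}
    for n, d in deps.items():
        unknown = d - set(systems)
        if unknown:
            raise ValueError(f"{n} depends on unknown system(s): {sorted(unknown)}")
    done, started, finish = set(), set(), {}
    running: List[Tuple[int, str]] = []  # min-heap of (finish_time, name)
    t = 0
    while len(done) < len(systems):
        ready = [n for n in systems if n not in started and deps[n] <= done]
        while ready and len(running) < workers:
            n = ready.pop(0)
            started.add(n)
            heapq.heappush(running, (t + systems[n][0], n))
        if not running:  # nothing running and nothing startable: the graph has a cycle
            raise ValueError("dependency cycle: recovery can never complete")
        t, n = heapq.heappop(running)
        done.add(n)
        finish[n] = t
    return t, finish


if __name__ == "__main__":
    print("single-system RTO for portal:", single_system_rto(SYSTEMS, "portal"), "h")
    for w in (1, 2, len(SYSTEMS)):
        makespan, _ = full_recovery(SYSTEMS, w)
        print(f"full recovery with {w} parallel restore stream(s): {makespan} h")
```

On the constructed estate the portal restores in 3 hours on its own, but the whole environment takes 15 hours even with unlimited parallelism (the critical path through DNS, the directory, the policy database and the policy application) and 16 hours with two restore streams. A test that only ever restores the portal never sees either number.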

Credential Vulnerabilities and Access Controls
All participating insurers use corporate password vaults and enforce strong password complexity, with average user passwords exceeding 13 characters. Despite these basics, several carriers still run domain‑joined software‑as‑a‑service (SaaS) accounts, meaning access to cloud services rides on the same corporate domain credentials as the internal network, so a single compromised domain credential opens both. The report recommends segmented identity architectures so that the compromise of one credential set does not cascade across every environment.

On multi‑factor authentication (MFA), every respondent requires authenticator apps or hardware tokens for administrative accounts, a strong baseline. However, many insurers continue to allow weaker second factors such as SMS messages, phone calls, email, or device push notifications. These are substantially better than no MFA, but SMS and voice codes can be captured through SIM swapping, any one‑time code or push approval can be relayed in real time by a phishing proxy sitting between the user and the genuine login page (an adversary‑in‑the‑middle attack), and push prompts can simply be repeated until a tired user taps "approve". Threat actors exploit all three routinely.
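The difference between a relayable factor and a phishing-resistant one is easiest to see by running both through the same proxy. The block below is an added example (not from the report) that models a look-alike login page relaying whatever the victim submits to the real site. The one-time-code side follows RFC 6238 exactly; the WebAuthn side is simplified so it runs with the standard library only (an HMAC under a per-credential key stands in for the authenticator's ECDSA signature), but the origin and RP-ID checks are the ones a real relying party performs. The origins and domain names are assumptions.

```python
"""Why an OTP relayed by a phishing proxy works but a FIDO2/WebAuthn assertion does not.

Added example, not from the report. TOTP follows RFC 6238. The WebAuthn side is a
simplification: the authenticator's ECDSA signature is stood in for by an HMAC under
a per-credential key so this runs with the standard library; the origin and RP-ID
checks are the real ones.
"""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://portal.insurer.example"           # assumed relying-party origin
REAL_RP_ID = "portal.insurer.example"
PHISH_ORIGIN = "https://portal.insurer-login.example"    # assumed look-alike proxy domain


# --- one-time codes (authenticator app, SMS, email): a bearer value anyone can replay in-window ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)


def rp_verify_totp(secret: bytes, code: str, at: int) -> bool:
    return hmac.compare_digest(code, totp(secret, at))


def aitm_relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code shown by their app into the proxy; the proxy relays it 2 s later."""
    code_typed_into_phish_page = totp(secret, now)
    return rp_verify_totp(secret, code_typed_into_phish_page, now + 2)


# --- WebAuthn-style assertion: the browser binds the origin it is really on into the signed data ---
def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str) -> dict:
    rp_id = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]   # effective domain of the page
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash|flags|signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()        # stand-in for ECDSA
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": signature}


def rp_verify_assertion(cred_key: bytes, a: dict, challenge: str) -> bool:
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:                                     # origin check defeats the proxy
        return False
    if a["authenticatorData"][:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():  # rpIdHash check
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    return hmac.compare_digest(a["signature"], hmac.new(cred_key, signed, hashlib.sha256).digest())


def aitm_relay_webauthn(cred_key: bytes, challenge: str) -> bool:
    """Victim taps their key on the phishing page; the proxy forwards the assertion unchanged."""
    return rp_verify_assertion(cred_key, browser_get_assertion(cred_key, PHISH_ORIGIN, challenge), challenge)


def genuine_webauthn(cred_key: bytes, challenge: str) -> bool:
    return rp_verify_assertion(cred_key, browser_get_assertion(cred_key, REAL_ORIGIN, challenge), challenge)


if __name__ == "__main__":
    seed, key, now, chal = b"12345678901234567890", b"per-credential-key", 1_700_000_000, "c29tZS1ub25jZQ"
    print("OTP relayed through phishing proxy accepted:", aitm_relay_totp(seed, now))          # True
    print("WebAuthn relayed through phishing proxy accepted:", aitm_relay_webauthn(key, chal))  # False
    print("WebAuthn on the real origin accepted:", genuine_webauthn(key, chal))                 # True
```

The code the user types is the same string wherever they type it, so the proxy wins. The assertion is different because the browser, not the page, writes the origin into `clientDataJSON`, and the authenticator hashes the RP ID it was actually asked to sign for; both end up under the signature, and the real site rejects them. A push approval has the same weakness as the code: it is a yes/no with nothing binding it to the site the user thought they were on.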

Patching, Testing, and the Human Element
Penetration testing is universal among the surveyed carriers, including Help Desk social‑engineering simulations designed to thwart groups like Scattered Spider that manipulate employees into resetting passwords. This practice reflects an emerging acknowledgment that defending human targets is as vital as securing technical infrastructure—a lesson equally applicable to policyholders shaping their own security programs.

Automated patch‑deployment systems are in place across all participants, yet only about half deploy security patches on a monthly cadence. Given that modern adversaries often exploit newly disclosed vulnerabilities within hours or days, this interval can leave critical windows open for attack. The report urges carriers to adopt more aggressive patch cycles, ideally integrating threat‑intelligence feeds to prioritize urgent fixes.
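A patch cycle that waits for the next monthly window treats a vulnerability already being exploited the same as a low-severity one that is not. The block below is an added example (not from the report) of the kind of triage the report is pointing at: findings are scored with the signals threat-intelligence feeds supply (membership in CISA's Known Exploited Vulnerabilities catalog, an EPSS exploitation probability, whether the asset is internet-facing) and given a due date, and the output flags which ones the monthly window would miss. The tiers, thresholds, dates and placeholder vulnerability IDs are constructed assumptions.

```python
"""Patch triage driven by threat intelligence rather than a fixed monthly cycle.

Added example, not from the report. Tier thresholds and SLA days are assumptions
chosen for illustration; the inputs mirror what KEV membership, EPSS probability
and asset exposure data provide. Vulnerability IDs are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Finding:
    vuln_id: str
    cvss: float
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalog
    epss: float               # EPSS probability of exploitation in the next 30 days
    internet_exposed: bool    # asset reachable from the internet
    disclosed: date           # public disclosure date


def sla(f: Finding) -> Tuple[str, int]:
    """Map a finding to (tier, days allowed from disclosure). Thresholds are assumptions."""
    if f.in_kev or (f.epss >= 0.5 and f.internet_exposed):
        return "emergency", 3
    if f.cvss >= 9.0 and f.internet_exposed:
        return "critical", 7
    if f.cvss >= 7.0:
        return "high", 14
    return "routine", 30


def triage(findings: List[Finding], next_monthly_window: date) -> List[Dict]:
    """Return findings ordered by due date, with how late the monthly window would be for each."""
    rows = []
    for f in findings:
        tier, days = sla(f)
        due = f.disclosed + timedelta(days=days)
        rows.append({
            "vuln_id": f.vuln_id,
            "tier": tier,
            "due": due,
            "days_late_if_monthly": max(0, (next_monthly_window - due).days),
        })
    return sorted(rows, key=lambda r: r["due"])


# constructed findings (placeholder IDs, not real CVEs)
FINDINGS = [
    Finding("VULN-A", 9.8, True,  0.90, True,  date(2025, 3, 3)),
    Finding("VULN-B", 9.1, False, 0.20, True,  date(2025, 3, 10)),
    Finding("VULN-C", 7.5, False, 0.10, False, date(2025, 3, 12)),
    Finding("VULN-D", 5.3, False, 0.01, False, date(2025, 3, 1)),
]
MONTHLY_WINDOW = date(2025, 3, 25)  # constructed: the next scheduled patch night

if __name__ == "__main__":
    for r in triage(FINDINGS, MONTHLY_WINDOW):
        late = f"{r['days_late_if_monthly']}d late" if r["days_late_if_monthly"] else "on time"
        print(f"{r['vuln_id']}  {r['tier']:<9} due {r['due']}  monthly window: {late}")
```

On the constructed data the monthly window arrives 19 days after the emergency finding's due date and 8 days after the critical one's; only the high and routine findings fit a monthly cadence. Wiring the KEV and EPSS feeds into the deployment tool turns this from a spreadsheet exercise into an automatic out-of-cycle push.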

Additionally, some insurers employ split tunneling to route employee web traffic outside the VPN for performance gains. While this improves user experience, it also exposes endpoints to phishing, malware, and man‑in‑the‑middle threats, and it can degrade the fidelity of post‑incident forensic data by bypassing VPN logging mechanisms.

Conclusion and Recommendations
The report closes with a salient observation: “The difference between resilience and disaster lies not in perfect prevention but in systematic preparation, validated recovery capabilities and organizational commitment to continuous security improvement.” Insurers are encouraged to:

  1. Standardize Definitions – Adopt industry‑wide criteria for immutable backups and disclose them to policyholders.
  2. Broaden RTO Testing – Conduct full‑network, multi‑system recovery drills under realistic attack conditions.
  3. Tighten Credential Controls – Move away from domain‑joined SaaS accounts and enforce phishing‑resistant MFA (e.g., FIDO2 hardware keys) for all privileged access.
  4. Accelerate Patching – Shift to weekly or real‑time patch deployment for critical vulnerabilities, supplemented by zero‑trust network segmentation.
  5. Reevaluate Split Tunneling – Limit its use to non‑sensitive workloads or enforce equivalent security controls (e.g., browser isolation, DNS filtering) for traffic that exits the VPN.
  6. Invest in Human‑Centric Testing – Regularly conduct social‑engineering exercises and security awareness training that evolve with threat tactics.

By addressing these gaps, insurers can better protect their own infrastructures while continuing to offer credible, robust cyber‑insurance coverage to their clients.
