Third-party breaches expose 59% of cyber incidents in global insurance sector
February 10, 2025
Joy Agwunobi
A new report has revealed that third-party cyber breaches account for 59 per cent of security incidents among the world’s top 150 insurance companies, exposing serious vulnerabilities in the sector’s supply chain.
The study, conducted by SecurityScorecard, a third-party risk management firm, underscores how the insurance industry’s reliance on an intricate web of carriers, reinsurers, brokers, claims processors, and IT service providers increases its exposure to cyber threats.
The report, titled The Insurance Industry Supply Chain Problem, highlights systemic risks that endanger the security of financial and personal data within the sector.
The findings indicate a concerning rate of breaches in the insurance industry, with 28 per cent of companies reporting security incidents, surpassing the 21 per cent recorded among S&P 500 firms and significantly exceeding the 14 per cent breach rate in the U.S. energy sector.
Third-party software and IT suppliers were identified as the primary sources of breaches, accounting for half of all third-party-related incidents. Insurance carriers emerged as the most affected group, representing 50 per cent of companies impacted, despite comprising only 27 per cent of the studied sample.
The study further uncovered alarming trends in credential security, revealing that over half of insurance firms had at least one compromised credential within the past two years. Malware infections and device compromises were also prevalent, affecting 17 per cent of firms over the last year.
SecurityScorecard’s evaluation pointed to weaknesses in key cybersecurity areas, particularly application security, DNS health, and network security, with DNS health being an often-overlooked risk factor.
SecurityScorecard’s STRIKE team recommended a reassessment of cybersecurity strategies across the industry, particularly in how insurers manage third-party risks. Strengthening oversight of IT vendors and brokers, ensuring that vendors have robust risk management frameworks, and addressing the often-ignored risks posed by fourth-party suppliers were cited as essential measures.
The report also warned against paying ransomware demands, stressing that such payments not only embolden cybercriminals but could also lead to legal consequences and offer no guarantee of data recovery.
The study analysed publicly available breach records and cybersecurity ratings of major insurance firms, categorising the industry’s supply chain into carriers, reinsurers, agencies, brokers, third-party claims processors, and insurance-specific IT providers.
Andrew Correll, Senior Director of Cyber Insurability at SecurityScorecard, emphasised the pressing need for a shift in the industry’s cybersecurity priorities, noting that insurers’ reliance on technology has outpaced their ability to protect it.
“Cyber risks don’t stop at the first layer of defence — they extend deep into the supply chain, where vulnerabilities are harder to detect and even harder to mitigate. Addressing these risks requires a shift in how the industry prioritises third-party security,” Correll added.