An analysis of the insurance industry’s cybersecurity posture shows nearly a quarter of companies received unsatisfactory scores.
A recent cybersecurity report by SecurityScorecard highlighted critical insights into various risks concerning the insurance sector, indicating weaknesses in third-party relationships, the power of ransomware and geographic variations in security postures.
The report organizes the supply chain into five main segments: insurance carriers; reinsurance; agencies and brokers; third-party claims processors and administrators; and insurance-specific software and IT products and services.
A key finding was that 23% of companies in the sector received poor security grades. However, in comparison to other industries, the insurance sector appears to do well, with an average score of 86 out of 100—the median is 88. That aligns with the U.S. energy industry (86/88), global aviation (85/88) and the 150 top technology vendors (84/87). The insurance industry falls behind the U.S. healthcare and pharmaceuticals industry and the S&P 500, both of which average 88/89.
In the insurance sample, 77% of companies earned strong (A) or good (B) ratings, while 23% fell into weak, deficient, or bad categories (C, D, or F), according to the report.
The report advises carriers to focus on these underperformers.
“Their partners across all four other insurance segments score even lower, increasing third-party risk,” the report states. “This heightened exposure likely explains why insurance carriers are overrepresented among breached insurance companies—both in general and for third-party breaches in particular.”
The third-party breach rate in the sample (59%) was the highest that SecurityScorecard has documented so far, and more than twice the global cross-industry average. The leading cause (37%) of actual third-party breaches, general cross-industry software and IT products and services, originated outside the insurance sector, according to the report.
Primary security troubles within the insurance industry also included unencrypted cookies, vulnerabilities in DNS health, and weak SSL/TLS protocols. More than half (56%) of companies had compromised credentials in the past two years. U.S.-based carriers had the most compromised credentials.
The implications for insurance carriers include:
- Insurance carriers and reinsurance providers have the highest average scores, while agencies and brokers and insurance-specific software and IT vendors score the lowest.
- Breach rates were highest for the U.S. insurance industry overall, including both carriers and agencies.
- Of the 42 breached companies, 12 experienced multiple breaches. These multi-breach firms were mostly U.S.-based carriers or agencies & brokers.
Ransomware remained the top threat to the industry, overshadowing other threats.
“A strong correlation exists between ransomware and third-party breaches, and their overlap is significant,” the report states. “Third-party attack vectors let ransomware operators scale their operations efficiently, infecting many targets at once.”