SecurityScorecard on Cyber Risks in Insurance Supply Chains

SecurityScorecard explores the cybersecurity state of the insurance industry's supply chain (Credit: SecurityScorecard)
SecurityScorecard’s report assesses cybersecurity health in the insurance industry’s supply chain across 150 top insurance firms

Cybersecurity ratings company SecurityScorecard has released a report that dissects the cybersecurity health of the insurance industry's supply chain, with the aim of showing how insurers can strengthen their security posture.

The report evaluates 150 top insurance firms across the world and uses breach data and SecurityScorecard ratings to assess cybersecurity health. 

It spotlights how cybersecurity vulnerabilities were present in five core areas - insurance carriers, reinsurance providers, agencies & brokers, third-party claims processors and insurance-specific software & IT providers.

With 59% of breaches caused by third-party attack vectors, SecurityScorecard highlights a key systemic issue in the insurance industry’s cybersecurity. 

Andrew Correll, Senior Director of Cyber Insurability at SecurityScorecard, explains: “Insurance companies’ reliance on technology to manage daily operations has outpaced their ability to secure it. 

“Cyber risks don’t stop at the first layer of defense — they extend deep into the supply chain, where vulnerabilities are harder to detect and even harder to mitigate.

“Addressing these risks requires a shift in how the industry prioritises third-party security.”


Why do insurance organisations face supply chain vulnerabilities?

The vast network of third-party vendors that insurance organisations rely on for claims processing, operations and data management means they frequently face cybersecurity vulnerabilities in their supply chains.

The insurance industry is also a key target for data breaches, ransomware attacks and fraud due to the fact it handles large amounts of sensitive customer data.

This, combined with the fact that the legacy IT systems often found in insurance lack modern security controls and that vendors frequently have weaker security than the insurers they serve, means cybercriminals can often exploit these organisations through their supply chain.

Insurers must build robust third-party risk assessment and continuous monitoring to avoid the operational, financial and reputational harm that follows a supply chain cyber attack.

The security of the insurance industry

At first glance, the insurance industry appears to be in a sound security position, with an average security score roughly in line with other industries (86 versus 88).

However, 28% of companies reported breaches, twice the rate of the U.S. energy industry (14%), highlighting significant supply chain vulnerability across the insurance industry.

Application security (40%), DNS Health (29%) and network security (20%) emerge as the most common weak points.

Key facts
  • Third-party breaches reach 59% (double the global average of 29%)
  • Third-party software & IT caused 50% of these breaches
  • Malware infections and device compromises affected 17% of companies
  • 77% of companies earned A or B grades for security scores
  • The highest breach rate was found among U.S. companies

Across the industry, agencies & brokers and IT vendors & insurance-specific software scored the lowest and insurance carriers and reinsurance brokers were the most frequently breached.

Outsourced services and third-party claims processors are frequent breach points, exposing sensitive customer data.

This score gap between carriers and the vendors they depend on increases carriers' third-party risk and their exposure to cyber attacks.


Cybersecurity recommendations for the insurance industry

SecurityScorecard highlights several recommendations for the insurance industry to help enhance security against cyber attacks, including:

Strengthen Third-Party Risk Management (TPRM)

  • Carriers should focus on vetting partners and vendors with low security scores
  • Focus on agencies, brokers, software & IT providers and third-party claims processors 

Doing so helps ensure compliance with regulatory standards, mitigates financial risk from third-party vulnerabilities and improves operational continuity.

Do Not Pay Ransoms

  • Paying sanctioned entities creates legal risk
  • Payment encourages further attacks
  • No guarantee of data restoration

This will reduce the profitability of ransomware attacks, lower overall threat levels and discourage cybercriminals from targeting the insurance industry. 

SecurityScorecard also emphasised the importance of heightened TPRM for U.S. and Chinese companies, and of ensuring that vendors themselves run sound TPRM programmes.

Doing so protects sensitive customer data and mitigates financial and operational risk.

As cybersecurity risks in insurers' supply chains evolve, insurers must adopt proactive security measures to enhance resilience, improve regulatory compliance and protect their long-term stability.




InsurTech is a BizClik brand
