Are AI-Powered Cyber Threats Reshaping Insurance Risks?

Zeki Turedi, Field CTO for Europe at CrowdStrike
CrowdStrike’s Zeki Turedi urges AI-native defence and visibility as AI-driven attacks expose insurers and insurtechs to risk across underwriting, claims and data

Today’s cyber threat landscape is defined by speed, deception and AI-driven precision – a combination with serious implications for the insurance sector.

For insurers and insurtechs, identity has become a critical battleground. From digital distribution and embedded insurance to real-time claims automation, every interaction relies on trusted identities and secure access to highly sensitive policyholder and partner data.

As adversaries such as SCATTERED SPIDER adapt and refine their tactics to exploit both human and systemic vulnerabilities, the attack surface for digital insurance platforms continues to expand.

Criminals can now weaponise AI to scale social engineering, compromise identities and move laterally across cloud-native environments that underpin modern insurance offerings.

To keep pace, organisations must rethink how they detect, respond to and outpace these attacks, says Zeki Turedi, Field CTO for Europe at CrowdStrike.

For insurance and insurtech leaders, this means embracing AI-native defence, investing in end-to-end visibility across the AI and data lifecycle and treating identity as the new security perimeter.

In this Q&A with InsurTech Digital, Zeki explores the rise of agentic defence, the development of AI Detection and Response (AIDR) and how cross-sector collaboration is transforming the fight against modern cybercrime. He also touches on what this means for the future of digital insurance.

What made SCATTERED SPIDER’s tactics unique among eCrime groups?

SCATTERED SPIDER became known for its aggressive, identity-focused tradecraft that set them apart from other eCrime groups. 

After a relatively quiet period, the group re-emerged in 2025, with campaigns targeting aviation, insurance and retail.

Their hallmark technique is to voice phish – or vish – help desk employees via social engineering, where they impersonate employees, provide accurate identity details and convince support staff to reset passwords or MFA. 

Within minutes, the adversary is typically able to register their own devices for authentication, access Microsoft 365 and other SaaS applications, cover their tracks by deleting alerts and move laterally across corporate networks.

What makes them unique is both the speed and precision of these operations. Help desks are often targeted to gain access to accounts belonging to IT and security staff, as they typically have permissions to documentation on network architecture, security tooling and incident response procedures. 

The group has also gone after C-suite executives' accounts, likely due to their access to sensitive data, communications and other resources that may support data theft and extortion. 

Once inside, they pivot quickly, use identity compromise to exfiltrate large volumes of data, escalate privileges and, in some cases, move from account takeover to ransomware deployment in as little as 24 hours.

Their ability to combine social engineering, hands-on-keyboard tactics and identity abuse allows them to bypass heavily monitored endpoints and disrupt critical sectors more effectively than most eCrime peers.

Which industries suffered most from their attacks and why?

In 2025, SCATTERED SPIDER focused on industries where disruption has immediate, high-impact consequences.

The aviation industry is attractive to the group because of its reliance on continuous operations, interconnected systems and the sensitive information involved. 

Insurers are valuable targets due to the sensitivity of the data they hold and their critical role in financial services. 

Retailers, meanwhile, are often exposed due to large workforces, distributed IT environments and the potential for maximum pressure through downtime. 

By combining social engineering with rapid privilege escalation, SCATTERED SPIDER was able to exploit identity and process weaknesses in these sectors and turn them into leverage for extortion and ransomware.

How did public-private collaboration shape this law enforcement response?

When law enforcement and private industry share critical threat intelligence and act decisively, cyber operations that inflict real damage on global businesses can be disrupted, such as in the case of the arrests of two members of SCATTERED SPIDER.

What shifts do you anticipate in ransomware operations after these arrests?

The arrests represent a significant blow and will likely degrade SCATTERED SPIDER’s operations in the near term.

More importantly, they send a message: cybercriminals who aggressively extort and disrupt are not beyond reach. 

What immediate actions should businesses take to defend against similar threats?

Defending against adversaries like SCATTERED SPIDER starts with identity. Companies should enforce phishing-resistant MFA and lock down help desk processes so attackers cannot use them to reset credentials or enrol new devices.

Just as important is detection and monitoring.

Organisations need to understand their key technology stacks, whether a virtual cluster running critical applications or a SaaS CRM holding sensitive information, and make sure they are logging and monitoring for authentication anomalies, administrative changes and unusual behaviour on critical systems.

Comprehensive logging and solutions that provide cross-domain analytics such as a next-gen SIEM solution are key, alongside close scrutiny of suspicious application usage, search terms and data access patterns that often reveal malicious activity.

Infrastructure security adds another layer of resilience. 

Segmenting networks, securing VMware environments, applying least-privilege access across cloud systems and disabling outdated authentication methods all limit how far an adversary can move once inside. 

Businesses should also ensure readiness with isolated backups, rehearsed incident response playbooks and help desk and IT staff trained to recognise social engineering attempts.

By strengthening identity, improving visibility and preparing to act quickly, organisations can close the gaps adversaries exploit and stop breaches before they escalate.
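As an added illustration of the authentication-anomaly monitoring recommended above, applied to the intrusion chain described earlier (help-desk MFA reset, then new device enrolment, then alert deletion within minutes), here is a small correlation rule run over constructed identity-log events. This is example code written for this page, not CrowdStrike's or the article's, and the event names, field names and time window are assumptions.

```python
# Added example (not from the article or CrowdStrike): a minimal correlation
# rule over constructed identity-log events, flagging the chain
# help-desk MFA reset -> new MFA device -> security alert deleted.
from datetime import datetime, timedelta

# Constructed sample events. Field and action names are assumptions, not a real schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "it.admin", "action": "helpdesk_mfa_reset", "actor": "support1"},
    {"ts": "2025-06-01T09:04:00", "user": "it.admin", "action": "mfa_device_registered", "actor": "it.admin"},
    {"ts": "2025-06-01T09:09:00", "user": "it.admin", "action": "security_alert_deleted", "actor": "it.admin"},
    {"ts": "2025-06-01T10:00:00", "user": "jane.doe", "action": "helpdesk_mfa_reset", "actor": "support2"},
    # Benign: device enrolled a day after the reset, outside the correlation window.
    {"ts": "2025-06-02T10:00:00", "user": "jane.doe", "action": "mfa_device_registered", "actor": "jane.doe"},
]

# Ordered steps of the chain worth correlating; the first step anchors the window.
CHAIN = ["helpdesk_mfa_reset", "mfa_device_registered", "security_alert_deleted"]


def find_chains(events, window=timedelta(minutes=30), min_steps=2):
    """Return per-user findings where CHAIN steps occur in order within `window`
    of a help-desk reset. Reset plus device enrolment alone is already worth
    review (medium); all three steps raise severity to high."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["action"] != CHAIN[0]:
                continue
            start = datetime.fromisoformat(e["ts"])
            matched, next_idx = [CHAIN[0]], 1
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - start > window:
                    break  # later events are outside the window
                if next_idx < len(CHAIN) and f["action"] == CHAIN[next_idx]:
                    matched.append(f["action"])
                    next_idx += 1
            if len(matched) >= min_steps:
                severity = "high" if len(matched) == len(CHAIN) else "medium"
                findings.append({"user": user, "start": e["ts"], "steps": matched, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding)
```

In practice the same rule would be fed from the SIEM's help-desk, identity-provider and alert-management logs, which is exactly the cross-domain view the answer above calls for.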
