Insurance sector urged to sharpen up third-party risk management as attacks surge
The industry has a worse security record than most, with third-party attacks a particular weakness


Most breaches affecting the insurance industry come about through third-party attacks, with third-party software and IT behind half of them, according to new research.
More than a quarter of companies reported breaches last year, SecurityScorecard found, higher than the S&P 500 average and twice as many as the US energy industry.
Notably, third-party attack vectors were behind 59% of these incidents, the highest proportion the industry has recorded so far and double the global cross-industry average.
More than half the companies had at least one compromised credential in the past two years, and 17% had malware infections and device compromises.
"Insurance companies’ reliance on technology to manage daily operations has outpaced their ability to secure it," said Andrew Correll, SecurityScorecard's senior director of cyber insurability.
"Cyber risks don’t stop at the first layer of defense — they extend deep into the supply chain, where vulnerabilities are harder to detect and even harder to mitigate. Addressing these risks requires a shift in how the industry prioritizes third-party security."
In terms of overall security posture, the top cyber risk factor was application security at 40%, followed by DNS health at 29% and network security at 20%. All three involve weak or missing encryption: weak SSL/TLS protocols, unencrypted redirect chains and unencrypted cookies.
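The three findings named above (weak SSL/TLS protocols, unencrypted redirect chains and unencrypted cookies) are the kind of thing an external posture scan checks. The following is an added example, not SecurityScorecard's or ITPro's code: it runs those three checks over a constructed, offline scan record for a hypothetical host, so the scanner output format and the sample values are assumptions.

```python
# Constructed scan record for one hypothetical host (not real data):
# protocols the server negotiated, the redirect chain a client followed
# from the bare http:// URL, and the Set-Cookie headers returned.
SAMPLE_SCAN = {
    "tls_protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "redirect_chain": [
        "http://example.test/",          # the user's entry point
        "http://www.example.test/",      # extra plain-http hop (finding)
        "https://www.example.test/",
    ],
    "set_cookie": [
        "session=abc123; Path=/; HttpOnly",              # no Secure flag
        "pref=1; Path=/; Secure; SameSite=Lax",
    ],
}

# Protocol versions that are deprecated and count as "weak".
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def weak_tls_protocols(protocols):
    """Return the deprecated protocol versions the server still accepts."""
    return sorted(p for p in protocols if p in WEAK_TLS)


def unencrypted_redirect_hops(chain):
    """Return plain-http hops after the first request.

    The initial http:// request is the client's entry point; every later
    plain-http hop is an unnecessary unencrypted round trip that a
    network attacker could tamper with before the https landing page.
    """
    return [u for u in chain[1:] if u.lower().startswith("http://")]


def insecure_cookies(set_cookie_headers):
    """Return names of cookies set without the Secure attribute."""
    names = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in header.split(";")[1:]}
        if "secure" not in attrs:
            names.append(name)
    return names


def assess(scan):
    """Map each of the three risk categories to its findings (empty = pass)."""
    return {
        "weak_tls": weak_tls_protocols(scan["tls_protocols"]),
        "unencrypted_redirects": unencrypted_redirect_hops(scan["redirect_chain"]),
        "insecure_cookies": insecure_cookies(scan["set_cookie"]),
    }
```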
Meanwhile, ransomware was the top threat to the insurance industry, more so than in most other sectors: every attack attributed to a known threat actor involved ransomware.
The study noted that ransomware and third-party breaches frequently overlap, allowing attackers to infect multiple targets at once via supply chain vulnerabilities.
Interestingly, 30 companies (a fifth of the total sample) experienced at least one third-party breach, and these companies actually had slightly higher mean or median security scores than average.
A possible explanation for this lies in the fact that these scores reflect only the organizations' in-house security postures, and not those of vendors, researchers said.
"This suggests that threat actors deliberately targeted strong organizations through weaker third-party links," they wrote.
"An otherwise robust security program can still falter if partners in its supply chain have weaker security postures, creating opportunities for attackers."
SecurityScorecard urged insurance carriers in particular to strengthen third-party risk management.
"Carriers face elevated third-party risks due to dependencies on low-scoring industry segments, including IT vendors and brokers," said the firm, adding that they should focus on their higher-risk partners to reduce vulnerabilities and address frequent breaches and credential compromises.
Similarly, firms should make sure vendors have their own effective third-party risk management (TPRM) programs. SecurityScorecard said this is a critical risk, but one that’s often overlooked.
This means ensuring vendors have strong TPRM processes to close supply chain gaps and prevent breaches like the MOVEit campaign.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.