How Exposed to Cyber Risks are Insurance Supply Chains?

A new report sheds light on key risks as the insurance sector faces major cybersecurity challenges, with third-party vulnerabilities exposing sensitive data

Cybersecurity risks in the insurance industry are growing, and a new report from SecurityScorecard highlights weaknesses in the industry's supply chain.

The study evaluates 150 top insurance firms worldwide, using breach data and cybersecurity ratings to assess the industry's security health.

The findings point to a significant issue: insurance companies are deeply reliant on third-party vendors and these external partners are a major source of cyber risk.


The insurance sector relies on an extensive network of third-party providers, including claims processors, IT vendors, agencies, brokers and reinsurers.

SecurityScorecard’s report reveals that 59% of breaches stem from these external partners—double the global average of 29%. The weakest areas include application security (40%), DNS health (29%) and network security (20%).

Andrew Correll, Senior Director of Cyber Insurability at SecurityScorecard, stresses the growing complexity of cyber threats. “Insurance companies’ reliance on technology to manage daily operations has outpaced their ability to secure it,” he explains.


“Cyber risks don’t stop at the first layer of defense—they extend deep into the supply chain, where vulnerabilities are harder to detect and even harder to mitigate.”

While insurers typically maintain strong internal security measures, their reliance on external vendors weakens their overall cybersecurity posture. Many of these vendors use outdated IT systems with insufficient security protections, making them prime targets for cybercriminals.

Once a vendor’s system is compromised, attackers can use it as a gateway to access sensitive customer data and disrupt operations.

The cost of cyber weaknesses

At a glance, the insurance sector appears to maintain a solid security position, with an average cybersecurity score of 86/88—comparable to other industries.

However, a closer look at breach data tells a different story. The report shows that 28% of insurance firms have reported breaches, a rate double that of the US energy sector (14%).

SecurityScorecard’s research highlights the specific risks different insurance entities face:

  • Agencies, brokers and IT vendors have the weakest security ratings
  • Insurance carriers and reinsurers are the most frequently breached
  • Third-party software and IT providers are responsible for 50% of breaches
  • Malware infections and device compromises affect 17% of insurance firms

The US insurance industry records the highest number of breaches, but the issue extends globally.

Outsourced services and third-party claims processors create frequent entry points for attackers, increasing exposure to financial, operational and reputational risks.

With insurance companies holding vast amounts of sensitive customer data, the stakes are high. Breaches can lead to regulatory penalties, financial losses and damage to customer trust. Companies must address these supply chain risks to prevent cascading cyber incidents.

SecurityScorecard divided the industry into five supply chain segments and measured their mean and median scores (Source: SecurityScorecard)

Strengthening security in insurance supply chains

SecurityScorecard’s report outlines key recommendations to help insurers reduce cyber risk and strengthen third-party security.

  1. Enhance third-party risk management (TPRM)
    Insurers must conduct thorough security assessments of partners, particularly agencies, brokers, IT vendors and claims processors. Ensuring compliance with regulatory standards will help reduce financial and operational risks.

  2. Avoid paying ransoms
    SecurityScorecard warns against paying cybercriminals after ransomware attacks, as doing so may fund sanctioned entities and encourage further attacks. There is also no guarantee that data will be restored after payment. Reducing the profitability of ransomware attacks helps lower overall threat levels across the industry.

  3. Increase security oversight for vendors
    US and China-based insurance firms are urged to implement stricter third-party risk management programmes. Vendors must demonstrate robust security practices to prevent breaches from spreading through the supply chain.

As insurers navigate evolving cyber threats, taking proactive security measures is essential.

Strengthening third-party risk management, enforcing strict security standards for vendors and resisting ransomware payments will help insurers build resilience and protect sensitive customer data. The industry must act now to close the cybersecurity gaps in its supply chain.



Supply Chain Digital is a BizClik brand.