Insights
Cybersecurity in insurance: Protecting sensitive data in a digital world
Prashanth Krishnamurthy, Insurance Client Partner, UST
In a digital-first world, insurers face relentless cyber threats targeting sensitive customer data. From phishing to ransomware, the stakes are higher than ever. Discover how layered defenses, regulatory compliance, and cyber insurance can protect your business and your customers against costly breaches in an evolving threat landscape.
Prashanth Krishnamurthy, Insurance Client Partner, UST
The 2025 cyber risk reality for insurers
Cyberattacks targeting the insurance sector are expected to continue accelerating in 2025. Finance and insurance remain one of the top three most-attacked industries, facing a relentless barrage of phishing, ransomware, and sophisticated AI-driven threats. With the average data breach in financial services now costing between $5.9 and $6.1 million USD—up 2.3% year-over-year—and incidents like the global CrowdStrike outage causing multi-billion-dollar ripple effects, failing to secure sensitive customer data can be catastrophic.
The July 2024 CrowdStrike incident alone led to an estimated $5.4 billion in losses across the Fortune 500, with the healthcare sector being hit hardest, but insurers and banks suffering substantial second-order impacts. Insured losses are projected to be between $0.54 billion and $1.08 billion, or 10–20% of the event's total losses. The pressure is further compounded by 65% year-over-year spikes in API and web application attacks, as well as the rapid rise of ransomware-as-a-service (RaaS) and deepfake scams.
Parametrix estimates a total loss of $5.4 billion to the Fortune 500 excluding Microsoft. The healthcare sector faces the highest losses, followed by banking and airlines. Insured losses are expected to fall between $0.54 billion $1.08 billion, representing 10-20% of the total financial loss.
DIVIDER
Why insurance is a prime cyber target
Insurance carriers store vast reservoirs of highly sensitive personal, health, and financial data, which is highly prized by cybercriminals. Legacy technology and multi-vendor ecosystems heighten the risk, as attackers exploit both direct infrastructure and supply chain weak points—45% of global organizations expect significant supply chain cyberattacks in 2025.
Outdated systems, distributed operations, and multiple communication channels make the industry especially vulnerable. Compromised vendors or service providers can create backdoors that compromise entire policyholder databases.
DIVIDER
The costs and consequences of data breaches
Breaches in insurance impact not just data confidentiality and operations, but also regulatory compliance and brand reputation. Ransomware, business email compromise (BEC), and insider threats (whether malicious or accidental) have become noticeably more expensive and operationally disruptive.
- The average financial/insurance data breach is $5.9–$6.1 million in 2025.
- 73% of cyber insurance claims are related to breach response, privacy liability, and extortion.
- 60% of incidents involve human error, highlighting the persistent risk posed by social engineering and employee mistakes.
DIVIDER
2025's most critical insurance cyber threats
- Phishing & social engineering: Financial services are the third-most attacked industry via phishing.
- Ransomware & malware: Advanced ransomware, double/triple extortion, and attacks like CNA's $40 million payout continue to climb.
- Insider threats: Accidental and malicious actors still drive a significant share of breaches, often enabled by weak access controls.
- AI-powered attacks: Growing use of AI for impersonation, vulnerability discovery, and automation of campaigns.
DIVIDER
Strategies to safeguard sensitive customer data
To effectively safeguard sensitive customer data, insurance companies must implement a multi-layered insurance cybersecurity strategy. This involves using critical tools and methods like data encryption, access controls, and robust network security measures to mitigate the risk of data breaches and cyberattacks.
Data encryption is the cornerstone of insurance data protection
By encrypting data both at rest and in transit, insurers ensure that even if data is intercepted or compromised, it remains unreadable without the proper decryption keys. Advanced encryption methods, such as AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman), are commonly used to secure sensitive information like customer data, financial records, and policy details. These encryption protocols make it difficult for cybercriminals to access valuable information even if they breach the network.
Access controls to protect sensitive data
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to verify their identity through multiple methods before accessing critical systems. Also, insurers should enforce role-based access control (RBAC), ensuring only authorized personnel can view or modify specific data types. This minimizes the risk of internal breaches and limits access to information on a need-to-know basis, reducing exposure to potential insider threats.
Network security for advanced detection
To protect the organization's network infrastructure, insurers should deploy advanced firewalls and intrusion detection systems (IDS). Firewalls act as the first line of defense, filtering traffic and blocking unauthorized access, while IDS continuously monitors the network for suspicious activities. These tools detect anomalies and alert security teams in real time, allowing quick responses to potential threats. Firewalls and IDS help secure the insurance company's network, ensuring that malicious actors are kept at bay and that data integrity is maintained.
By combining these critical cybersecurity measures—data encryption, access controls, and network security—insurance companies can better protect their sensitive customer data and reduce the risk of costly cyberattacks.
DIVIDER
Complying with regulatory requirements
Regulations like GDPR, CCPA, and New York's cybersecurity laws have set high standards for data protection in the insurance industry. These regulations mandate strict security protocols, such as the appointment of a Chief Information Security Officer (CISO), data encryption, access controls, and regular risk assessments. Insurers are required to adopt comprehensive cybersecurity measures to avoid penalties, maintain compliance, and ensure customer trust in a highly regulated market.
Frameworks like the NIST Cybersecurity Framework and ISO 27001 offer essential guidelines for managing cyber risks. The NIST Framework breaks down security management into five core functions: identify, protect, detect, respond, and recover. It helps insurers assess vulnerabilities, safeguard infrastructure, and streamline their response to cyber incidents. The ISO 27001 standard focuses on creating a documented Information Security Management System (ISMS) that outlines risk assessments, security policies, and regular audits. Adopting these frameworks not only ensures compliance with regulations but also strengthens operational resilience and provides a competitive advantage by signaling high security standards to customers and regulators.
DIVIDER
Cybersecurity best practices for insurance companies
Risk assessment and management
Regular risk assessments are crucial to identifying vulnerabilities specific to these industries, such as safeguarding vast amounts of personal financial and claims data. By conducting these assessments, insurers can prioritize critical areas like customer data storage and third-party vendor access, ensuring that risks are mitigated before they evolve into significant threats. Effective risk management strategies tailored to these sectors reduce the likelihood of breaches that could disrupt critical claims and payment operations, ensuring continuity in high-stakes environments.
Incident response planning
A robust incident response plan is essential for insurers to handle cyberattacks effectively. These plans must outline swift actions to contain threats, protect sensitive policyholder data, and restore claims processing systems. With the heavy reliance on real-time customer transactions and long-term contract management, insurers need a well-orchestrated response to minimize operational disruptions, prevent financial loss, and uphold customer trust. A defined protocol also helps reduce regulatory risks and legal liabilities associated with delayed or insufficient responses.
Employee training and awareness
Employees are on the front lines of protecting sensitive client information such as policy details, financial records, and claims histories. Insurers must invest in regular cybersecurity training programs focused on educating staff about potential threats like phishing, ransomware, and social engineering scams. Ensuring that employees are vigilant and knowledgeable in identifying risks will significantly reduce the chances of accidental breaches. Training also fosters a culture of security awareness, empowering employees to uphold the high standards necessary to protect policyholder data.
DIVIDER
The role of cyber insurance
Cyber insurance is a crucial safeguard for insurance companies, protecting against financial losses stemming from cyberattacks or data breaches. These policies cover everything from data recovery to regulatory fines and customer notifications. The Cybersecurity Insurance Market size is estimated at USD 16.09 billion in 2024, and is expected to reach USD 39.58 billion by 2029, growing at a CAGR of 19.72% during the forecast period (2024-2029).
Key coverages in cyber insurance policies include:
- First-party coverage: Covers business interruption, ransomware payments, and data recovery costs.
- Third-party liability: Covers legal claims and lawsuits from affected third parties.
- Data breach response costs: Covers expenses for notification, credit monitoring, and forensic investigation.
- Regulatory fines & penalties help cover fines or penalties imposed by regulatory bodies for failing to protect sensitive data in compliance with laws like GDPR or CCPA.
- Cyber extortion provides coverage for ransom payments and other costs associated with extortion attempts, including negotiations with hackers.
- Reputation management covers the cost of public relations and communication efforts needed to restore a company’s reputation after a cyber incident.
DIVIDER
Final word
Cybersecurity is now non-negotiable for insurance firms. With cybercrime forecasted to cost businesses up to $10.5 trillion by 2025 and attacks growing increasingly sophisticated, only a layered approach—integrating robust controls, employee education, strong vendor oversight, and cyber insurance—can ensure resilience.
See how UST's solutions are powering next-gen data security and compliance for insurance: