A new report from SecurityScorecard highlights how cybersecurity gaps threaten critical services and policyholder trust.

Among the top 150 insurance companies involved third-party attack vectors, 59 percent exposed critical vulnerabilities in the sector’s supply chain, more than double the global cross-industry average of 29 percent. Third-party software and IT caused 50 percent of these breaches.

The research organized the supply chain into five main segments: insurance carriers; reinsurance companies; agencies and brokers; third-party claims processors and administrators; and insurance-specific software and IT products and services.

The findings underscore the systemic risks posed by cyber threats to an industry responsible for safeguarding sensitive financial and personal information.

The insurance industry’s interconnected network of carriers and reinsurers to brokers, claims processors and specialized IT providers is essential for delivering services to hundreds of millions introduces significant cyber risks.

“Insurance companies’ reliance on technology to manage daily operations has outpaced their ability to secure it,” said Andrew Correll, senior director of Cyber Insurability. “Cyber risks don’t stop at the first layer of defense—they extend deep into the supply chain, where vulnerabilities are harder to detect and even harder to mitigate. Addressing these risks requires a shift in how the industry prioritizes third-party security.”

A reported 28 percent of companies experienced breaches—higher than the S&P 500 (21 percent) and double the U.S. energy industry (14 percent).

Insurance carriers were disproportionately affected by third-party breaches. Although carriers made up about 27 percent of the total sample, they represented 50 percent of the companies hit by third-party incidents.

More than half (56 percent) of insurance companies had at least one compromised credential in the past two years, the report found.

Malware infections and device compromises affected 17 percent of insurance companies last year.

Insurer had particularly poor marks to application security, Domain Name System health and network security. DNS health rarely ranks among these factors.

Some actionable insights for the insurance sector to strengthen its supply chain:

• Strengthen third-party risk management (TPRM). Carriers face elevated third-party risks due to dependencies on low-scoring industry segments, including IT vendors and brokers. Focus on high-risk partners to reduce vulnerabilities and address frequent breaches and credential compromises.
• Ensure vendors have their own effective TPRM programs. Fourth-party risks from vendors’ suppliers are critical but often missed. Ensure vendors have strong TPRM processes to close supply chain gaps and prevent breaches like the MOVEit campaign.
• Avoid paying ransomware demands. Paying ransoms encourages attacks, risks legal issues and doesn’t ensure recovery. Avoiding payments helps deter criminals and protects the broader ecosystem.