CyberDefenseMagazine

Inside The Rising Cyber Risk To Insurers: Why Insurance Companies Are Now Prime Targets


Insurers sit at a rare intersection: they hold healthcare-grade sensitive data, financial-services-grade data, and high-trust identity data — often unified within a single customer or policyholder record. This convergence makes insurance data exceptionally valuable for identity fraud, account takeover, and extortion.

What further differentiates insurers is the operational continuity requirement. Claims handling, customer service, broker and adjuster workflows, and payment processes are effectively “always on.” Attackers understand that disruption rapidly escalates into regulatory and reputational crises.

Over the last few years, attacker focus has shifted decisively from perimeter exploitation toward identity-led intrusion, increasingly combining human deception with technical abuse. Threat actors such as Scattered Spider have been explicitly observed targeting insurers via helpdesk and call-center social engineering.

As this tradecraft has matured, theft of session tokens and cookies has grown sharply. A stolen post-authentication token lets an attacker skip the login step entirely, so MFA and passwordless technology on their own are less effective against it. Insurers are therefore no longer defending only who is logging in, but also what device they are logging in from, how trusted it is, and whether it meets security-posture expectations at the moment of access.

The Tailored Tactics of Ransomware Groups

Ransomware groups optimize pressure against what insurers cannot pause: claims intake, adjudication, payments, etc. As a result, attackers prioritize access to systems that keep the business moving. Critically, identity systems and endpoint access are now prime targets because they enable attackers to disrupt many downstream workflows without encrypting everything. Compromised credentials combined with access from weakly governed or unmanaged devices allow adversaries to blend in as legitimate users while exfiltrating sensitive claims and policy data.
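The two points above (a stolen session token sidesteps MFA, and an attacker on an unmanaged device blends in as the legitimate user) turn into one concrete detection: a session that was issued to one device and is later presented from another, with no fresh authentication in between. The following is an added example, not code from the article or from Specops/Outpost24. The log format is an assumption: one JSON object per line with the fields ts, event, user, session (a keyed hash of the token, never the raw cookie), device_id, ua and ip, and the sample lines are constructed.

```python
"""Flag a session token replayed from a device it was never issued to.

Added example (not from the article). Assumed log shape: JSON lines with
ts (epoch seconds), event ("auth_success" or "request"), user, session
(keyed hash of the session token), device_id (identifier of the enrolled
device that presented the session), ua and ip. Field names are assumptions.
"""
import ipaddress
import json

# Constructed sample: alice authenticates from her managed laptop, then the
# same session hash is presented from a different device on another network
# with no new authentication event in between; that is what cookie theft looks like.
SAMPLE_LOG = """
{"ts": 1700000000, "event": "auth_success", "user": "alice", "session": "s1", "device_id": "lap-7f3a", "ua": "Edge/120", "ip": "203.0.113.10"}
{"ts": 1700000060, "event": "request", "user": "alice", "session": "s1", "device_id": "lap-7f3a", "ua": "Edge/120", "ip": "203.0.113.10"}
{"ts": 1700000900, "event": "request", "user": "alice", "session": "s1", "device_id": "unk-0000", "ua": "Chrome/119", "ip": "198.51.100.77"}
{"ts": 1700001000, "event": "auth_success", "user": "bob", "session": "s2", "device_id": "lap-91cc", "ua": "Edge/120", "ip": "203.0.113.44"}
{"ts": 1700001100, "event": "request", "user": "bob", "session": "s2", "device_id": "lap-91cc", "ua": "Edge/120", "ip": "203.0.113.45"}
{"ts": 1700001200, "event": "request", "user": "carol", "session": "s3", "device_id": "lap-02ab", "ua": "Edge/120", "ip": "203.0.113.90"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines, skipping blank or malformed lines rather than aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_session_replay(events: list[dict], net_prefix: int = 24) -> list[dict]:
    """Return one alert per request whose session binding differs from what was
    recorded at authentication time (device, user-agent, source network, user)."""
    bindings: dict[str, dict] = {}   # session hash -> attributes seen at auth_success
    alerts: list[dict] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e["session"]
        if e["event"] == "auth_success":
            bindings[sid] = {
                "user": e["user"],
                "device_id": e["device_id"],
                "ua": e["ua"],
                "net": ipaddress.ip_network(f"{e['ip']}/{net_prefix}", strict=False),
            }
            continue
        base = bindings.get(sid)
        if base is None:
            # A session we never saw issued: token minted elsewhere or log gap; either way, look.
            alerts.append({"ts": e["ts"], "user": e["user"], "session": sid,
                           "reasons": ["session used with no recorded authentication"]})
            continue
        reasons = []
        if e["device_id"] != base["device_id"]:
            reasons.append(f"device changed {base['device_id']} -> {e['device_id']}")
        if e["ua"] != base["ua"]:
            reasons.append("user-agent changed")
        if ipaddress.ip_address(e["ip"]) not in base["net"]:
            reasons.append(f"source left {base['net']}")
        if e["user"] != base["user"]:
            reasons.append("session presented for a different user")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "session": sid, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

The /24 match is a deliberately coarse assumption; behind NAT, mobile carriers and corporate egress a network change is a weak signal, while a device-identifier change is strong only if the identifier is something the attacker cannot copy along with the cookie, such as a mutual-TLS client certificate or a key held in the device's TPM. Otherwise this logic catches careless replay but not a thief who copies the whole browser profile.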

Where attackers can infer cyber-insurance coverage or incident-response maturity, ransom demands are increasingly calibrated to sit just below the victim's perceived pain threshold; this applies to any business, not only insurers. That calculus makes rapid, identity-centric containment more valuable than traditional recovery alone.

The Third-Party Risk

Many vendor-risk programs still emphasize static compliance artefacts such as questionnaires, attestations, and periodic audits while attackers focus on live access pathways such as who can authenticate, from which devices, under what trust conditions, and with what level of privilege.

SecurityScorecard’s finding that 59% of insurance breaches involve third-party vectors aligns closely with field observations that adversaries target the least mature boundary in the ecosystem, then pivot via shared identities, integrations, and support processes.

A critical but under-addressed gap is device trust and posture enforcement for third parties. Vendors, brokers, and service providers often access core systems from unmanaged endpoints, personal devices, or environments outside the insurer’s security baseline — yet those devices may still be granted high-impact access based solely on user credentials.

The Allianz Life incident (reportedly involving a third-party cloud-based CRM compromised via social engineering) illustrates this clearly.

Insurers’ Two Problems: Inconsistent Identity Controls and MFA Fatigue

Attackers exploit inconsistency. One part of the digital ecosystem may enforce modern controls while another relies on legacy authentication, weaker MFA, static VPN access, or broad device exceptions. When device authentication and posture checks are unevenly applied, stolen credentials become far more powerful.

These gaps create ideal conditions for credential stuffing and password-reuse attacks, for access from unmanaged or non-compliant devices, and for “access drift,” where dormant, shared, or service accounts persist long after their risk is understood.

This matters because compromised credentials remain a dominant initial access vector. Verizon’s 2025 DBIR reports that 22% of breaches began with stolen credentials, the most common initial access vector. Without consistent enforcement of device trust and posture across both cloud and legacy systems, insurers unintentionally preserve “soft targets” for attackers to exploit.

Additionally, many organizations have only implemented MFA as a checkbox control, not as part of a broader trust strategy. Push-based approvals and one-time codes reduce some risk, but they remain vulnerable to MFA fatigue, adversary-in-the-middle phishing, SIM swapping, and helpdesk-driven resets. Threat groups specializing in social engineering (including Scattered Spider-style operations) routinely chain these weaknesses together.

The Necessary Changes for Insurers

Reducing cyber risk for insurers requires pragmatic, tactical changes. Organizations should adopt phishing-resistant MFA for sensitive access, using FIDO2/WebAuthn where feasible and stronger challenge-response methods elsewhere. They should also bind authentication to trusted devices, so that possession of credentials alone is insufficient without device authentication and posture validation. Likewise, insurers must harden helpdesk and service-desk identity proofing, especially for MFA resets, device enrollment, and account recovery, since those are the paths social-engineering crews use to bypass MFA altogether.
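What makes FIDO2/WebAuthn phishing-resistant, rather than merely stronger, is that the authenticator signs over the origin the browser actually talked to and the hash of the relying-party ID, and the relying party checks both. The following is an added example of those server-side checks, not code from the article or from Specops/Outpost24; RP_ID and ALLOWED_ORIGINS are assumed values, the assertions are constructed by hand, and signature verification against the stored public key (the step that follows these checks) is not shown.

```python
"""Relying-party binding checks that make a WebAuthn assertion phishing-resistant.

Added example (not from the article). An assertion produced while the user sat
on an adversary-in-the-middle phishing page carries that page's origin in
clientDataJSON, so it fails here even though the user touched the key.
RP_ID and ALLOWED_ORIGINS are assumptions; signature verification is omitted.
"""
import base64
import hashlib
import hmac
import json

RP_ID = "insurer.example"                                                        # assumption
ALLOWED_ORIGINS = frozenset({"https://insurer.example", "https://portal.insurer.example"})  # assumption
FLAG_UP, FLAG_UV = 0x01, 0x04        # authenticatorData flag bits: user present, user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || 32-bit signCount (37 bytes)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser (not the page) serialises it for a get() ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, stored_sign_count: int,
                            rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS,
                            require_uv: bool = True) -> tuple[bool, str]:
    """Return (ok, reason) for the pre-signature checks of a WebAuthn assertion."""
    try:
        cd = json.loads(client_data_json)
        if not isinstance(cd, dict):
            return False, "clientDataJSON is not an object"
        challenge = b64url_decode(cd.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "clientDataJSON malformed"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replayed or cross-session assertion)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} not allowed (phishing page or AiTM proxy)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash does not match the relying party"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    # Counter 0 means the authenticator does not implement one; otherwise it must advance.
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not advance (possible cloned authenticator)"
    return True, "binding checks passed; proceed to signature verification"


if __name__ == "__main__":
    challenge = bytes(range(32))            # constructed; issue os.urandom(32) per ceremony
    auth = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    print(check_assertion_binding(make_client_data(challenge, "https://insurer.example"), auth, challenge, 41))
    # Same key, same challenge, but the browser was on an attacker-controlled look-alike domain:
    print(check_assertion_binding(make_client_data(challenge, "https://insurer-login.example"), auth, challenge, 41))
```

In practice the browser already refuses to use a credential unless the RP ID is a registrable suffix of the page origin, so a look-alike domain cannot even invoke the key; the origin and rpIdHash checks above are the relying party's own verification of that invariant and its defence against a misconfigured or compromised front end. Push approvals and one-time codes have no equivalent binding, which is why they survive an AiTM proxy and this does not.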

For insurers, cyber risk is no longer a technical issue that can be managed in isolation. It is a core business risk that directly affects the ability to operate, regulatory exposure, and reputation. The interconnected systems that enable insurance workflows also give attackers many footholds from which to exploit identity and access. Threat actors will keep targeting the insurance industry for its highly valuable data, but insurers can and should adapt their defenses to prevent incidents. The insurers that succeed will be those that treat identity and access controls as a foundational part of daily operations, not a secondary security concern.

About the Author

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions.
