How Insurance Company Ransomware Attacks Happen and How to Prevent Them

Key Takeaways:

  • Most breaches in the insurance sector start with stolen credentials, social engineering, or a compromised third-party vendor. Enforcing strict identity and vendor security controls yields the highest risk reduction per dollar.

  • Attackers depend on lateral movement to escalate an initial foothold into a full-scale ransomware event. Strong segmentation and continuous monitoring can stop that movement before encryption or data theft happens.

  • Immutable backups, a practiced isolation playbook, and coordinated comms with regulators and carriers reduce downtime and limit ransom leverage. Insurance organizations that prepare for fast containment recover faster than those relying solely on preventive controls.

Attack stages in an insurance ransomware incident

Initial access

Social engineering and stolen credentials are two of the most common ways hackers gain a foothold in insurance companies’ networks. Business email compromise (BEC) cost organizations $2.8 billion in 2024. In insurance company phishing attacks, hackers impersonate an executive or the IT help desk to steal login credentials. Increasingly, attackers use AI to craft hyper-personalized messages that, for example, trick employees into installing fake updates.

Exposed remote services (RDP/VPN) and vulnerable internet-facing applications are other frequent entry points.

Privilege escalation

Once inside networks, attackers use stolen credentials to move deeper. They exploit unpatched vulnerabilities or leftover administrative accounts to gain domain admin rights. Microsoft research shows 99% of password-spray attacks use legacy (IMAP/POP/SMTP) logins.

Lateral movement

After swiping admin privileges, hackers move laterally through an insurer’s network. They exploit trust relationships (e.g., SMB shares, admin tools like PsExec) to reach high-value claims databases, document repositories, and other offices (via remote agents). The recent LockBit attack on Managed Care of North America (a large dental insurer) exposed 8.9 million patient records after lateral network penetration.

Data theft

The usual ransomware playbook involves double extortion. First, attackers copy valuable data (claim files, policyholder records, and PII). Because of its sensitive nature, insurance industry data is particularly lucrative for resale on the dark web, giving hackers additional leverage for extortion.

Encryption

In the final stage, attackers deploy the ransomware, encrypting insurers’ files and systems. Ransomware attacks happen quickly: from initial compromise to ransom typically takes 17 hours. By this point, attackers have usually disabled backup processes and deleted logs, forcing insurers to pay to unlock their systems unless they have taken proper precautions.


Security weak spots to watch for

The insurance industry’s reliance on interconnected systems and vendors introduces various potential vulnerabilities that attackers can exploit.

Third-Party Vendors

Insurers often rely on third-party vendors for claims processing, IT support, and customer relations, increasing operational and security risks. In 2025, 30% of data breaches involved a third party (up from ~15%).

In 2025, Allianz Life’s breach began with social engineering on a cloud CRM, and BCBS of Montana’s large breach stemmed from a hack of backend operations provider Conduent Business Services.

Even if a vendor breach doesn’t compromise an insurer’s systems, an incident like Change Healthcare’s can cripple an insurer’s claims operations, affecting cash flow, policyholder experience, and reputation. Change Healthcare processes 15 billion claims annually, showing how a single vendor breach can disrupt countless downstream insurers and policyholders.

Document management systems

Insurance companies accumulate massive amounts of underwriting files, claims forms, policy scans, and other documents. Many are stored in shared drives or ECM systems that are prime targets for attackers looking to exploit unencrypted files, weak access controls, and insufficient monitoring tools.

Shared mailboxes

Insurers frequently use shared mailboxes (e.g., claims@company.com) for department communication. Many of these accounts use web-based login (e.g., Outlook Web Access) with no multi-factor authentication (MFA)—a common entry point for attackers. If a shared mailbox is compromised, such as through a phishing-captured password, it can be used to launch further attacks or deploy malware.

Remote workforce

Insurance agencies often have field agents and remote offices that connect over VPN or RDP. Home and branch office PCs may not be as rigorously managed as corporate HQ machines. An attacker may first compromise an agent’s credentials (through personal email or malicious download) and use them to pivot into the insurer’s network.


Prevention controls by stage

Guarding against ransomware attacks requires strengthening security protocols at each stage of the kill chain so that if attackers do gain a foothold, they are unable to cause real harm.

Initial access

Limiting hackers’ ability to get a foothold is the first step. Harden identities throughout your networks by enforcing multi-factor authentication on all mail, VPN, and remote logins. Block legacy auth protocols (IMAP/POP) that bypass MFA.

Hold regular phishing simulations to train staff and reduce human risk. Seventeen percent of breaches originate from social engineering (down from 22%, due to increased awareness). Deploy advanced email filtering (ATP/DMARC) for an extra layer of protection.

For exposed services, disable unused RDP or publish RDP only through a secure jump-host or VPN. Keep all edge systems and VPN appliances patched and up-to-date.
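As an added example (not code from the original post or from Huntress), the following Python flags the two things this section says to watch for: sign-ins over legacy protocols that bypass MFA, and the password-spray pattern that rides on them (one source IP, a few guesses each against many accounts). Field names follow Entra ID sign-in logs; the events, IPs and account names are constructed.

```python
# Added example (not from the original post). Field names follow Entra ID
# sign-in logs (userPrincipalName, clientAppUsed, ipAddress, status); the
# events themselves are constructed samples.
from collections import defaultdict

# Client types that authenticate with a bare password and so bypass MFA.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}

SIGNINS = (
    # one source IP trying a single guess against eight different mailboxes over IMAP
    [{"userPrincipalName": f"agent{i}@insurer.example", "clientAppUsed": "IMAP4",
      "ipAddress": "203.0.113.7", "status": "failure"} for i in range(8)]
    # one user mistyping a password four times in the browser: not a spray
    + [{"userPrincipalName": "claims@insurer.example", "clientAppUsed": "Browser",
        "ipAddress": "198.51.100.20", "status": "failure"} for _ in range(4)]
    # the spray source later succeeds against the shared claims mailbox over POP3
    + [{"userPrincipalName": "claims@insurer.example", "clientAppUsed": "POP3",
        "ipAddress": "203.0.113.7", "status": "success"},
       {"userPrincipalName": "cfo@insurer.example", "clientAppUsed": "Browser",
        "ipAddress": "198.51.100.21", "status": "success"}]
)


def legacy_auth_signins(events):
    """Every sign-in that used a legacy protocol, successful or not."""
    return [(e["userPrincipalName"], e["clientAppUsed"], e["ipAddress"])
            for e in events if e["clientAppUsed"] in LEGACY_CLIENTS]


def password_spray_sources(events, min_users=5, max_per_user=3):
    """IPs whose failures spread across many accounts with few tries each:
    the spray pattern, as opposed to brute force against one account."""
    failures = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["status"] == "failure":
            failures[e["ipAddress"]][e["userPrincipalName"]] += 1
    return sorted(ip for ip, users in failures.items()
                  if len(users) >= min_users and max(users.values()) <= max_per_user)


def accounts_hit_by_spray(events):
    """Accounts a spray source then signed into successfully: reset these first."""
    spray_ips = set(password_spray_sources(events))
    return sorted({e["userPrincipalName"] for e in events
                   if e["ipAddress"] in spray_ips and e["status"] == "success"})


if __name__ == "__main__":
    print("legacy-protocol sign-ins:", len(legacy_auth_signins(SIGNINS)))
    print("spray sources:", password_spray_sources(SIGNINS))
    print("accounts to reset:", accounts_hit_by_spray(SIGNINS))
```

Once legacy protocols are blocked at the tenant, the first list should stay empty; any entry in it is a gap in the policy.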

Privilege escalation

Apply the principle of least privilege, giving each user or account only the access they absolutely need to do their job. This limits the damage hackers can do if they compromise regular user accounts. Use jump servers or Just-In-Time admin access to limit standing admin credentials. Privileged account use should be continuously monitored—a managed ITDR can flag unusual privilege-grants or atypical sign-ins in real time.

Lateral movement

Network segmentation is crucial for containing breaches so attackers can’t reach across core systems, such as claims databases, policy servers, and finance. Keep these systems on separate subnets with strict firewall rules. Disable unnecessary admin shares, and limit service accounts to the minimal required scopes. Use host-based firewalls or Network Access Control (NAC) to prevent one machine from freely reaching others. Managed EDR solutions provide agent-based monitoring across all endpoints, so abnormal lateral activities trigger an alert and containment.
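The trust relationships named above (admin shares and PsExec-style tools) leave a recognizable footprint in Windows event logs. As an added example that is not part of the original post, this Python checks constructed events shaped like System event 7045 (service installed) and Security event 5140 (network share accessed) for a remote-exec service install and for one source fanning out to admin shares on several hosts; host names, IPs and paths are made up.

```python
# Added example (not from the original post): events are constructed samples
# shaped like Windows System event 7045 (service installed) and Security
# event 5140 (network share accessed); host names, IPs and paths are made up.
from collections import defaultdict

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
# Service names PsExec-style tools register on the target; PSEXESVC is PsExec's own.
REMOTE_EXEC_SERVICES = {"PSEXESVC"}

EVENTS = [
    {"id": 5140, "host": "CLAIMS-DB01", "src_ip": "10.20.5.31", "share": r"\\*\ADMIN$"},
    {"id": 7045, "host": "CLAIMS-DB01", "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 5140, "host": "POLICY-APP02", "src_ip": "10.20.5.31", "share": r"\\*\C$"},
    {"id": 5140, "host": "FIN-SQL01", "src_ip": "10.20.5.31", "share": r"\\*\ADMIN$"},
    # ordinary user opening a departmental share: should not be flagged
    {"id": 5140, "host": "FILESRV01", "src_ip": "10.20.7.12", "share": r"\\*\Claims"},
    # legitimate agent install: should not be flagged
    {"id": 7045, "host": "FILESRV01", "service": "BackupAgent", "path": r"C:\Program Files\Backup\agent.exe"},
]


def share_name(unc):
    """Return the last component of the UNC share path, upper-cased (e.g. ADMIN$)."""
    return unc.rsplit("\\", 1)[-1].upper()


def remote_service_installs(events):
    """7045 events for a known remote-exec service, or a binary dropped via ADMIN$."""
    return [(e["host"], e["service"]) for e in events if e["id"] == 7045
            and (e["service"].upper() in REMOTE_EXEC_SERVICES
                 or "ADMIN$" in e["path"].upper())]


def admin_share_fanout(events, min_hosts=3):
    """Source IPs that opened admin shares on at least min_hosts distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES:
            targets[e["src_ip"]].add(e["host"])
    return {ip: sorted(hosts) for ip, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("remote service installs:", remote_service_installs(EVENTS))
    print("admin-share fan-out:", admin_share_fanout(EVENTS))
```

A workstation that reaches ADMIN$ on three servers in a short window is exactly the pattern host-based firewalls and NAC are meant to make impossible, so a hit here also indicates a segmentation gap.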

Data exfiltration

Use managed SIEM to monitor for large or unusual data transfers to external connections. Implement data loss prevention (DLP) rules on sensitive file stores to guard against improper access and ensure they are encrypted. Also, consider geofencing: block outbound traffic to suspicious countries or blacklist known file-sharing domains.
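A small version of the SIEM rule described here, as an added example that is not code from the original post or from any vendor: it parses constructed outbound-connection log lines, flags a host whose daily outbound volume is far above its baseline, and flags any connection to a blocked file-sharing domain. The log format, domains and per-host baselines are all assumptions.

```python
# Added example (not from the original post): parses constructed outbound
# connection logs and applies two exfiltration checks. The log format, the
# blocked domains and the per-host baselines are made up for the example.
from collections import defaultdict
import re

LOG_LINES = """\
2025-03-04T02:05:11Z src=10.20.5.31 dst_host=api.claims-partner.example bytes_out=1843200
2025-03-04T02:17:40Z src=10.20.5.31 dst_host=files.example-share.net bytes_out=4831838208
2025-03-04T02:31:02Z src=10.20.5.31 dst_host=files.example-share.net bytes_out=3221225472
2025-03-04T09:12:55Z src=10.20.7.12 dst_host=mail.insurer.example bytes_out=524288
2025-03-04T10:44:19Z src=10.20.7.12 dst_host=api.claims-partner.example bytes_out=2097152
2025-03-04T11:02:37Z src=10.20.9.4 dst_host=cdn.vendor.example bytes_out=65536
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst_host=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")
# Constructed blocklist of file-sharing / paste services.
BLOCKED_DOMAINS = {"files.example-share.net", "paste.example-drop.org"}
# Constructed baseline: typical daily outbound bytes per internal host.
BASELINE_BYTES = {"10.20.5.31": 50_000_000, "10.20.7.12": 40_000_000, "10.20.9.4": 5_000_000}


def parse(lines):
    """Turn log lines into records; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])})
    return records


def volume_anomalies(records, baseline, factor=10):
    """Hosts whose total outbound bytes exceed factor x their baseline.
    A host with no baseline is treated as baseline 0, so any traffic flags it."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return {src: total for src, total in totals.items()
            if total > factor * baseline.get(src, 0)}


def blocked_destinations(records):
    """(source, destination) pairs that touched a blocked domain, regardless of size."""
    return sorted({(r["src"], r["dst"]) for r in records if r["dst"] in BLOCKED_DOMAINS})


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    print("volume anomalies:", volume_anomalies(recs, BASELINE_BYTES))
    print("blocked destinations:", blocked_destinations(recs))
```

The two checks are deliberately independent: the volume rule catches a large transfer to an unknown destination, while the domain rule catches a small, slow transfer to a known drop site that never crosses the volume threshold.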

Encryption and disruption

In the big picture, the best way to fight the ransomware industry is to stop paying ransoms. Maintaining immutable offline backups of all critical systems allows you to do that. Store backups offline or in an isolated vault so they cannot be encrypted. Have a playbook to isolate infected machines instantly and run your incident response, and practice restoring key business services from backups.


Rapid ransomware response playbook

Ransomware attacks move fast, and so must your response. Your organization’s ability to take swift, coordinated action hinges on having an effective, practiced incident response plan. Here’s what to include:

Isolation

Immediately disconnect affected systems from the network and Internet. Quarantine the segment to prevent spread (e.g., block access to file servers and disable wireless/VPN on infected machines). Contain first, investigate later.

Identity reset

Reset or revoke all potentially compromised credentials. This includes user passwords, privileged accounts, service accounts, API keys, and any active sessions/tokens.

Communications plan

Notify key stakeholders (CISO, CEO, Board, PR/legal) immediately. Alert your cyber insurance carrier and incident response partners. Have a pre-approved public communications plan to allow for proactive, transparent communication with affected customers and regulators. For insurers, regulators like state insurance commissioners, the FTC, and (if PHI is involved) HHS often have to be notified.

External coordination

Contact law enforcement (FBI/CISA) and the insurer-provided incident responders. Cyber policies usually require prompt notification. The insurer’s breach coaches can provide forensic and legal teams to manage ransom negotiations and regulatory work.

Documentation and Recovery

Log every step taken and evidence collected—this is vital for legal compliance and potential lawsuits. Use your EDR/MDR logs and SIEM event data to create a timeline of the attack. As you recover systems, verify their integrity before rejoining them to production. Restore data from clean backups wherever possible.


Protecting your insurance company with Huntress

Huntress offers a unified managed security platform designed for these threat scenarios. Managed EDR, Managed ITDR, Managed SIEM, and Managed SAT help insurance companies detect, contain, and document their response. Together, these services—backed by Huntress’s 24/7 AI-assisted SOC of expert analysts—provide layered defenses tuned for insurance operations.

