Top Causes of Insurance Industry Data Breaches

Key Takeaways:

  • Phishing and credential reuse are major entry points for insurance industry data breaches.

  • Third-party access and misconfigured cloud storage create significant vulnerabilities.

  • Legacy systems and insider errors continue to expose insurers to cyber risks.

  • Proactive measures like EDR, SIEM, and security awareness training can effectively reduce breaches.

What causes insurance data breaches?

Recognizing how breaches start is the first step toward fewer cyber incidents.

Phishing and business email compromise (BEC)

Phishing has long been a go-to tool for threat actors to gain a foothold in networks, and AI has made these messages even more convincing. Insurers are especially at risk because of the high volume of email their teams exchange with policyholders, providers, and vendors. Attackers may pose as an executive or trusted partner to trick an employee into revealing sensitive information or clicking a malicious link, often leading to malware installation or unauthorized access.

Credential reuse

Roughly 75% of people use the same password for multiple websites. When an insurer’s employees or customers reuse passwords, they allow attackers to employ automated credential stuffing tools to test stolen passwords in bulk. Reused passwords are also frequently easy to remember (and therefore easy to guess), inviting further risk.

Misconfigured cloud storage

With the insurance industry’s ever-growing bank of documentation and customer data, cloud storage services like AWS and Azure are increasingly necessary. While these services have their own security controls, simple configuration errors can allow hackers in without the need for sophisticated techniques. Setting buckets to public access, granting excessive permissions, or letting systems and software go unpatched can all expose sensitive data.

Third-party access

Insurers rely on third-party vendors for claims processing, analytics, customer service, and other services. That means granting these vendors access to the insurer’s systems. Unfortunately, vendor security posture is often not as strong as the insurer’s. A single vendor breach can expose numerous downstream customers, disrupting operations and compromising data for countless policyholders. Almost one-third of data breaches in 2025 involved a third party.

Insider error

Human error remains the top cause of breaches, playing a role in 60% of incidents. Unfortunately, with the insurance industry’s data-heavy nature, mistakes can have serious costs. Simply sending files to the wrong recipient or using public Wi-Fi can expose sensitive records and leave the door open to attacks.

Legacy systems

It’s not uncommon for insurers to use older software or hardware that is incompatible with modern security features like the latest encryption standards and multi-factor authentication. Regulatory lock-in, actuarial continuity, and the high cost of re-certification all contribute to these systems going unpatched and unsupported, leaving them vulnerable.


Why cybersecurity gaps persist in insurance

While insurance companies have made progress by educating teams on tactics like phishing, the industry also has underlying structures that allow some of these vulnerabilities to persist.

Fragmented identity control

Within insurance companies, identity management is often siloed across departments, leading to inconsistent access controls. Business unit apps and data ownership, department-specific regulatory requirements, mergers and acquisitions, and legacy systems create a lack of unified oversight of who accesses what data. This fragmentation allows credential reuse and insider errors to go unchecked.

Low visibility

Legacy “black box” systems, business units guarding performance, unmonitored third-party and agent ecosystems, and rigid regulatory constraints make real-time, end-to-end visibility rare—often leaving anomalies undetected until it’s too late.

Shadow IT

Employees adopting unapproved software or devices for efficiency creates more blind spots. Bypassing security protocols allows misconfigurations and legacy vulnerabilities to creep in.

Weak review cycles

Insurance companies’ fragmented controls, complex data ecosystems, and reliance on external partners make regular audits a challenge. Failing to assess access rights, configurations, and vendor security regularly means issues like misconfigured cloud storage or legacy systems aren't addressed promptly.


Proven strategies to stop insurance data breaches

No business can guarantee safety from hackers, but adopting proactive controls and monitoring can help limit the most common causes of insurance cyber breaches and contain their impact.

Conditional access

Conditional access (CA) is a gatekeeper policy that uses context to grant or deny access. Taking into account factors like device health and location, CA guards against stolen credentials and phishing by requiring additional verification for sensitive data access.

Least privilege

The principle of least privilege means that users are only given the permissions necessary to do their jobs—and no more. This contains the damage that any single insider error or compromised account can inflict.

EDR coverage

Endpoint detection and response (EDR) tools monitor the devices on your network for suspicious behavior, detecting malware from phishing or legacy exploits in real-time and enabling quick isolation. Huntress’s Managed EDR platform provides a 24/7 AI-assisted, expert-led SOC to detect and respond to potential threats.

SIEM detections

A complementary layer to EDR, Security Information and Event Management (SIEM) systems aggregate logs from across the network, using rules to spot anomalies like unusual data access. SIEM aids in the early detection of misconfigurations or third-party intrusions.
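As an added example (not code from the original post), a minimal SIEM-style rule of the kind described above, run over a constructed authentication log: one source IP failing logins against many distinct accounts inside a short window is the signature of the credential stuffing mentioned under "Credential reuse". The 5-minute window and 5-account threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob FAIL
2024-05-01T09:00:03Z 203.0.113.7 carol FAIL
2024-05-01T09:00:04Z 203.0.113.7 dave FAIL
2024-05-01T09:00:05Z 203.0.113.7 erin FAIL
2024-05-01T09:00:06Z 203.0.113.7 frank SUCCESS
2024-05-01T09:01:00Z 198.51.100.4 alice FAIL
2024-05-01T09:01:30Z 198.51.100.4 alice SUCCESS
2024-05-01T10:30:00Z 192.0.2.9 gina FAIL
"""

WINDOW = timedelta(minutes=5)   # sliding window for the rule (assumed tuning value)
DISTINCT_USER_THRESHOLD = 5     # distinct accounts failing from one IP inside the window

def parse_log(text):
    """Parse 'timestamp ip user result' lines into time-sorted (datetime, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)

def detect_credential_stuffing(text, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Flag source IPs that fail logins against >= `threshold` distinct accounts within `window`
    (stolen passwords tried across many accounts); a later SUCCESS from the same IP is recorded
    as a likely account takeover. One account failing repeatedly is left to other rules."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for t0, _, _, _ in fails:
            users = sorted({e[2] for e in fails if t0 <= e[0] <= t0 + window})
            if len(users) >= threshold:
                hits = sorted({e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= t0})
                alerts[ip] = {"failed_users": users, "compromised": hits}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT credential stuffing from {ip}: {info}")
```

The second source in the sample (one account, one failure, then success) is deliberately not flagged, which is the distinction between a spray across accounts and an ordinary mistyped password.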

DLP policies

Data Loss Prevention (DLP) tools scan and block unauthorized data transfers, preventing leaks from insider errors or cloud misconfigurations through content inspection and encryption enforcement.

Security awareness training

Managed Security Awareness Training (SAT) educates your team on how to recognize phishing and reduce insider errors. Simulations and modules help build a security-conscious culture that can guard against the top cause of insurance data breaches: human error.


Metrics that prove your cybersecurity is working

How do you know your mitigation efforts are working? Key metrics to track include:

Identity incident rate

Strictly speaking, identity incident rate is the frequency of breaches tied to identity compromises (e.g., credential theft). However, we can make this metric more actionable by expanding it to account for other identity-related risk events. These may include policy violations (e.g., password reuse, MFA bypass) or compromised credentials (e.g., phished, leaked on the dark web). This metric should be measured quarterly to gauge improvements in access controls. Leverage ITDR to target a 20-30% reduction annually.

MTTD/MTTR

Mean Time to Detect (MTTD) tracks how quickly threats are identified, while Mean Time to Respond (MTTR) measures how long it takes to investigate, contain, and remediate once an alert fires. Huntress, for example, has reported an average MTTR of just 8 minutes from alert to incident report or closure.

Lower MTTD and MTTR generally indicate more effective EDR and SIEM operations. Many mature security teams target sub‑hour detection and response for critical incidents—for example, triaging critical alerts within about 15 minutes and containing or clearly escalating high‑severity incidents within roughly an hour—rather than letting threats linger for hours or days.

Phish report rate

This metric measures the percentage of employees who report suspicious emails, reflecting SAT success in building a security-conscious culture. Ongoing simulated phishing allows for consistent progress tracking. Aim for an 80%+ report rate.

Control coverage

Control coverage is the percentage of systems protected by ITDR, EDR, SIEM, and DLP, ensuring comprehensive protection against legacy and third-party risks. Other metrics like patching cadence and unfilled security positions provide broader insights. Target 95%+ of systems for EDR/SIEM.

Managed Identity Threat Detection and Response (ITDR) focuses on protecting identity systems like Active Directory from attacks such as credential theft or session hijacking. Combined with EDR (for endpoint monitoring), SIEM (for log analysis), and SAT (for human training), this stack addresses root causes holistically and produces measurable improvements.
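The metrics above, computed from constructed records as an added example (not the post's own tooling): MTTD and MTTR from incident timestamps, phish report rate, EDR/SIEM control coverage, and year-over-year identity incident reduction, each scored against the targets the text quotes. The records, the 20-host inventory and the pass rules (time metrics at or below target, rates at or above) are assumptions.

```python
from datetime import datetime
from statistics import mean

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

# Constructed incident records (not real data): when malicious activity began, when the
# alert fired, and when the incident was contained or closed.
INCIDENTS = [
    {"started": "2024-04-02T08:00", "detected": "2024-04-02T08:12", "contained": "2024-04-02T08:40"},
    {"started": "2024-04-10T14:00", "detected": "2024-04-10T14:48", "contained": "2024-04-10T16:00"},
    {"started": "2024-05-15T09:30", "detected": "2024-05-15T09:36", "contained": "2024-05-15T09:44"},
]
# Constructed control inventory: 19 of 20 systems run both EDR and SIEM log forwarding.
SYSTEMS = {f"host{n:02d}": {"EDR", "SIEM"} for n in range(1, 20)}
SYSTEMS["host20"] = {"EDR"}
# Targets quoted in the text: ~15-minute triage, ~1-hour containment, 80%+ phish report
# rate, 95%+ EDR/SIEM coverage, 20%+ annual drop in identity incidents.
TARGETS = {"mttd_min": 15, "mttr_min": 60, "phish_report_pct": 80,
           "coverage_pct": 95, "identity_reduction_pct": 20}

def mttd_minutes(incidents):
    """Mean minutes from first malicious activity to the alert firing."""
    return mean((_t(i["detected"]) - _t(i["started"])).total_seconds() / 60 for i in incidents)

def mttr_minutes(incidents):
    """Mean minutes from alert to containment/closure."""
    return mean((_t(i["contained"]) - _t(i["detected"])).total_seconds() / 60 for i in incidents)

def phish_report_rate(reported, recipients):
    """Percentage of simulated-phish recipients who reported the message."""
    return 100.0 * reported / recipients

def control_coverage(systems, required=("EDR", "SIEM")):
    """Percentage of systems carrying every required control."""
    covered = sum(1 for ctrls in systems.values() if set(required) <= ctrls)
    return 100.0 * covered / len(systems)

def identity_incident_reduction(last_year, this_year):
    """Percentage drop in identity-related incidents year over year."""
    return 100.0 * (last_year - this_year) / last_year

def scorecard(incidents, reported, recipients, systems, last_year, this_year):
    """Each metric as (measured value, meets target)."""
    values = {"mttd_min": mttd_minutes(incidents), "mttr_min": mttr_minutes(incidents),
              "phish_report_pct": phish_report_rate(reported, recipients),
              "coverage_pct": control_coverage(systems),
              "identity_reduction_pct": identity_incident_reduction(last_year, this_year)}
    return {k: (v, v <= TARGETS[k] if k.endswith("_min") else v >= TARGETS[k])
            for k, v in values.items()}
```

On the constructed data every target is met except MTTD (22 minutes against a 15-minute triage goal), which is the kind of gap a quarterly review of these numbers is meant to surface.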

Discover Huntress’s integrated security solutions, backed by a 24/7 AI-assisted, human-led SOC today.
