Insurance agencies hold some of the most sensitive PII in any industry — Social Security numbers, medical information, financial records, and claims histories. Attackers know it. BEC targeting carrier payments, producer account takeovers used to phish clients, and agency management system breaches are hitting independent and regional agencies every week.
Attackers compromise agency email accounts and intercept carrier payment workflows — redirecting commission checks, premium remittances, and binding deposits to fraudulent accounts. One Southeast regional agency lost $340,000 in a single wire fraud scheme targeting their carrier reconciliation process.
Once an attacker owns a producer's email account, they have an authenticated channel into every client relationship. Fraudulent policy changes, fake renewal invoices, and wire transfer requests sent from the producer's real email address are nearly impossible for clients to detect. The agency faces E&O exposure even when the fraud originates from a compromised account.
AMS360, EZLynx, and Applied Epic store SSNs, DOBs, claims histories, and medical underwriting data for every client. Credential stuffing attacks and reused passwords give attackers access to years of client PII in a single login. A breach triggers state DOI notification requirements, client notifications, and potential class-action liability.
Spoofed emails impersonating agency staff send clients fake renewal binders with updated payment instructions — redirecting premium payments to attacker-controlled accounts. The client pays, the policy lapses, and the agency faces the E&O claim when the client files and finds no coverage.
The FTC Safeguards Rule (GLBA) requires insurance agencies to implement a written information security program, conduct risk assessments, and train staff annually on data protection — non-compliance can trigger FTC enforcement actions and state AG investigations. The NAIC Insurance Data Security Model Law, adopted in approximately 30 states, adds cybersecurity event reporting obligations to your state Department of Insurance. If your agency writes health lines, HIPAA security awareness training is also a regulatory requirement. A documented security training program is no longer optional — it's a license-protection necessity.
"A carrier called us about an unusual payment change request that came from our principal's email. It wasn't him — his account had been compromised for 11 days before the carrier flagged it. We had no idea. After SecurEveryone, every producer on our team has MFA on every carrier portal and we run credential audits quarterly."
— Agency Principal, Independent P&C Agency (22 producers)
"We write commercial lines for 400+ businesses. The idea that our AMS360 credentials could hand over every client's policy data, SSNs, and claims history in one breach was the wake-up call we needed. The Business session walked every CSR and back-office team member through exactly how an attacker gets in — and how to stop them."
— Operations Director, Regional Commercial Lines Agency
"Our E&O carrier added a cybersecurity training requirement at renewal. SecurEveryone gave us the documented training records we needed to satisfy the requirement — and genuinely improved how our team handles client data. Two birds, one session."
— Compliance Officer, Multi-Branch Life & Health Agency
The FTC Safeguards Rule (GLBA) requires financial institutions (a definition that explicitly includes insurance agencies that receive customer financial information) to implement a written information security program (WISP), conduct regular risk assessments, and train all employees who handle customer information. Annual training is the standard. Non-compliance puts your agency at risk of FTC enforcement, state AG investigations, and loss of your license to operate in states that have adopted the NAIC Model Law. Our Executive session includes a WISP template and training documentation you can present to regulators.
Credential sprawl across carrier portals is one of the top attack surfaces for insurance agencies — producers with 20+ portal logins routinely reuse passwords, share credentials with assistants, and never rotate them. Our Business session covers a carrier portal credential hygiene protocol, MFA implementation for every portal that supports it, and the secure delegation procedures that prevent credential sharing. We also cover what to do when a producer leaves the agency — credential revocation across all portals is a common gap that leaves former-employee access active for years.
Agency management systems are high-value targets because they contain every client's PII, policy data, claims history, and financial records in one place. The most common entry points are credential reuse (same password across the AMS and personal accounts), unrevoked access for former staff, and absence of MFA on the admin account. Our training covers AMS-specific credential hygiene, user permission auditing, and the monitoring protocols that detect unauthorized access before data is exported. We cover each major platform by name so your team knows exactly which settings to check.
Documented security awareness training is increasingly a requirement for both E&O and standalone cyber insurance policies at renewal. Some carriers are adding explicit training requirements to policy conditions — failure to document annual training can void coverage for social engineering losses. Beyond coverage requirements, documented training is your best defense in an E&O claim that alleges negligent handling of client data: it demonstrates reasonable precautions were in place. Our sessions produce written training completion records suitable for inclusion in your insurance documentation.
Approximately 30 states have enacted the NAIC Insurance Data Security Model Law (based on the 2017 NAIC model). It requires licensed insurance entities — including agencies — to develop and maintain a written information security program, conduct annual risk assessments, and report cybersecurity events to the state Department of Insurance within defined timeframes (typically 72 hours for a notifiable event). Failure to report triggers regulatory penalties and license risk. Our training covers the specific obligations your agency has under the Model Law, the incident response steps required for DOI notification, and the documentation you need to demonstrate compliance at examination.
Take our free Phishing IQ Quiz to benchmark your team's awareness in 5 minutes — or book a 15-minute consult with one of our instructors.