Ransomware on operations. BEC on claims and premium wires. Third-party broker portals. The insurance industry is in the crosshairs — and the regulatory exposure is multiplying.
Recent incidents that defined the threat landscape
The insurance industry's threat profile extends well beyond a single attack vector. Here's where the real exposure lives.
Carriers process millions of policyholder records and claims daily. An ALPHV/BlackCat attack on a title insurer halted home closings for days — affecting not just the carrier but every policyholder, lender, and realtor in the chain. Carriers are increasingly primary targets.
$2.9B annually in FBI IC3-reported wire fraud — and insurance agencies are disproportionately targeted because they regularly move large sums via wire. Claims disbursements and premium transfers are both lucrative BEC targets.
MOVEit showed exactly how supply chain attacks work: exploit a single vendor and you own the data of every downstream insurer and agency that uses it. Broker portals, MGAs, TPAs, and comparative raters are all potential entry points.
NAIC + NYDFS + GLBA + HIPAA + state law. One incident can trigger all of them simultaneously. The compliance stack is complex, and training your team to understand what they're looking at — and when to escalate — is as important as any technical control.
Unauthorized access to systems containing 850,000 policyholder records. SEC 8-K filed. Class action settlement of $4.66M. Regulator scrutiny across multiple states.
850K Records exposed · $4.66M settlement
NYDFS Part 500 enforcement action — $1M fine for failure to remediate known vulnerabilities. Second breach within weeks. First-ever Part 500 enforcement action set precedent for all insurers.
$1M NYDFS penalty · Part 500 precedent
Clop ransomware group's MOVEit exploit compromised TPAs and insurers. WPS Health Solutions alone exposed 3.1M Medicare beneficiaries. Broker portal vendors are prime supply chain risk vectors.
3.1M Beneficiaries exposed via WPS
ALPHV/BlackCat ransomware. Initial disclosure: 36K individuals affected. Revised to 2.5M after investigation. The delay in accurate breach scope created additional regulatory exposure across multiple jurisdictions.
2.5M Records (revised from 36K)
One cyber incident can trigger five regulatory frameworks simultaneously. Here's how they stack up.
| Regulation | Agency | Key Requirement | Penalty |
|---|---|---|---|
| NAIC MDL-668 | State Insurance Commissioners (multistate) | Coordinated cybersecurity examination; written data security program; third-party risk management; incident notification within 72 hours | Market withdrawal + fines |
| NYDFS 23 NYCRR Part 500 | New York Dept. of Financial Services | Written cybersecurity program; CISO designation; 72-hour notification to Superintendent; annual board certification | $1,000/violation |
| GLBA Safeguards Rule | FTC + state attorneys general | Written security program; annual risk assessment; employee training; vendor due diligence; encryption of customer data | $100K/violation/day |
| HIPAA Security Rule | HHS Office for Civil Rights | PHI protection; administrative/physical/technical safeguards; breach notification within 60 days (500+ individuals) | $1.9M/violation type |
| State Breach Notification Laws | 46 states — varies by state | Notify affected individuals; notify state AG; notify consumer reporting agencies if breach exceeds state threshold | Varies by state |
Generic security awareness training doesn't address the specific attack patterns hitting insurance agencies and carriers. These three drills do.
Walk your claims and operations team through the exact BEC pattern targeting insurance wire transfers — from spoofed carrier emails to fake change-of-banking instructions on claims disbursements and premium refunds.
Insurance agents and brokers are prime targets for phishing campaigns impersonating carrier portals, E&O carriers, and comparative raters. This drill covers the exact phishing patterns and how to recognize fake carrier login pages.
Third-party portals, comparative raters, and MGA platforms are the MOVEit-style entry points for carrier breaches. This drill covers the vendor risk assessment, MFA enforcement, and quarterly review processes that stop supply chain intrusions.
No per-seat licensing. No annual contracts. Book a session, train your team, done.
Free Download
5 attack patterns, DMARC enforcement guide, out-of-band verification protocol, and 3 tabletop scenarios for insurance teams handling claims wires and premium transfers.
It varies by state, but most states require notification within 72 hours of determining a breach has occurred. NAIC MDL-668 established a model data security law that many states have adopted, calling for notification as soon as practicable but no later than 72 hours after the insurer determines the breach is likely to cause harm. NYDFS Part 500 is more specific: covered entities must notify the Superintendent within 72 hours of a cybersecurity event. Failure to notify on time can trigger penalties independent of the underlying breach.
NAIC MDL-668 is a multistate examination working group — not a law itself, but a coordinated examination framework used by state insurance regulators to assess how insurers are managing cybersecurity risk across their operations and third-party relationships. NYDFS 23 NYCRR Part 500 is New York's specific cybersecurity regulation for financial services companies, including insurance companies licensed in New York. It requires a written cybersecurity program, a designated CISO, 72-hour notification to the NYDFS Superintendent, and annual certification by senior leadership. If you write in New York, Part 500 applies regardless of MDL-668 findings.
Yes — the Gramm-Leach-Bliley Act applies to any 'financial institution' that is significantly engaged in financial activities, which includes insurance companies that are licensed as insurers. The GLBA Safeguards Rule requires written security programs, regular risk assessments, employee training, and monitoring of third-party service providers. For health insurers, HIPAA adds another layer on top of GLBA. The SEC's cybersecurity disclosure rules (March 2024) also require material cybersecurity incidents to be disclosed in 8-K filings, which is relevant for publicly traded insurers.
BEC targeting insurance brokers typically starts with phishing to compromise an agent's or carrier rep's email account. The attacker then monitors the mailbox for incoming wire requests or policy change instructions and sends updated wiring instructions from the compromised account. The defense: (1) callback verification using a known-good number on file, never the number in the email; (2) dual-control approval for any wire over $5,000; (3) vendor master file change controls requiring two independent approvals to change banking details; (4) monthly account reconciliation to catch anomalies; and (5) regular simulated phishing training to keep the team alert.
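The first three controls in the answer above, as an added example that is not part of the original page or any vendor's product: a Python pre-release check that holds a wire when dual control, the known-good-number callback, or the two-person banking-change approval is missing. The data model, field names, threshold constant and the sample request are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DUAL_CONTROL_THRESHOLD = 5_000  # dollars; "any wire over $5,000" per the controls above


@dataclass
class WireRequest:
    """One claims disbursement or premium transfer awaiting release (assumed data model)."""
    payee: str
    amount: float
    bank_details_changed: bool           # payee's routing/account differs from the vendor master file
    email_phone: Optional[str]           # phone number quoted in the emailed instructions, if any
    callback_number: Optional[str]       # number actually dialled for out-of-band verification
    known_good_number: Optional[str]     # number on file in the vendor master file
    approvers: List[str] = field(default_factory=list)         # who approved the wire itself
    change_approvers: List[str] = field(default_factory=list)  # who approved the banking change


def release_check(req: WireRequest) -> List[str]:
    """Return the control failures for a wire; an empty list means it may be released."""
    failures: List[str] = []
    # Control 2: dual control. A set() ensures the same person approving twice does not count.
    if req.amount > DUAL_CONTROL_THRESHOLD and len(set(req.approvers)) < 2:
        failures.append("dual-control: two distinct approvers required for wires over $5,000")
    if req.bank_details_changed:
        # Control 1: callback must go to the number on file, never the one in the email.
        if not req.callback_number:
            failures.append("callback: no out-of-band verification performed")
        elif req.callback_number != req.known_good_number:
            if req.callback_number == req.email_phone:
                failures.append("callback: dialled the number supplied in the email, not the number on file")
            else:
                failures.append("callback: verification did not use the known-good number on file")
        # Control 3: vendor master file change needs two independent approvals.
        if len(set(req.change_approvers)) < 2:
            failures.append("vendor master: banking-detail change needs two independent approvals")
    return failures


if __name__ == "__main__":
    # Constructed sample: 'updated wiring instructions' on a $12,500 claim payout, verified only
    # by calling the number printed in the email and approved by a single person.
    suspicious = WireRequest(payee="Example Body Shop LLC", amount=12_500, bank_details_changed=True,
                             email_phone="555-0100", callback_number="555-0100",
                             known_good_number="555-0199", approvers=["alice"], change_approvers=["alice"])
    for failure in release_check(suspicious):
        print("HOLD:", failure)
```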
First American Financial was fined $1M by NYDFS in November 2023 — the first-ever Part 500 enforcement action — for failing to remediate known vulnerabilities in its title insurance platform, including an exposed database containing sensitive consumer data. The lesson: Part 500 doesn't just require a cybersecurity program — it requires that your program actually fix identified vulnerabilities. The agency suffered a second breach within weeks of the first, compounding the damage. For independent agents and agencies, this demonstrates that regulators will hold you to the same standards as carriers. A documented, active security training program is now part of the compliance record that examiners expect to see.
Health insurers and stop-loss carriers are covered entities under HIPAA. They must protect PHI (policyholder health data, claims history, biometric data) under the HIPAA Security Rule, notify HHS of breaches affecting 500+ individuals within 60 days, and in some states notify the state attorney general. Cyber incidents affecting health insurers don't just trigger HIPAA — they can trigger state insurance commissioner notification requirements, state data breach notification laws (46 states), and GLBA Safeguards Rule obligations simultaneously. The compliance stack is complex, and training your team to recognize the intersection of these obligations is as important as the technical controls.
Book a live session today. Sessions are 60–120 minutes, held over Zoom, and built around your specific carrier operations, broker portal workflows, and claims wire processes.