Insurance carriers, heavily reliant on third-party service providers for claims processing, are increasingly vulnerable to cyberattacks. (Credit: Ipuwadol/Adobe Stock)

Recent cyberattacks sent shockwaves through the insurance industry, exposing a harsh truth: Third-party vendors are becoming a critical weak link. From databases surfacing on the dark web to breaches at top carriers, these incidents highlight the growing risks insurers face when sharing sensitive customer data with their third-party vendors. Personally identifiable information (PII) in the wrong hands doesn’t just threaten reputations; it invites regulatory scrutiny, operational chaos, and a loss of trust that’s hard to rebuild.

Such incidents underscore a critical reality: Insurance carriers, heavily reliant on third-party service providers for claims processing, are increasingly vulnerable to cyberattacks. Sharing sensitive customer data, including personally identifiable information, with third-party vendors exposes insurers to significant risks, from reputational damage to regulatory penalties and operational disruptions.

Insurance cybersecurity crossroads

Cybersecurity is no longer a peripheral concern; it’s a core priority. Many data breaches that impact insurers originate with third-party service providers. Today’s claims processes are powered by interconnected digital systems, but every touchpoint is a potential entryway for cyber threats. The more complex the network, the greater the opportunity for malicious actors to find a way in. Recent statistics underscore the gravity of the issue:

  • SecurityScorecard reports that 59% of breaches among the top 150 insurance companies involved third-party attack vectors, exposing critical supply chain vulnerabilities.
  • IBM’s Cost of a Data Breach Report 2023 shows the global average cost of a data breach is $4.45 million, with the costs significantly higher for industries like insurance.
  • Recent Forrester research indicates that only 30% of organizations evaluate at least half of their third-party relationships in their risk programs. This is a worrying statistic.

Real-world examples

When cybersecurity works: A success story...

A regional insurance carrier partnered with a third-party claims service provider that embraced a "defense-in-depth" strategy. By deploying a layered security framework, including encryption, real-time monitoring, and robust access controls, the provider successfully thwarted a ransomware attack. Their incident response team identified and contained the threat within hours, preventing any breach of client data and avoiding reputational damage and financial losses. This case underscores the importance of investing in proactive security measures.

When cybersecurity fails: A cautionary tale...

In 2021, a life insurance company faced a devastating data breach after one of its third-party vendors was compromised. The breach exposed over 500,000 records, including sensitive policyholder information such as Social Security numbers and medical data. The fallout was severe and included regulatory fines, lawsuits and a significant loss of customer trust. This incident serves as a stark reminder of the importance of thorough due diligence when selecting service providers and enforcing strict data-sharing protocols.

Practical steps for insurers

To mitigate cybersecurity risks associated with third-party claims service providers, insurers can take the following actionable steps:

No. 1: Conduct rigorous due diligence. Before engaging a third-party provider, assess the following to evaluate their cybersecurity readiness across these critical areas:

  • Culture of cybersecurity. Review policies and procedures; training and awareness programs; and the credentials of their security team.
  • Proactive approach to cybersecurity. Look for risk-based and adaptive strategies including security risk-management programs, continuous threat exposure management, control validations, and robust metrics programs.
  • Cyber hygiene: Ensure hardened on-premises and cloud infrastructure and endpoints. Constantly focus on AV-EDR, DLP, encryption, vulnerability, patching, and mandatory MFA. Also, make sure privileged access management, mobile device management, and dedicated remediation programs are in place.
  • Cyber defense and resilience. Assess their advance logging and SOC operations, incident response triggers, incident management, threat intelligence monitoring, simulation exercises and frequency of testing. Also, review the vendor’s history of security incidents and breaches.
  • External validation, certifications, and collaboration. Check for security frameworks and certifications (ISO 27001/ ISO 27701/ GDPR/ PIPL/ CCPA/ POPIA/ ISAE 3402 / NIST/ PCI-DSS and so on), industry collaborations to improve program maturity, and use of posture management tools like SecurityScoreCard and BitSight. Assess the vendor’s credibility in the industry via awards and accolades.
  • Governance. Confirm they have a mature governance with clear, independent lines of defense responsibilities.

Another essential component of due diligence is gaining a clear understanding of the service provider's operating model, including the involvement of any subcontractors, to ensure data security considerations are thoroughly addressed.

No. 2: Mandate contractual security requirements. Create and enforce an Information Security Exhibit (ISE) for all vendor contracts. Include specific cybersecurity expectations in contracts (aligned with insurance-sector regulatory requirements) such as:

  • Data protection and compliance mandates;
  • Regular audits and risk assessments;
  • Immediate incident reporting and breach management protocols; and
  • Comprehensive security controls tailored for various modes of service delivery/ types of data/ technologies used (i.e., clauses / sections become applicable, as and when services are modified — thereby preventing repeated changes to the ISE or inadvertent omissions during contact changes or renewals).
No. 3: Develop a continuous monitoring program. Cybersecurity is not a one-and-done process. Implement ongoing monitoring to ensure compliance including:

  • Scheduled reviews of security controls and posture;
  • Tracking of service providers’ adherence to cybersecurity standards and contractual commitments;
  • Periodic evaluation of incident response and cyber resiliency (including cyber simulation collaborations); and
  • Seeking external intelligence about reported day-zero vulnerabilities, actionable intelligence based on CVE score, monitoring changes to supplier’s security posture etc.
No. 4: Create a robust incident response plan. Collaborate with service providers to align incident response plans focusing on:

  • Coordinated communication in the event of a security incident and protocols in case of a breach;
  • Clearly defined roles and responsibilities; and
  • Regular tabletop exercises to test and refine response capabilities.

A call to action

Vasu Srinivasan, Genpact

Deepti Chauhan, Genpact

To mitigate risks, insurance carriers must ensure third-party providers uphold strong cybersecurity standards. By asking the right (and timely) questions, demanding robust certifications, and maintaining vigilant oversight, insurers can significantly reduce the threat of data breaches.

In today’s evolving and volatile cybersecurity landscape, partnerships built on trust, transparency and a shared commitment to data protection are essential for safeguarding sensitive information and preserving customer confidence.

Strong partnerships and sharper vigilance are your best defense in a world where data security is non-negotiable.

Vasu Srinivasan is global head of Claims at Genpact, and Deepti Chauhan is information security leader at Genpact.

NOT FOR REPRINT

© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.