Report Finds Cybersecurity Gaps Persist Across Insurance Sector

Insurance Information Institute

MALVERN, PA — The Insurance Information Institute, in partnership with Fenix24, has released a report examining how insurers manage cybersecurity risks, finding that while investments have increased, gaps remain in key areas that could hinder responses to cyber threats.

The report, Cybersecurity for Insurers: Squaring Safety with Service, identifies weaknesses in patching frequency, authentication practices, and recovery testing, based on discussions with insurance industry executives aligned with regulatory and underwriting standards.

Sean Kevelighan, CEO of the Insurance Information Institute, said insurers face dual responsibilities in assessing risk for policyholders while maintaining their own cybersecurity posture.

“They assess cyber risk for policyholders and establish security requirements as conditions of coverage, yet they also need to demonstrate their own cybersecurity practices meet or exceed evolving standards,” Kevelighan said.

Mark Grazman, CEO of Fenix24, said many organizations are not adequately prepared for ransomware scenarios.

“Most organizations have tested their recovery plans for natural disasters or standard IT outages, but not for ransomware attacks,” Grazman said, adding that attackers often target core infrastructure including identity systems, virtual machines, and communications platforms.

The report notes the cyber insurance market reached $15.3 billion in net premiums written in 2024 and is projected to grow to $16.3 billion in 2025, according to Munich Re.

Ransomware accounted for 19% of cyber claims in 2023, while business email compromise and funds transfer fraud represented 56% of claims, according to the report.

Business interruption contributes to roughly half of the $1 million average cost of ransomware incidents, based on data from NetDiligence.

Among key findings, most insurers have implemented immutable backups and report meeting recovery time objectives for critical systems, but testing is often limited to isolated systems rather than full network recovery.

All surveyed insurers use password vaults and require multi-factor authentication for administrative accounts, though some still rely on less secure methods such as SMS or email-based verification.

Many insurers employ DNS filtering and restrict peer-to-peer file transfers, but some allow split tunneling, which can expose users to phishing and other cyber risks.

The report also found all participants conduct penetration testing, including social engineering scenarios, but only about half deploy security patches on a monthly basis despite faster exploitation timelines for new vulnerabilities.

The study concludes that preparedness, including tested recovery capabilities and faster patch cycles, is more critical than attempting to achieve complete prevention.

“The difference between resilience and disaster lies not in perfect prevention but in systematic preparation, validated recovery capabilities and organizational commitment to continuous security improvement,” the report states.

The full report is available at https://www.iii.org/white-paper/cybersecurity-for-insurers-squaring-safety-with-service-040126.