Clients look to their insurance agents for security against losses from fire, theft, accidents, and more. As leaders in an industry focused on risk mitigation and financial protection, it only makes sense for agency leaders to make sure their own houses are in order. That’s why maintaining strong security against cyberattacks, both direct and through third parties, is vital for agencies today.
My team at Oak Street Funding recently hosted a webinar and podcast with IT risk experts who walked us through the importance of maintaining a culture of protection against cyberthreats. We learned that it does more than protect an agent’s own business; it can be an opportunity to protect and educate clients and earn their trust.
The state of cybersecurity in insurance agencies
Insurance agencies have a unique set of cybersecurity demands. They must keep sensitive client information safe, follow governmental and industry regulations for data security and make sure their operational systems keep running. A fault in any one of those areas can cause tremendous harm and be expensive to mitigate.
Unfortunately, agencies consistently have the lowest cybersecurity ratings among businesses in the insurance industry. This fact alone can spur action among agents who want to follow best practices, protect their firms, and be a leading example for their clients.
The types of cyberthreats insurance agencies face
There are many different types of cyberattacks, and ransomware is one of the most common today. In a ransomware attack, bad actors use a variety of methods to gain access to a target’s systems, then deploy malicious code (malware) that locks the user out of their data. The cyberthieves then demand a ransom payment before the user can regain access to their systems. Ransomware has become so sophisticated that some criminal enterprises run “ransomware as a service” operations, making it easier for less tech-savvy bad actors to launch attacks simply by buying off-the-shelf malware on the dark web.
An insurance agency hit by a ransomware attack could lose access to its client information, sales records, and internal administrative and financial tools in an instant if it doesn’t have adequate backups in place.
As AI technology develops and becomes easier to access, it has driven a rise in other emerging threats, including AI-driven deepfakes, which rose an astonishing 2,137% between 2021 and 2024, according to digital security consulting firm Signicat. With deepfakes, cybercriminals use artificial intelligence to create a fake voice and/or video of a person who is normally trusted, such as an agency owner. They then send a message from that “person” to a lower-level employee instructing them to transfer money to an account controlled by the cyberthieves.
These types of misrepresentations have become highly sophisticated and can trick an employee into sharing information with, or making financial transfers to, bad actors posing as trusted contacts.
What are third-party cyber risks?
According to Ben Phillips, director of IT and risk advisory at KSM, because many agencies rely on external vendors and suppliers for their business and technology needs, one company’s cybersecurity incident can spread to others that share systems or data.
These third-party risks, where a breach in one company is used as an entry point to another, make up a staggering 59% of security breaches in the insurance sector, nearly twice the cross-industry baseline of 29%, according to 2025 research from cybersecurity ratings firm SecurityScorecard.
Third-party incidents can come from companies outside the industry as well, such as general software providers or cloud storage systems. The July 2024 CrowdStrike-Microsoft outage that caused airlines to ground flights and prevented businesses around the world from accessing their Windows computer systems is an example of how a problem with a third party can wreak havoc across industries.
How agencies can reduce third-party cyber risks
The idea of a cyberthreat coming from a third party may seem like a scary prospect, but there are some actions agency leaders can take to reduce their risk of attacks stemming from a third party or at least minimize the damage.
- Thoroughly screen vendors’ cybersecurity measures before entrusting data or systems access to them.
- Set up cybersecurity insurance for your own business.
- Establish multiple forms of backup (physical devices and more than one cloud system) to facilitate quick recovery after an incident.
- Create and regularly update a company plan for handling cybersecurity incidents with a designated person to lead the effort.
How agencies can maintain internal cybersecurity
Of course, cybersecurity risks can come from inside the agency as well as through third parties. More than two-thirds of breaches involve a non-malicious human element, according to the Verizon 2024 Data Breach Investigations Report, so it’s essential for agencies to have processes and training in place to help reduce risks.
Here are some suggestions to help with internal data and systems security:
- Minimize turnover – The more former employees a company has, the more old passwords are floating around. Through carelessness or malice, those credentials could provide access to their former employer’s systems.
- Use security software and keep it up to date – Consider investing in a software program that continually monitors your company’s systems and provides an additional layer of protection. It must be updated regularly, however, to remain effective.
- Be cautious with employee devices – When employees use personal devices for work, they can inadvertently introduce viruses, malware, and other harmful code. If employees are allowed to use their own devices for work, there should be a strict policy for what security software they must use and what networks they are allowed to access.
Maintaining cybersecurity protects an agency, its clients, and the companies with which it shares connections. Some agencies choose to manage cybersecurity in-house, while others contract with a third-party cybersecurity firm for the mechanics of day-to-day monitoring.
Phillips also maintains that regardless of the model used, every agency should have an internal person accountable for maintaining the security of its systems. That team member should have the full support of the agency’s leadership so that everyone in the agency knows that the commitment to cybersecurity comes from the top.
The bottom line
Cybersecurity must be a core competency for anyone doing business today, especially in the insurance industry. Letting clients know that their information is being carefully safeguarded can be a powerful way to earn their trust and model proactive risk management. Providing them with education on how to best manage cybersecurity in their business and personal lives is also helpful.
Direct attacks and threats from third parties are a major concern. Staying vigilant and being prepared for a quick recovery are an agency owner’s best protection against system downtime and data loss.
The views, opinions, and positions expressed herein are those of the author alone, and should not be considered to represent official positions of Liberty Mutual nor to imply any endorsement by Liberty Mutual.