There are a host of issues with how insurers approach cyber risk management.
That’s the verdict of a new report from the Insurance Information Institute (Triple-I) and cybersecurity firm Fenix24, which has identified key strengths and vulnerabilities in how insurers are managing cyber risk, as the industry faces increasingly complex and fast-evolving threats.
The report, “Cybersecurity for Insurers: Squaring Safety with Service,” examines internal cybersecurity practices across property/casualty insurers and finds that while firms have made significant investments in security controls, gaps remain in areas such as patch management, authentication methods, and recovery preparedness.
Insurers occupy a dual role in the cybersecurity landscape, acting both as underwriters of cyber risk and as organizations exposed to the same threats they assess. The report notes that this creates pressure for insurers to demonstrate robust internal practices that align with the standards they impose on policyholders.
Cyber risk continues to grow alongside the expansion of the cyber insurance market, which reached $15.3 billion in net premiums written in 2024 and is projected to increase to $16.3 billion in 2025. While ransomware remains a significant concern, it accounted for only 19% of cyber claims in 2023. By contrast, business email compromise and funds transfer fraud represented a majority of claims at 56%, highlighting a shift in threat patterns.
The report outlines several key findings:
The findings suggest that insurers are shifting focus from achieving perfect security to building resilience through preparation, testing, and continuous improvement.
The report emphasizes that effective cybersecurity strategies must balance protection with operational efficiency, particularly as insurers manage both internal systems and customer-facing services in an increasingly digital environment.