Why insurance agencies cannot afford to ignore cybersecurity anymore
With data breaches averaging 6.58 million dollars in the insurance industry and ransomware attacks up 68 percent, independent agencies face existential threats that could shut them down overnight. Here is what you need to protect your clients and your business right now.

Key takeaways
- Insurance agencies face 6.58 million dollar average breach costs - significantly higher than other industries due to sensitive client data and regulatory requirements under GLBA
- Ransomware severity jumped 68 percent in 2024 - with average losses of 353,000 dollars and attackers specifically targeting insurance agencies like Erie Insurance, Aflac, and Philadelphia Insurance Companies
- Most agencies still lack basic security measures - despite 23 states adopting NAIC cybersecurity requirements, many small agencies have no written security policy, employee training program, or incident response plan
- AI agents can automate security monitoring and compliance - handling tasks like access logging, backup verification, security training tracking, and vendor assessments that agencies struggle to maintain manually
- Want to see how AI agents could strengthen your security posture? Let's review your specific vulnerabilities.
Insurance agencies with fewer than 500 employees face average breach costs of 3.31 million dollars. That is not a hypothetical risk for someone else.
Three major insurance companies got hit within five days in 2025. Erie Insurance shut down customer portals for nearly a month. Aflac disclosed unauthorized network access from social engineering attacks. Philadelphia Insurance Companies joined the list.
The pattern is clear. Agencies hold exactly what attackers want - social security numbers, medical records, financial data, driving histories. All neatly organized in your agency management system. That is why insurance agency cybersecurity has become the top concern for independent agencies in 2024.
The laws that already apply to you
Most agency owners think cybersecurity is optional until something goes wrong.
Wrong.
The Gramm-Leach-Bliley Act has required insurance agencies to protect customer data since 2000. Not suggested. Required. GLBA applies to anyone who is significantly engaged in insuring, guaranteeing, or indemnifying against loss, and to anyone acting as principal, agent, or broker. That includes your agency.
Here is what GLBA actually requires. You must provide every customer with a privacy notice describing how you collect, maintain, and share their nonpublic personal information. You must explain their right to opt out if they do not want information shared with third parties. You must maintain security measures to protect the confidentiality and integrity of customer information.
State insurance regulators enforce GLBA through state laws. Most states based their regulations on the NAIC Insurance Data Security Model Law, which 23 states have adopted. The model requires agencies to develop and maintain an information security program based on risk assessment, with a designated employee responsible for security.
Penalties start at 50 dollars per record for HIPAA violations and reach up to 500,000 dollars for state law violations. But regulatory fines are the least of your problems when a breach happens.
The real cost of getting breached
Let me show you real numbers from real breaches.
MCNA Insurance Company lost data for nine million patients in a 2023 cyber incident. Keenan and Associates notified 1.5 million clients that their personal information was compromised. The MOVEit file transfer attacks hit multiple insurance companies - Prudential with more than 320,000 customer accounts affected, New York Life Insurance Company with 25,700 accounts, Genworth Financial with up to 2.7 million individuals impacted.
Those are the big names that made headlines. Small agencies get hit harder because they lack the resources to recover.
Ransomware attacks jumped in severity by 68 percent in the first half of 2024, with average losses hitting 353,000 dollars. Ransomware groups reduced their initial demands to 1.1 million dollars, and 44 percent of victims paid. Only 18 percent of victims who paid the ransom fully recovered their data.
Think about that. Nearly half the victims pay, and less than one in five gets everything back.
The financial hit is immediate and brutal. Your agency management system goes dark. Customer service stops. Renewals cannot process. Certificates cannot be issued. Revenue drops to zero while fixed costs keep running.
But the real damage shows up later. Research shows that customer trust takes years to rebuild after a breach. Agencies lose accounts not just from the breach itself, but from carriers who refuse to do business with agencies that have demonstrated poor security practices.
Forget the Hollywood hacker breaking through firewalls. That is not how insurance agencies get compromised.
Business email compromise attacks hit finance and insurance harder than other sectors, accounting for 26.5 percent of BEC cases. The FBI estimates 2.9 billion dollars in losses from business email compromise in 2023 alone.
Here is how it works. Someone in your agency gets an email that looks like it came from a carrier, a client, or your agency management system vendor. The email asks them to verify account information, reset a password, or download an attachment. They click. Game over.
Insurance and retail employees show high susceptibility, with 39.2 percent falling for phishing attempts. Training can reduce breach risk by more than 70 percent, but most agencies either skip training entirely or do it once during onboarding and never again.
Social engineering gets more sophisticated every month. Attackers spend time researching your agency before they send that email. They know your carriers, your agency management system, your vendors. By mid-2024, 40 percent of business email compromise attacks used AI-generated content, making the emails harder to spot as fake.
The second common entry point is weak access controls. How many people in your agency can access your entire customer database? How many former employees still have active logins to your systems? When was the last time you reviewed who has access to what?
Third-party vendors create risk most agencies never consider. When Landmark Admin got hit with a cyberattack in May 2024, they exposed personal information for over 800,000 individuals. If your vendors have access to your data, their security problems become your security problems.
The security measures that work
Stop thinking about cybersecurity as buying expensive tools and hoping for the best.
Start with access controls. Every person in your agency should have access only to the data they need to do their job. Your customer service reps do not need access to commission data. Your producers do not need access to HR files. When someone leaves your agency, their access should terminate that day, not whenever IT gets around to it.
Multi-factor authentication is not optional anymore. Cyber insurance providers now require it for coverage. If someone steals or guesses a password, multi-factor authentication stops them from getting in. It works.
Regular backups save agencies when ransomware hits. But backups only work if you actually test them. I found agencies that discovered their backups were corrupted or incomplete only after they needed them. Test your backup restoration process quarterly. Make sure backups are stored separately from your network so ransomware cannot encrypt them too.
Employee training needs to happen quarterly, not once. Cyber insurance providers require annual or biannual training covering phishing recognition, password security, and incident reporting. Training should include simulated phishing tests so you know who needs additional help.
Incident response planning matters more than most agencies realize. When a breach happens, you need to know exactly who does what. Who calls the cyber insurance carrier? Who notifies affected clients? Who contacts state regulators? Who handles communications with carriers? Write it down. Test it. Update it.
Vendor risk assessment should be part of every new vendor relationship. Before you give a vendor access to your data, verify they have appropriate security measures. Ask for their security certifications. Check if they have cyber insurance. Find out who is responsible if they cause a breach that affects your clients.
GLBA is federal law. The NAIC model is state law. But insurance agency cybersecurity requirements go beyond those frameworks.
If your agency handles health insurance, HIPAA applies. If you operate in California, CCPA applies. If you serve customers in Europe, GDPR applies. Each regulation adds requirements, and the penalties stack up.
The NAIC documentation spells it out clearly - agencies must conduct regular risk assessments, implement security measures based on those assessments, and designate an employee responsible for the information security program. Most small agencies do none of this.
Compliance is not about checking boxes. It is about building systems that protect client data regardless of what the law requires. But knowing the legal requirements helps you prioritize where to start.
The key requirement most agencies miss is the written information security policy. You need documentation that explains how your agency protects data, who is responsible for security, how you train employees, how you assess vendors, and how you respond to incidents. Without written policies, regulators assume you have no policies.
AI agents that handle security work agencies skip
Here is the truth about insurance agency cybersecurity - most agencies know what they should do. They just do not have time to do it.
Security monitoring takes constant attention. Access logs need review. Failed login attempts need investigation. System patches need testing and deployment. Security training needs scheduling and tracking. Vendor assessments need updating. Nobody has bandwidth for this on top of servicing clients, writing new business, and handling renewals.
AI agents built for insurance operations can handle the repetitive security tasks that agencies skip.
A compliance monitoring agent tracks when employees complete required security training, sends reminders for upcoming deadlines, and alerts you when someone falls behind. It monitors changes to regulatory requirements in your state and flags when new compliance tasks need action.
An access control agent logs who accesses what data, identifies unusual access patterns that might indicate compromised credentials, and flags when former employees still have active access. It can automatically disable accounts for departed employees and send alerts when access permissions need review.
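The access review described above, and the least-privilege rule from the access controls section, as an added example in Python that is not code from the article or from any product it mentions. The roster, role map and log lines are constructed for illustration; the thresholds (a 500-record bulk read, business hours of 07:00 to 19:00) are assumptions an agency would tune to its own baseline.

```python
"""Access review over constructed agency-system access logs (added example)."""
from datetime import datetime, date

# Constructed sample roster: user -> (role, departure date or None).
ROSTER = {
    "jsmith": ("service_rep", None),
    "mlee": ("producer", None),
    "tbrown": ("service_rep", date(2024, 5, 31)),  # departed employee
    "owner": ("principal", None),
}

# Least-privilege map: the data categories each role may touch.
ROLE_ALLOWED = {
    "service_rep": {"policy", "client_contact"},
    "producer": {"policy", "client_contact", "quote"},
    "principal": {"policy", "client_contact", "quote", "commission", "hr"},
}

# Constructed log lines: timestamp, user, data category, records read.
ACCESS_LOG = """\
2024-06-03T09:12:41 jsmith policy 12
2024-06-03T09:40:02 jsmith commission 3
2024-06-03T22:15:09 mlee client_contact 850
2024-06-04T08:01:00 tbrown policy 5
2024-06-04T10:30:00 owner hr 2
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, category, count = line.split()
        events.append((datetime.fromisoformat(ts), user, category, int(count)))
    return events

def review_access(events, roster, role_allowed, bulk_threshold=500):
    """Return (user, finding, timestamp) tuples for each policy violation."""
    findings = []
    for ts, user, category, count in events:
        role, departed = roster.get(user, ("unknown", None))
        if role == "unknown":  # login not on the roster at all
            findings.append((user, "unknown_user", ts.isoformat()))
            continue
        if departed is not None and ts.date() > departed:  # still active after exit
            findings.append((user, "departed_user_active", ts.isoformat()))
        if category not in role_allowed[role]:  # outside least-privilege map
            findings.append((user, f"out_of_role:{category}", ts.isoformat()))
        if count >= bulk_threshold:  # bulk read, possible data export
            findings.append((user, f"bulk_access:{count}", ts.isoformat()))
        if not 7 <= ts.hour < 19:  # assumed business hours
            findings.append((user, "after_hours", ts.isoformat()))
    return findings

def run_review():
    return review_access(parse_log(ACCESS_LOG), ROSTER, ROLE_ALLOWED)
```

Each finding maps to an action the article already calls for: disable the departed user's account, trim the out-of-role permission, and investigate the bulk after-hours read as a possible compromised credential.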
A backup verification agent confirms backups run successfully, tests restoration processes on a schedule, and alerts you immediately if backup failures occur. It maintains the documentation auditors want to see about your backup procedures.
A vendor assessment agent tracks security certifications for your vendors, monitors for vendor breaches reported in the news, and reminds you when vendor security reviews are due. It maintains records of vendor security documentation required for compliance audits.
These agents do not replace your IT security. They augment it by handling the monitoring and tracking work that falls through the cracks when people get busy. They work around the clock, never forget to check something, and maintain perfect documentation for audits.
Pick one thing and fix it today.
If you have nothing else, implement multi-factor authentication on your agency management system and email. Most cyber insurance claims could have been prevented if the agency had multi-factor authentication enabled.
Second priority is employee training on phishing recognition. Send a test phishing email to your staff and see who clicks. Use the results to schedule targeted training for people who need it.
Third, document your current security measures. Write down what systems you use, who has access to what, how you handle backups, and what your incident response plan looks like. Even if the documentation reveals gaps, knowing what you have is the first step to improving it.
Insurance agency cybersecurity is not a one-time project. It is an ongoing process that needs attention every week. The agencies that survive breaches are the ones that treated security as essential operations, not optional IT work.
Want to see how AI agents could automate the security monitoring and compliance tracking your agency struggles to maintain? Let’s map your specific security workflows and put numbers to the solution.
About the Author
Amit Kothari is an experienced consultant, advisor, and educator specializing in AI and operations. He is the CEO of Tallyfy and Stern Stella, which focuses on managed AI agents that do work for you autonomously, 24/7 without you needing to build, test, improve or maintain them. Originally British and now based in St. Louis, MO, Amit combines deep technical expertise with real-world business understanding.
Disclaimer: The content in this article represents personal opinions based on extensive research and practical experience. While every effort has been made to ensure accuracy through data analysis and source verification, this should not be considered professional advice. Always consult with qualified professionals for decisions specific to your situation.