SecureWorld News

Cyber Insurance Paradox: Judgers of Risk Struggle to Manage Own Risk

Written by Cam Sivesind | Tue | Apr 7, 2026 | 12:50 PM Z

The insurance industry occupies a unique and powerful position in the cybersecurity ecosystem. By setting underwriting standards, insurers effectively act as the de facto regulators of global security, defining what good looks like for everyone else.

However, a new joint report from the Insurance Information Institute (Triple-I) and Fenix24, "Cybersecurity for Insurers: Squaring Safety with Service," reveals a striking paradox: the very entities judging the world's risk are struggling to manage their own.

For cybersecurity professionals, the report is a critical look at the "circularity of risk" within the $16.3 billion cyber insurance market. Here is what the findings mean for the broader economy and the leaders advising on breach preparedness.

Insurers are high-value targets because they sit on a "triple threat" of data: sensitive PII/PHI of policyholders, proprietary financial data of global corporations, and systemic economic importance.

The report highlights that while ransomware is the headline-grabber, it only accounts for 19% of reported cyber claims. The real "silent killers" are Business Email Compromise (BEC) and Funds Transfer Fraud (FTF), which together drive 56% of claims. Despite this, insurers themselves are still working through "foundational" challenges, creating a disconnect between the security they mandate and the security they maintain.

"The findings reinforce that the insurance sector remains a high-value target because it sits at the intersection of sensitive data, financial transactions, third-party dependencies, and reputational exposure," said Heath Renfrow, Co-founder and CISO of Fenix24. "Threat actors understand that insurers are not just protecting their own operations—they are part of the broader response and recovery ecosystem for many other businesses. That makes disruption inside an insurer especially consequential."

Renfrow added, "What stands out most is that the challenge is no longer just about preventing intrusion. The threat landscape has evolved into one where attackers are deliberately targeting the systems that organizations rely on to respond and recover—identity infrastructure, administrative pathways, core applications, and backup environments. For insurers, that raises the stakes significantly. A compromise is no longer just an IT event; it can quickly become an operational and customer-impact event."

When the referees of risk have blind spots, the entire game changes for policyholders.

If insurers are still maturing their own defenses, there is a risk that underwriting requirements—such as MFA or EDR mandates—are being applied as "checkbox" compliance rather than deep, risk-based validation.

Foundational struggles within the insurance sector lead to unpredictable markets. There is a "tug-of-war" where rates decrease while threats evolve, suggesting that the industry is still struggling to find a stable actuarial baseline for cyber risk.

Business interruption now accounts for half of the $1 million average cost of a ransomware incident. Entities can no longer rely on insurance to just "pay the ransom"; they must prove they can restore operations independently.

For CISOs and advisors helping leadership navigate the insurance landscape, the Triple-I/Fenix24 report offers three key pivots:

  1. Shift from "insured" to "recoverable": Don't just prepare to meet an underwriter’s checklist. Focus on cyber resilience—the ability to assure recoverability through automated infrastructure mapping and "battle-tested" recovery platforms.

  2. Validate the "human workflow" gap: Since 56% of claims stem from BEC and transfer fraud, advise leadership that technical controls are insufficient. The "workforce identity gap" at the help desk and in funds transfer processes is where the most frequent (and insured) losses occur.

  3. Pressure test vendor interdependency: The report notes that systemic economic importance makes insurers a target. Treat your insurer like a high-risk third-party vendor. Ask: If my insurer is breached, how does that impact my ability to trigger my own incident response and recovery?

The most provocative question raised by this research is systemic: If insurers are still navigating foundational cybersecurity challenges, can they accurately price risk for the rest of the economy?

If the surveyors of the land don't know where the sinkholes are on their own property, their maps of the broader territory are inherently suspect. This suggests that the industry may be over-relying on historical data for a threat landscape that is being fundamentally rewritten by AI-driven automation and autonomous threat agents.

Some additional thoughts from Renfrow

1. "The research suggests many organizations aren’t testing recovery in real-world ransomware scenarios. What does 'true' cyber resilience look like in practice, especially as attacks increasingly target identity systems and core infrastructure?

True cyber resilience is not a policy, a slide, or a tabletop exercise. It is the proven ability to restore business operations under real-world attack conditions, when identity is impaired, infrastructure is degraded, tools may be unavailable, and time is working against you.

In practice, that means several things. First, organizations must know what matters most to the business and in what order it must come back. Second, they need validated recovery paths for critical systems, not theoretical ones. Third, they must test recovery in conditions that resemble actual ransomware events—not clean lab scenarios. And finally, they need to assume that identity systems such as Active Directory, privileged accounts, and core management infrastructure may be compromised or unavailable during the event.

The gap we often see is that companies test whether data can be restored, but not whether the business can actually run again. Those are very different things. Recovery that is not tested against real dependencies, identity compromise, and operational pressure is not resilience—it is optimism."

2. "With cyber claims shifting toward BEC and fraud over ransomware, how should insurers and enterprises be rethinking their security and risk models?

Insurers and enterprises need to expand their thinking from pure malware defense to business process protection. Business email compromise and fraud succeed less through technical destruction and more through trust abuse, identity misuse, and control failure. That requires a different lens.

Security and risk models should place much more emphasis on identity assurance, privileged access, approval workflows, vendor payment controls, communications verification, and detection of abnormal business activity. In other words, the organization has to protect not only its systems, but also the decision-making processes that move money, authorize change, and approve transactions.

This shift also means risk models should not over-index on whether malware was involved. Some of the most damaging losses now come from attacks that exploit people, process, and identity without ever deploying ransomware. The financial and operational consequences can be just as severe."

3. "What are the potential downstream implications for policyholders if insurers themselves are still maturing in areas like recovery testing, patching speed, and identity protection?

If insurers are still maturing in these areas, the downstream implications for policyholders can be significant. At a basic level, it creates concentration risk in an industry that many organizations depend on during moments of crisis. If an insurer experiences operational disruption, delays in claims handling, communications, underwriting, or partner coordination can directly affect customers when they are most vulnerable.

There is also a broader market implication. Insurers help shape expectations around cyber maturity, coverage terms, and response readiness. If their own operational resilience lags behind the threat, the entire ecosystem can become less stable. Policyholders may face longer response timelines, more friction during claims events, or changes in underwriting and coverage assumptions driven by uncertainty.

More broadly, resilience inside insurance organizations matters because they are part of the trust backbone of cyber response. When they are strong, the system is stronger. When they are not, stress cascades outward."

4. "What needs to change for insurers to close these gaps and keep pace with the current threat environment?

Operationally, organizations need to move from control ownership to outcome ownership. It is not enough to say a tool is deployed or a policy exists. Leadership needs evidence that the company can withstand and recover from a destructive cyber event. That requires rigorous testing, clear restoration priorities, dependency mapping, identity hardening, and executive-level accountability for recovery readiness.

Culturally, there also has to be a shift away from assuming resistance alone will solve the problem. Prevention is necessary, but it is not sufficient. Every organization will eventually face control failure somewhere. The ones that perform best are those that have accepted this reality and built muscle memory around recovery.

The strongest insurers will be the ones that treat resilience as a core operating discipline—not a compliance exercise. That means making recovery readiness as measurable, repeatable, and accountable as financial controls or claims operations. In today's environment, resilience is not just a security issue. It is a business capability."