As a security professional at Armis, I’ve observed how cyber threats evolve across sectors. But what we’re witnessing in the insurance industry today is unlike anything we’ve seen before. It’s not just opportunistic hacking. It’s targeted, personal, and escalating at speed.
Recent breaches at Aflac, Erie Insurance, and Philadelphia Insurance Companies are not isolated incidents. They are coordinated, strategic incursions led by threat actors like Scattered Spider, a group that fuses the precision of nation-state operations with the unpredictable, fast-moving nature of cyber chaos.
Why Insurance Is in the Crosshairs
- Data Rich, Trust Heavy
  Insurers are custodians of an enormous volume of personal and financial data, including Social Security numbers, healthcare claims, and banking information, all of which is highly monetizable on the black market.
- A Distributed Attack Surface
  Insurance companies operate in complex digital environments that include sprawling IT and OT infrastructure, legacy systems, hybrid workforces, third-party dependencies, and public-facing portals. This makes lateral movement by adversaries easier and faster.
- A Soft Shell Around a Hard Center
  While many insurers have invested in firewalls and endpoint protection, attackers are bypassing these with ease and targeting people through sophisticated social engineering campaigns.
- Lagging Cyber Maturity
  Compared to finance or healthcare, the insurance sector has traditionally underinvested in cybersecurity. Many organizations still rely on fragmented visibility, legacy patching cycles, and reactive controls.
Why Scattered Spider Is So Dangerous
Scattered Spider represents a new breed of threat actor:
- They use highly targeted social engineering, often posing as IT support.
- They exploit domain impersonation to mimic internal portals and trick users.
- Their operations are lightning fast, with infiltration to impact often occurring in just hours.
- They are industry-agnostic, pivoting between sectors like casinos, insurance, and retail with ease.
This group isn’t just exploiting technology; they’re exploiting human trust at scale.
How the Insurance Sector Must Respond
To counter these threats, insurance organizations must move beyond traditional perimeter defenses and adopt a modern, layered security approach grounded in continuous visibility, contextual understanding, and intelligent automation.
- Conduct Continuous Exposure Assessments
  - Launch a Cyber Threat Exposure Management (CTEM) program for real-time visibility of all digital and physical assets.
  - Use platforms like Armis Centrix™ to map your entire attack surface, assess risk dynamically, and prioritize based on business impact, not just CVSS scores.
- Assume Compromise and Harden Identity
  - Embrace a Zero Trust mindset that verifies every user and device, every time.
  - Leverage behavioral analytics to detect anomalies like unexpected logins or unusual access patterns.
  - Monitor for domain spoofing, regularly rotate privileged credentials, and implement just-in-time access controls.
- Focus on AI-Powered Detection and Early Warning
  - Use machine learning to identify lateral movement, anomalous authentication, and unusual device communication.
  - Detect socially engineered attacks that traditional SIEM or EDR tools often miss.
  - Deploy AI-driven early warning systems to surface threats before they escalate.
- Lock Down the Help Desk Channel
  - Conduct red-team exercises simulating phishing, vishing, and help desk impersonation attacks.
  - Implement biometric verification for high-risk help desk activities.
  - Continuously educate employees on the new wave of social engineering.
- Align Incident Response with Business Continuity
  - Understand your assets and their business context so you can mount a meaningful response quickly enough to outpace attackers.
  - Build automated response playbooks, enable dynamic isolation of compromised devices, and ensure real-time coordination across teams.
  - Resilience is no longer a choice; it is a core business capability.
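The behavioral-analytics and lateral-movement detections recommended above (unexpected logins, unusual access patterns, anomalous authentication) can be prototyped as a handful of rules over authentication logs before any machine-learning model is involved. The following is an added example and is not Armis or Armis Centrix code: the JSON log format, the user names and every event are constructed, and the thresholds (four distinct hosts within fifteen minutes, a different source country within an hour) are illustrative assumptions that a real deployment would tune against its own baseline.

```python
"""Behavioural login-anomaly detection over authentication logs.

Added example, not Armis code. The log format and every event below are
constructed; a real deployment would read from the IdP, VPN or EDR instead.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: successful logins from the preceding weeks.
BASELINE_LOG = """
{"ts": "2025-05-20T08:55:00Z", "user": "alice", "src_country": "US", "device_id": "dev-a1", "dest_host": "vpn-gw", "event": "login_success"}
{"ts": "2025-05-21T09:02:00Z", "user": "alice", "src_country": "US", "device_id": "dev-a1", "dest_host": "claims-app", "event": "login_success"}
{"ts": "2025-05-21T09:10:00Z", "user": "bob", "src_country": "US", "device_id": "dev-b2", "dest_host": "mail", "event": "login_success"}
"""

# Constructed live window: alice's account is used from a new country and a
# new device, then fans out across internal hosts within minutes.
LIVE_LOG = """
{"ts": "2025-06-02T09:00:00Z", "user": "alice", "src_country": "US", "device_id": "dev-a1", "dest_host": "vpn-gw", "event": "login_success"}
{"ts": "2025-06-02T09:30:00Z", "user": "alice", "src_country": "NL", "device_id": "dev-x9", "dest_host": "vpn-gw", "event": "login_success"}
{"ts": "2025-06-02T09:32:00Z", "user": "alice", "src_country": "NL", "device_id": "dev-x9", "dest_host": "fileserv-01", "event": "login_success"}
{"ts": "2025-06-02T09:34:00Z", "user": "alice", "src_country": "NL", "device_id": "dev-x9", "dest_host": "hr-db", "event": "login_success"}
{"ts": "2025-06-02T09:36:00Z", "user": "alice", "src_country": "NL", "device_id": "dev-x9", "dest_host": "claims-app", "event": "login_success"}
{"ts": "2025-06-02T09:38:00Z", "user": "alice", "src_country": "NL", "device_id": "dev-x9", "dest_host": "ad-dc01", "event": "login_success"}
{"ts": "2025-06-02T10:00:00Z", "user": "bob", "src_country": "US", "device_id": "dev-b2", "dest_host": "mail", "event": "login_success"}
{"ts": "2025-06-02T10:05:00Z", "user": "bob", "src_country": "US", "device_id": "dev-b2", "dest_host": "claims-app", "event": "login_success"}
{"ts": "2025-06-02T10:06:00Z", "user": "bob", "src_country": "US", "device_id": "dev-b2", "dest_host": "claims-app", "event": "login_failure"}
"""


def parse_log(text):
    """One JSON object per line -> list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines()]


def event_time(e):
    return datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))


def build_baseline(events):
    """Per-user set of countries and devices seen in successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if e["event"] == "login_success":
            baseline[e["user"]]["countries"].add(e["src_country"])
            baseline[e["user"]]["devices"].add(e["device_id"])
    return baseline


def detect_anomalies(events, baseline, fanout_threshold=4,
                     fanout_window=timedelta(minutes=15),
                     travel_window=timedelta(hours=1)):
    """Return deduplicated (user, kind, detail) alerts in time order."""
    alerts, seen = [], set()

    def emit(user, kind, detail):
        key = (user, kind, detail)
        if key not in seen:          # one alert per distinct finding
            seen.add(key)
            alerts.append(key)

    history = defaultdict(list)      # user -> successful logins seen so far
    for e in sorted(events, key=event_time):
        if e["event"] != "login_success":
            continue
        user, now = e["user"], event_time(e)
        profile = baseline.get(user)  # .get() does not create a default entry
        if profile is None:
            emit(user, "no_baseline", "first login ever seen for this account")
        else:
            if e["src_country"] not in profile["countries"]:
                emit(user, "new_country", e["src_country"])
            if e["device_id"] not in profile["devices"]:
                emit(user, "new_device", e["device_id"])
        # Impossible travel: two countries for one account inside travel_window.
        for prev in history[user]:
            if (prev["src_country"] != e["src_country"]
                    and now - event_time(prev) <= travel_window):
                emit(user, "impossible_travel",
                     f"{prev['src_country']}->{e['src_country']}")
                break
        history[user].append(e)
        # Lateral-movement fan-out: many distinct hosts inside fanout_window.
        recent_hosts = {h["dest_host"] for h in history[user]
                        if now - event_time(h) <= fanout_window}
        if len(recent_hosts) >= fanout_threshold:
            minutes = int(fanout_window.total_seconds() // 60)
            emit(user, "lateral_fanout",
                 f"{fanout_threshold}+ distinct hosts within {minutes} min")
    return alerts


def run_demo():
    """Build the baseline from BASELINE_LOG and score LIVE_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(parse_log(LIVE_LOG), baseline)


if __name__ == "__main__":
    for user, kind, detail in run_demo():
        print(f"{user:6} {kind:18} {detail}")
```

On the constructed data the rules raise four alerts, all on alice: a new country, a new device, impossible travel from US to NL within thirty minutes, and a fan-out across four internal hosts within fifteen minutes; bob's routine logins produce nothing. Each rule is deliberately simple so that its false-positive behaviour is easy to reason about, which is what the correlation-based approach in the metrics section below is asking for.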
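Scattered Spider's domain impersonation of internal portals, and the recommendation above to monitor for domain spoofing, translate into one concrete check: compare newly observed domains against the insurer's own portal domains for homoglyphs, typos, alternate TLDs and brand names embedded in unrelated domains. The following is an added example, not Armis code; examplecorp.com and every observed domain are constructed, the observed list stands in for a feed from certificate-transparency logs or DNS telemetry, and the last-two-labels split is a simplification that a public-suffix list would replace in production.

```python
"""Look-alike domain detector for monitoring portal/brand spoofing.

Added example, not Armis code. The protected domains and the observed
domains below are constructed; in practice the observed list would come
from certificate-transparency logs, DNS telemetry or proxy logs.
"""
from dataclasses import dataclass

# Constructed: the insurer's legitimate portal domains (an assumption).
PROTECTED_DOMAINS = ["examplecorp.com", "claims-examplecorp.com"]

# Constructed: domains seen today, to be checked against the list above.
OBSERVED_DOMAINS = [
    "portal.examplecorp.com",             # legitimate subdomain
    "claims-examplecorp.com",             # legitimate protected domain
    "weatherreport.org",                  # unrelated
    "examplec0rp.com",                    # digit homoglyph
    "examplecorp.net",                    # same name, other TLD
    "exampelcorp.com",                    # transposed letters
    "examplecorp-login.com",              # brand embedded in a new name
    "examplecorp.com.secure-verify.net",  # brand as subdomain elsewhere
]

# Characters and digraphs commonly substituted for letters in look-alikes.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
              "rn": "m", "vv": "w"}


def normalize_label(label: str) -> str:
    """Fold hyphens and common homoglyphs so visual twins compare equal."""
    s = label.lower().replace("-", "")
    for glyph, letter in HOMOGLYPHS.items():
        s = s.replace(glyph, letter)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, TLD, subdomain labels).

    Simplification: the last label is taken as the TLD, so multi-part
    suffixes such as co.uk are not handled; use a public-suffix list for that.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], "", []
    return labels[-2], labels[-1], labels[:-2]


@dataclass
class Finding:
    observed: str
    protected: str
    reasons: list


def assess_domain(observed: str, protected_domains=PROTECTED_DOMAINS,
                  max_distance: int = 2):
    """Return a Finding if `observed` imitates a protected domain, else None."""
    o_sld, o_tld, o_subs = split_domain(observed)
    # A protected domain itself, or any subdomain of one, is never a finding.
    for prot in protected_domains:
        p_sld, p_tld, _ = split_domain(prot)
        if o_sld == p_sld and o_tld == p_tld:
            return None
    o_norm = normalize_label(o_sld)
    for prot in protected_domains:
        p_sld, p_tld, _ = split_domain(prot)
        p_norm = normalize_label(p_sld)
        reasons = []
        if o_norm == p_norm:
            if o_tld != p_tld:
                reasons.append(f"same name under different TLD .{o_tld}")
            else:
                reasons.append("homoglyph or hyphen variant of the name")
        else:
            dist = levenshtein(o_norm, p_norm)
            if dist <= max_distance:
                reasons.append(f"typosquat (edit distance {dist})")
            elif p_norm in o_norm:
                reasons.append("brand embedded in the registrable name")
        if any(p_norm in normalize_label(s) for s in o_subs):
            reasons.append("brand used as a subdomain of an unrelated domain")
        if reasons:
            return Finding(observed, prot, reasons)
    return None


def scan(observed_domains=OBSERVED_DOMAINS, protected_domains=PROTECTED_DOMAINS):
    """Assess every observed domain and return the list of findings."""
    findings = []
    for domain in observed_domains:
        finding = assess_domain(domain, protected_domains)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f.observed:36} ~ {f.protected}: {'; '.join(f.reasons)}")
```

On the constructed list five of the eight domains are flagged, and the two legitimate entries plus the unrelated domain pass. The edit-distance threshold of two catches single typos and transpositions; raising it increases recall on long brand names at the cost of more unrelated matches, so it should be set per protected domain rather than globally.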
The Metrics That Matter
To measure effectiveness, insurers should focus on the KPIs that signal real readiness:
- Mean Time to Detect (MTTD): Less than 1 hour
- Mean Time to Respond (MTTR): Within 4 hours
- Unknown-to-known asset ratio: Under 5%
- Phishing resilience: >85% pass rate in quarterly simulations
- Lateral movement alerts: Near-zero false positives via correlation-based detection
Final Thoughts
At Armis, we’re helping insurers pivot from reactive containment to proactive exposure management. Because in today’s landscape, it’s not enough to know you’ve been breached; you need to act before it happens.
Prevention starts with visibility. Resilience starts with readiness.
And both start now.