Why carriers should prioritize tech security in 2025

Cybersecurity threats are immediate; their harm is real

Why carriers should prioritize technology security, including multifactor authentication, in 2025

Insurance carriers handle some of the most sensitive financial and personal data in the world, making them both a prime target for attackers and the subject of new regulation necessitated by the escalating threat of cyberattacks. Carriers that fail to comply with state requirements meant to strengthen their technology security could risk both financial penalties and their market reputation.

The cybersecurity threats facing insurers

When hackers gain access to the valuable consumer data collected by carriers, the costs quickly start compounding. Beyond the cost of system restoration, carriers must contend with regulatory fines, lawsuits, and reputational harm. A single data breach can break consumers’ trust.

A 2024 Munich Re global risk and insurance survey found that 87% of C-level executives believe their technology security to be inadequate against cyberattacks. Additionally, 47% reported their organizations already have been impacted by data breaches. This growing universality of cyber threats only drives up the cyber insurance market—predicted to reach $29 billion by 2027—but it will prove challenging for insurers to grow their share of the market when their own security practices come into question.

One hacking group known as “Scattered Spider” recently turned its focus to the insurance industry, specifically hitting carriers such as Erie Insurance, Philadelphia Insurance Companies, and Aflac, according to Google’s Threat Intelligence Group. Why were they targeted? Because insurance records are a high-value source of exploitable consumer data, rich with personal identifiers, medical billing details, and financial transactions. To criminals, it doesn’t hurt that the insurance industry as a whole has been somewhat slower to embrace new, more secure technology.

As insurance continues to modernize and individual carriers grow their digital ecosystems—adding brokers, claims processors, and third-party vendors—the exposure to potential cybersecurity threats grows, too. An industry study cited recently in Insurance Journal showed that 59% of the 150 most significant insurance data breaches involved third-party service providers.

As of 2025, MFA is functionally required

To help counter these threats, regulatory changes are underway that will impact insurers, most notably any carriers subject to New York State law.

What’s changing? By the end of 2025, the New York Cybersecurity Regulation (23 NYCRR 500)—first issued by the State Department of Financial Services in 2017 and amended in 2023—will be fully in force. Widely regarded as one of the most stringent cybersecurity rules for financial services, it requires covered entities including insurance carriers to implement core safeguards, including multifactor authentication (MFA), in order to better protect consumer data.

What is multifactor authentication (MFA)?

Multifactor authentication is a security measure that requires users to submit two or more different forms of identity verification to access a digital system, making it more difficult for unauthorized users to gain access to sensitive data.
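To make the definition concrete, here is an added example (not code from the original article) of a minimal two-factor login check: a password as the knowledge factor and a time-based one-time code (TOTP, RFC 6238) as the possession factor. The demo account, salt and password are constructed; the TOTP secret is the RFC 6238 reference secret so the generated codes can be checked against the published test vectors. The verifier tolerates one 30-second step of clock skew, compares codes in constant time, and refuses to accept a counter that has already been used, which is the replay check a production implementation also needs.

```python
"""Two-factor login check: PBKDF2 password hash + RFC 6238 TOTP code.

Added example, not from the original article. Account data is constructed.
"""
import hashlib
import hmac
import struct

# Constructed demo values. The TOTP secret is the RFC 6238 reference secret
# (ASCII "12345678901234567890") so codes match the RFC's test vectors.
DEMO_SALT = b"constructed-demo-salt"
DEMO_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Knowledge factor: slow, salted password hash (store only this)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_demo_user() -> dict:
    """Constructed account record: hashed password, TOTP secret, replay guard."""
    return {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": DEMO_SECRET,
        "last_counter": -1,  # highest TOTP counter already accepted
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the accepted counter, or None.

    Accepts the current step and +/- `window` neighbours (clock skew), compares
    in constant time, and rejects any counter already used (replay).
    """
    base = unix_time // step
    accepted = None
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            accepted = counter
    return accepted


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Both are always evaluated so a wrong password
    and a wrong code take the same time; the caller learns only pass/fail."""
    pw_ok = hmac.compare_digest(hash_password(password), user["password_hash"])
    counter = verify_totp(user["totp_secret"], code, unix_time, user["last_counter"])
    if not (pw_ok and counter is not None):
        return False
    user["last_counter"] = counter  # burn the code so it cannot be replayed
    return True


if __name__ == "__main__":
    user = make_demo_user()
    t = 59  # RFC 6238 test-vector time; real code would use int(time.time())
    code = totp(DEMO_SECRET, t)
    print("first login:", login(user, "correct horse battery staple", code, t))
    print("replayed code:", login(user, "correct horse battery staple", code, t + 1))
```

The replay guard matters in practice: without it, a code captured by a phishing page or a shoulder-surfer remains valid for the whole skew window. Secrets in a real deployment live in a secrets store, not in source, and the password hash parameters should follow current guidance for PBKDF2 or a memory-hard alternative.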

Many of the regulation’s measures around access monitoring and security training became mandatory effective May 1, 2025, with further enhanced user MFA requirements that must be in place prior to Nov. 1, 2025. As a result, carriers operating in New York must certify their compliance with the regulation or face enforcement actions, but the impact extends beyond state lines. Given the number of carriers operating in New York, whether headquartered there or not, MFA for insurance carriers’ digital ecosystems will likely become the norm elsewhere in the country.

Before this rule took full effect, hackers notably gained access to two major carriers operating in New York, GEICO and Travelers, resulting in financial penalties totaling $11.3M.


For carriers with more complex operations, new MFA requirements must also extend beyond internal staff: Broker portals, third-party administrators, and claims processors all fall under the same access-control portion of the regulation meant to address the third-party vulnerabilities at fault in recent data breaches.

Along with MFA, carriers need a proactive security strategy

Technology security requires more than meeting minimum regulatory requirements. Munich Re’s report highlights the need for layered risk management, continuous monitoring, and proactive scenario planning, because systemic risks can’t be addressed with reactive measures alone.

What carriers can do now

To protect their customers and their own standing in the industry, carriers should:

  • Mandate MFA universally in core operations: Require MFA for all employees, contractors, and third-party vendors with access to sensitive data.
  • Expand security within third-party vendor agreements: Include explicit MFA and monitoring requirements in contracts and conduct regular security audits.
  • Invest in digital ecosystem monitoring: Use continuous validation tools to detect and contain threats before they spread.
  • Routinely run scenario-based exercises: Prepare for large-scale events—outages, affiliate breaches—through live-response simulations.

Advanced security controls—such as zero-trust frameworks or AI-driven anomaly detection—are important, but MFA remains one of the highest-impact and lowest-cost safeguards against cyberattacks.

Precaution defines the insurance industry, and technology security can no longer be treated as a back-office concern.
