By Don Okolie and Deepti Chauhan
Last year’s global IT outage due to CrowdStrike’s faulty update disrupted hundreds of businesses and essential services across multiple countries, pointedly illustrating a growing threat to organizations worldwide. Cyber threats are rapidly outpacing the ability of traditional insurance and risk management strategies to mitigate them, with two of the world’s largest participants in the insurance carrier and broker market–Zurich and Marsh McLennan–stating that they are worried about the future.
This stark warning highlights an urgent issue: Verizon’s 2025 Data Breach Investigations Report indicates the dependence on third-party service providers increases an organization’s vulnerability to cyberattacks. Sharing sensitive customer data, including personally identifiable information (PII), with third-party vendors exposes organizations to significant risks, from reputational damage to regulatory penalties and operational disruptions.
The Scope of the Challenge
Within the insurance sector, cybersecurity has evolved from a peripheral concern to a core business priority for both insurers and their clients. As claims processing becomes more complex and critical functions like data management, underwriting, and customer service are outsourced, insurers are exposed to a broader cyber threat landscape.
Data breaches affecting insurers have been known in some instances to originate from their third-party service providers, each of which presents an entry point for malicious actors to exploit weaknesses in the supply chain.
A study by Security Scorecard Research indicates that up to 59% of breaches among the top 150 insurance companies involved third-party attack vectors.
These cyber threats not only reveal critical vulnerabilities within the sector’s supply chain, but they also come at significant financial cost. In 2023, according to IBM Security the global average cost of a data breach reached $4.45 million, with sectors such as insurance experiencing even higher costs due to the sensitive nature of data involved.
Importantly, this is not just an insurance carrier issue–it affects everyday consumers, as well. To absorb the costs of compromised data and increased security measures, insurers might have little recourse but to increase premiums, shifting or sharing the cost burden with their customers. Additionally, these cyberattacks compromise consumers’ sensitive personal information, undermining the trust they place in insurers.
The Broker’s Role in Mitigating Cybersecurity Risks
In today’s evolving landscape, brokers play an important role that extends far beyond policy placement–they are critical in ongoing risk management. While traditional insurance models solely focus on coverage, modern risk management requires continuous engagement to address evolving cybersecurity threats. Brokers can offer crucial guidance during the pre-placement stage and throughout the policy lifecycle, helping to protect both carriers and their customers from third-party risks.
Here are a few ways brokers can mitigate cybersecurity risks for their customers related to third-party providers.
Pre-Placement Advisory: Conducting Rigorous Due Diligence
Before selecting a third-party provider or vendor, brokers can assist clients in evaluating the cybersecurity posture of potential vendors (directly or through proficient consultants).
Some key considerations include:
1. Assess which third parties require in-depth cybersecurity due diligence, so as to focus commensurate effort on the vendors that pose a real risk. Some parameters to consider:
• Whether a vendor or subcontractor accesses the client’s network using its own devices or infrastructure (i.e., devices that are not client-owned and/or client-managed).
• Whether the client is procuring applications, software, IT products (non-consumables), or cloud services (including APIs) that will integrate with, or have a touch point with, the client’s network.
• Whether client data (non-public/PII/PHI/SPII/PCI/Client Confidential, as per the client’s Data Classification Policy) is exported out of the client network and shared with the vendor.
2. Verify whether the vendor or its subcontractors hold relevant security certifications or attestations (issued by an authorized and reputable agency) for the service or product being provided. For example, ISO 27001 may be considered when vendors provide services executed in the client environment and a comprehensive ISMS is needed, and SOC 2 may be considered for data security controls when client data (especially for clients in North America) is transferred to the vendor’s application in the vendor’s environment.
3. Validate whether vendors have mitigated the gaps identified during due diligence, and assess the residual risk. The residual risk can help in tailoring the policy and providing clarity on policy limitations.
Vendor Selection, Negotiation and Contracting
Brokers could counsel clients to integrate specific cybersecurity clauses into contracts with third-party providers and negotiate said contracts to address cybersecurity concerns identified during the due diligence phase.
Further, brokers can help businesses establish clear lines of responsibility for cyber incidents and ensure that they have the necessary legal protection.
Ongoing Engagement: Ensuring Transparency and Continued Oversight
Brokers can guide insurers to achieve greater transparency through continuous monitoring and governance of their customers’ third-party providers. This can be achieved through:
• Providing updates about emerging cyber threats and ensuring that vendor and third-party policies and practices are up to date.
• Monitoring or auditing the security posture of the vendor or third party, per pre-defined qualifiers and frequency, and providing guidance on policy changes (including validation of security certifications such as ISO and SOC, and adherence to NIST, GDPR, and so on).
• Providing guidance on cost-effective strategies for transferring cyber risks (to insurance companies or other third parties).
• Assisting in incident simulations and testing to help the organization learn from a potential incident and improve its cybersecurity posture in the future.
Brokers may also offer broader risk management services, such as cybersecurity consulting, threat monitoring, and penetration testing. Moreover, brokers may assist with claims related to third-party breaches, such as liability for damage caused by data breaches affecting customers or partners.
Actionable Steps for Insurers and Customers
By further investing in a proactive, advisory role, brokers can help both insurers and their customers reduce the cybersecurity risks associated with third-party providers. Through vigilant due diligence, continuous monitoring, and robust certifications, brokers can empower insurers to mitigate potential data breaches.
In a continuously and rapidly evolving cybersecurity landscape, broker-driven partnerships built on trust, transparency, and a shared commitment to data protection are essential for safeguarding sensitive client information and ensuring long-term business success.
Okolie is global head of the insurance underwriting practice, and Chauhan is an information security leader, at Genpact.