Cybercriminals are relentlessly targeting the insurance sector with advanced social engineering attacks and AI-powered schemes, according to a new report by cybersecurity awareness and human risk management leader NINJIO. The report, titled “Managing Risk: Human Cybersecurity & The Insurance Industry,” highlights how digitization has increased the attack surface for insurers — and why employee behavior and awareness now represent a critical front in cyber defense.
As insurers digitize policy management, claims processing, and customer communications, threat actors are exploiting every touchpoint — from compromised third-party platforms to low-level employee accounts — to launch wide-reaching, high-cost cyberattacks.
“Some of the largest breaches in recent history have stemmed from a single stolen password,” said Matt Lindley, Chief Innovation and Information Security Officer at NINJIO. “The insurance industry is experiencing a perfect storm: rapid digital transformation, AI-enhanced cybercrime, and an expanding web of third-party risk. The common thread is the human element — and that’s where we have to intervene.”
Key Findings from the Report:
- Cyberattacks are now ranked as the top global business risk by insurance executives, according to PwC and Allianz.
- The Change Healthcare breach alone affected 190 million Americans and cost over $2.5 billion — a result of compromised employee credentials.
- Third-party breaches are surging — with supply chain incidents increasing 68% year-over-year across the financial and insurance sectors.
- Social engineering, phishing, and credential theft are the leading causes of successful breaches.
The report explores how AI and automation are fueling increasingly sophisticated phishing campaigns, fake documentation, and deepfake-based identity fraud, all of which exploit the human vulnerabilities inside insurance organizations.
“AI now lets bad actors clone internal emails, generate synthetic policyholders, and impersonate third-party vendors with chilling accuracy,” said Lindley. “Many insurers are accelerating digital onboarding, but haven’t prepared employees for this level of deception.”
Case studies featured include:
- Change Healthcare: $2.5B breach from a single MFA-less login
- Travelers & GEICO: credential-based attacks leading to mass data exposure and regulatory fines
- MOVEit breach: third-party software compromise affecting insurers like Prudential and Delta Dental
“Insurers aren’t just protecting data, they’re protecting trust,” said Joshua Ray, CEO of Blackwire Labs and former U.S. Department of Defense cybersecurity lead. “Cyberattacks don’t just steal information, they destabilize business relationships, disrupt operations, and erode customer confidence.”
To counteract rising threats, NINJIO’s report calls on CISOs and security teams to prioritize:
- Relevant and personalized cybersecurity awareness training
- Phishing simulations and behavioral risk assessments
- Zero-trust architecture and AI threat monitoring
- Vendor vetting and supply chain security audits
“AI can now create phishing emails and fake documents that look more real than the originals,” said Lindley. “In this environment, traditional security tools won’t be enough. Cybersecurity awareness is no longer optional — it’s a business imperative.”
Download the Full Report by visiting NINJIO’s website.
NINJIO is a human risk management solution that reduces cybersecurity risk through personalized and engaging awareness training and phishing simulations. The NINJIO platform uses data on individuals' emotional vulnerabilities, learning styles, and security behavior to develop personalized learning plans that help organizations improve cybersecurity behavior. Our multi-pronged approach to training focuses on the latest attack vectors to build employee knowledge and the behavioral science behind social engineering to coach users' cybersecurity behavior.