
Insurance Cybersecurity Incidents: Why Operational Disruption Lasts Months Beyond Recovery

Why enterprise resilience requires cross-functional cybersecurity preparedness beyond IT recovery

Since Mitch Wein’s blog, “Scattered Spider Attacks: Why Insurance Companies Need Robust Security Architecture,” was published, more insurance incidents have been linked to Scattered Spider, a cybercrime group best known for social engineering help desks and identity providers and for deploying ransomware once inside, including attacks on Aflac and the First Insurance Company of Hawaii.

According to Astra, a cyberattack occurs roughly 2,200 times a day, about once every 39 seconds. The average data breach costs a U.S. company nearly US$9.5 million, and the global cost of cybercrime in 2024 is estimated at US$9.5 trillion.

For insurance executives, these numbers represent more than financial losses. Cybersecurity incidents create lasting operational disruptions that extend well beyond the point at which systems are restored. For both IT and business leaders, understanding the full extent and duration of those disruptions, and what complete restoration actually requires, is critical to developing response strategies that protect immediate operations and preserve a long-term competitive edge.

The importance of retaining customer and distribution partner trust cannot be overstated. While the figures are not specific to insurers, Hiscox reported that the share of attacked businesses finding it harder to attract new customers after a cyberattack more than doubled, from 20% in 2023 to 47% in 2024, and the share reporting customer attrition rose from 21% to 43% over the same period.

Recent cybersecurity incidents in the insurance industry reveal a harsh truth: the impact of cyber events can persist for months after systems are restored, creating ripple effects across all aspects of carrier operations—from claims processing to regulatory compliance, financial reporting, and customer retention.

Insurance Cybersecurity Vulnerabilities: Unique Operational Risks for Carriers

The insurance industry faces operational challenges during cybersecurity events that set it apart from other industries:

24/7 Claims Obligations: Unlike many businesses that can temporarily suspend operations, insurance carriers have regulatory and contractual obligations to provide continuous claims reporting and emergency services. System outages don’t excuse carriers from these fundamental obligations.

State-by-State Regulatory Complexity: Operating in multiple states means managing different notification requirements, reporting standards, and compliance obligations simultaneously during a crisis. Cybersecurity incident notification requirements vary by state; 26 states have adopted a version of the NAIC Insurance Data Security Model Law, which requires notifying the insurance commissioner no later than 72 hours after determining that a cybersecurity event has occurred. On top of that, states have enacted general security breach notification laws that apply to all businesses, each with its own triggers, timelines, and consumer-notice requirements, so a single incident can start several different clocks at once.

Catastrophe Response Preparedness: Cybersecurity events can coincide with natural disasters, creating a dual operational challenge at exactly the moment carriers need full system capacity for catastrophe response. The frequency of both catastrophic weather events and cybersecurity incidents continues to rise.

Reinsurance Reporting Requirements: Staying on top of reinsurance reporting and communication remains essential, but system outages complicate this process and may jeopardize coverage or strain reinsurer relationships.

Enterprise Resilience Demands Comprehensive Planning Beyond Technology Recovery

Integrated Planning Requirements

Effective cybersecurity preparedness requires integrating the Disaster Recovery Plan (DRP) with the Business Continuity Plan (BCP), so that planning covers traditional IT recovery and the business operations that depend on it, while anticipating prolonged restoration periods. A ransomware event is not a data-center outage: backups, replicas, and the DR site itself may be compromised, and forensic evidence preservation, regulator inquiries, and law enforcement involvement can keep systems offline long after they are technically recoverable.

Business Process Mapping: Document every critical business process and its technology dependencies, including manual workarounds for each system component. Identify the weekly, monthly, quarterly, and annual activities. Verify business and IT owners at least twice a year to prevent gaps in these key roles.

Regulatory Communication Protocols: Develop pre-approved communication templates and notification procedures for state insurance departments, including specific timelines and escalation procedures for various incident types.

Customer Communication Strategies: Create multi-channel communication plans that operate independently of compromised systems, including partnerships with external communication providers, pre-provisioned out-of-band channels that do not rely on corporate email or collaboration tools (which may themselves be compromised or offline), and pre-drafted customer notifications. Make sure all team members have access to the approved messaging and understand where to direct media or other public inquiries.

Financial Operations Continuity: Establish manual processes for critical financial operations—premium collection, claim payments, treasury activities, and regulatory reporting—that function independently of primary systems. As with the business process documentation, assume a worst-case scenario in terms of the duration of a full or partial systems outage.

Comprehensive Testing: Traditional disaster recovery testing focuses primarily on technical system recovery, but cybersecurity events require comprehensive business operations testing. This includes end-to-end testing of manual processes, regulatory scenarios, customer service, and detailed financial operations.

Cross-Functional Coordination: Cybersecurity events demand close coordination between traditionally separate organizational functions: IT, business operations, legal, public affairs, and communications.

Insurance Cybersecurity Strategy: Leadership Recommendations for Cyber Resilience

1. Invest in CISOs and Specialized Cyber Expertise

Modern cybersecurity represents complex risks and defenses requiring strong CISOs and elevated strategies beyond most fractional CISOs. The Datos Insights Cybersecurity Practice is uniquely positioned to help carriers meet these urgent challenges.

2. Elevate Cybersecurity to Strategic Business Risk

Align cybersecurity planning with enterprise risk management, with board-level oversight and integration with overall business strategy.

3. Invest in Comprehensive Testing Programs

Implement quarterly business continuity exercises that test operational processes, encompassing both technical recovery and coordination with external partners and regulatory bodies.

4. Develop Detailed Manual Process Documentation

Create and maintain detailed procedures for operating critical business functions without primary systems, including resource requirements and performance expectations.

5. Establish Industry Partnerships

Build relationships with other carriers, vendors, and service providers to share resources and coordinate response efforts in the event of industry-wide threats.

6. Prioritize Regulatory Relationship Management

Maintain ongoing communication with state insurance departments about cybersecurity preparedness and incident response capabilities to foster trust before incidents occur.

Insurance Cyber Preparedness: Why Cross-Functional Action Can’t Wait

The cybersecurity threat landscape will continue to evolve, but the fundamental business operations and IT challenges remain consistent: maintaining essential services, meeting regulatory obligations, and protecting customer relationships while restoring systems over extended periods of time.

Recent incidents demonstrate that recovering systems is only the first (albeit complex) step in cybersecurity incident response. Successful organizations view cybersecurity preparedness as an enterprise capability that combines technology, operations, communications, and strategic planning.

The moment for thorough preparation is now. Organizations that delay comprehensive cybersecurity planning risk operational disruption, regulatory penalties, and permanent customer loss when—not if—incidents occur.

The experts at Datos Insights help insurance companies build comprehensive cybersecurity preparedness programs that integrate technical recovery with business operations continuity. Email me at [email protected] or John Horn, Head of our Cybersecurity Practice, at [email protected] to discuss enhancing your organization’s cybersecurity operational resilience.