Cybersecurity for Insurance: 6 Must-Do Strategies for Managing Third-Party Risk

“We are currently experiencing a network outage and investigating a network security event.”

As an insurance company, imagine having to run that banner message at the top of your website for more than a week. Or worse, picture this notice appearing on your “Get a Quote” page:

“A network outage is currently impacting [your company name] systems. All available resources are working to restore functionality as soon as possible. Please check back later to access this feature.” Only, day after day, the message is still the same.

Unfortunately, that’s exactly the situation that Erie Insurance, a Pennsylvania-based insurer, has today. The company is now deep into its second week of a serious cybersecurity crisis that began on June 7, when its information security team detected unusual network activity – a sign of a potential cyberattack on insurance infrastructure.

Since then, Erie has wrestled with a widespread outage that has taken core systems and customer-facing services offline. As part of its incident response protocol, Erie shut down key systems to contain the threat and prevent further spread — an essential step but one that has caused extended service disruptions. Customers remain unable to log into the portal, file claims, get quotes, or access critical documents. Email and document workflows have also been impacted.

Erie Indemnity Company, which manages operations for Erie Insurance Group, reported the incident in a mandatory Form 8-K submission to the U.S. Securities and Exchange Commission (SEC):

“On June 7, 2025, Erie Indemnity Company (the “Company”) identified unusual network activity, which the Company determined to be the result of an information security event. Upon learning of this activity, the Company activated its incident response protocols and took immediate action to respond to the situation to safeguard our systems. The Company also notified and is working with law enforcement.

The Company continues to take protective measures, and is conducting forensic analysis with the assistance of leading third-party cybersecurity experts to gain a full understanding of this event.

Given the recency of the event, the Company’s investigation and response are ongoing, and the full scope, nature, and ultimate impact on the Company are not yet known.”

More Than Half of Insurance Sector Breaches Linked to Third Parties

The situation at Erie is not an isolated incident. Rather, it reflects a growing trend across the insurance industry. Insurance companies are a top target for cyberattacks and experience a higher rate of breaches compared to many other industries. Why? Insurance agencies hold vast amounts of sensitive, personally identifiable information (PII) and financial data, making them attractive targets for cybercriminals seeking to profit from identity theft or fraud.

Interestingly, a February 2025 report from SecurityScorecard reveals that nearly six in ten data breaches at major insurance companies can be traced back to third-party sources, pointing to serious cybersecurity vulnerabilities across the insurance industry’s supply chain.

The analysis, focused on the top 150 insurance companies, found that 59 percent of breaches involved third-party attack vectors — a record high and more than double the global industry average rate of 29 percent. These incidents frequently stemmed from external software vendors and IT service providers, which were responsible for half of the third-party breaches.

From carriers and reinsurers to brokers, claims administrators, and niche tech vendors, the insurance sector’s deep dependence on interconnected information technology makes it both highly efficient and highly exposed. This complexity has become a cybersecurity liability, especially as reliance on digital systems continues to grow faster than the sector’s ability to secure them. Cyber risks now stretch beyond insurers’ internal systems and deep into their vendor networks. Managing third-party security has become a critical challenge for insurance companies – one that the industry can no longer overlook.

An Insurance Industry Example

Here’s a personal example. Just a few years ago, I was exhibiting for AIS Network at a couple of regional insurance industry conferences. We offered a free penetration test — a service worth thousands of dollars — as part of our conference giveaway, and a number of agency owners won. But when we followed up, most never returned our calls. Others delayed scheduling for so long that they eventually forgot about it altogether. In the end, not a single free penetration test was performed — even though we were ready and willing to deliver. It just wasn’t seen as urgent. They did not care.

That whole story is unfortunate, because penetration testing is one of the most effective ways for insurance companies to identify weaknesses before attackers do — whether those vulnerabilities exist in their own systems or in the broader supply chain. In a sector as interconnected as insurance, every weak link matters. If even one partner neglects routine security assessments, the risk can ripple across the entire network.

Impact of Cybersecurity Incidents on the Insurance Industry

Cybersecurity incidents can have far-reaching consequences for insurance companies, threatening not only operational continuity but also financial stability, regulatory compliance, reputation, and customer trust. A single breach can expose vast amounts of sensitive policyholder data, result in millions of dollars in remediation and legal costs, trigger regulatory investigations or fines, and lead to reputational damage that may take years to rebuild. Because the insurance industry manages highly confidential financial and personal information, it remains a high-value target for cybercriminals, and breaches can erode the very trust that underpins its business model.

Cybersecurity Guidance for the Insurance Industry

As insurance companies face rising threats — particularly through third-party vendors — strengthening cybersecurity across the supply chain has become an urgent priority. Here are six actionable recommendations that can help insurers bolster their defenses, reduce regulatory exposure, and build greater resilience against increasingly sophisticated cyberattacks.

  1. Prioritize third-party risk oversight.
    Insurance carriers are particularly exposed due to their dependence on external supply chain partners, especially IT vendors, brokers, and service providers that may lack mature cybersecurity practices. Strengthen risk oversight by identifying which partners pose the greatest exposure and ensuring that those vendors meet industry-recognized security benchmarks. Give preference to vendors that undergo regular third-party audits (e.g., HIPAA, SOC 2 Type II) or that align with NIST standards, since these validations offer greater assurance of cybersecurity readiness and regulatory compliance.
  2. Confirm that your vendors also have robust supply chain security.
    Don’t just vet your vendors; vet your fourth-party risk as well. Ensure that your vendors are also assessing their own suppliers. Gaps in your vendors’ third-party risk management (TPRM) programs can leave you exposed to downstream attacks, such as those that exploited the widespread MOVEit vulnerability.
  3. Refuse to pay ransomware attackers.
    Paying ransomware demands rarely guarantees data recovery and may expose your organization to legal liabilities. It also emboldens cybercriminals to keep attacking. Instead, invest in prevention and recovery strategies that reduce your reliance on ransom payments.
  4. Implement continual monitoring of third-party cyber risk.
    Use monitoring tools to track vendors’ cybersecurity performance over time. Static assessments are no longer enough in a fast-moving threat landscape.
  5. Conduct regular incident response drills across the supply chain.
    Coordinate tabletop exercises with key vendors to test how well your partners can detect, contain, and recover from a breach. These drills help identify weaknesses in response coordination before a real incident occurs.
  6. Align your cybersecurity efforts with regulatory frameworks.
    Last but not least, ensure that your cybersecurity policies and vendor oversight processes align with industry regulations like NYDFS 500, NAIC Model Law, and state-specific privacy laws. Demonstrating compliance can mitigate penalties and build resilience during audits or breach investigations.

Turn Risk Into Readiness

Cybersecurity is no longer just an IT issue; it’s a business-critical risk that demands board-level attention, especially in the insurance industry, where trust and continuity are everything.

The Erie Insurance breach is a sobering reminder of how quickly operations can grind to a halt and how deeply third-party vulnerabilities can ripple through an organization. If you’re relying on outdated assessments or assuming your vendors have it handled, it’s time to think again. Prioritize third-party risk management, invest in proactive testing, and choose partners who can prove their security posture with independent audits. The cost of inaction is far higher than the investment in prevention. Don’t wait for a breach to force the conversation.

Take the lead now by contacting our cybersecurity team for a comprehensive insurance cybersecurity assessment, third-party risk review, or penetration test. Whether you’re looking to strengthen vendor oversight, validate compliance, or uncover hidden vulnerabilities, our experts will help you reduce risk, meet regulatory requirements, and protect your most valuable assets — before a breach forces your hand.