Insurers Assess Cyber Risk Every Day. But How Well Are They Managing Their Own?
Apr 2, 2026
Property and casualty insurers sit in one of the most unusual positions in cybersecurity. They evaluate risk for a living. They set security requirements as conditions of coverage, and they know better than most what a breach costs.
When it comes to their own cyber defenses, however, critical gaps remain.
That’s the central finding of Cybersecurity for Insurers: Squaring Safety with Service, a new report published by the Insurance Information Institute (Triple-I) in partnership with Fenix24. The study draws on structured conversations with insurance industry executives, measuring their practices against the very practices and security controls they require of their own policyholders.
The takeaway? Insurers have made meaningful cybersecurity investments. But meaningful isn’t the same as sufficient.
Where the Gaps Are
The report identified strengths across several domains, along with areas that could leave insurers exposed.
Recovery testing is too narrow. Most insurers implement immutable backups and report meeting recovery time objectives for their highest-tier systems. But those recovery tests are typically run on a single system under ideal conditions, not across the full network or under the pressure of a live incident. The gap between a controlled restore of one system and a real ransomware event, in which identity systems, hypervisors and the backup infrastructure itself may all need rebuilding at once, is where organizations get buried.
As Fenix24 CEO Mark Grazman put it, “Most organizations have tested their recovery plans for natural disasters or standard IT outages, but not for ransomware attacks. Understanding what actually happens in a ransomware scenario is critical to architecting true resiliency. It’s not just backups at risk. Attackers systematically target and destroy infrastructure including Active Directory, identity systems, virtual machines, hypervisors, and even core communications like email. Resiliency planning requires understanding backup survivability, architecture for rehydration, and integrity, along with comprehensive asset intelligence, prioritization of business-critical applications and their associated dependencies. Resiliency is achievable if you know what to architect and that is the power of Fenix24’s insights.”
Authentication still has weak links. Every participating insurer uses corporate password vaults and enforces strong password complexity. All require multi-factor authentication for administrative accounts, but some still allow SMS and email-based MFA. Both are methods threat actors routinely defeat, whether by SIM swapping, by phishing the one-time code, or by compromising the mailbox that receives it. The tools are in place; the configuration isn’t tight enough.
Patching cadence is too slow. All participants conduct penetration testing, including social engineering scenarios that target help desk personnel. But only about half deploy security patches on at least a monthly cadence, and even a monthly cycle leaves systems exposed for weeks in an environment where adversaries exploit newly disclosed vulnerabilities within hours or days.
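To make the cadence argument concrete, the following is an added example (not code from the report, Fenix24 or Triple-I) that computes how long a host stays exposed when a fix waits for a once-a-month deployment window, and checks a small inventory against per-severity deployment SLAs. The SLA numbers, the patch day, the advisory labels and every inventory record are constructed for illustration.

```python
"""Patch-cadence exposure windows (added example; all records below are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical deployment SLAs, in days from public disclosure, per severity.
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    advisory: str             # hypothetical advisory label, not a real CVE id
    severity: str             # key into SLA_DAYS
    disclosed: date           # date the fix became public
    deployed: Optional[date]  # None means still unpatched


def next_monthly_window(disclosed: date, patch_day: int = 15) -> date:
    """First scheduled deployment on or after `disclosed` for a once-a-month
    cycle that runs on a fixed day of the month (assumes patch_day <= 28)."""
    if disclosed.day <= patch_day:
        return disclosed.replace(day=patch_day)
    if disclosed.month == 12:
        return date(disclosed.year + 1, 1, patch_day)
    return date(disclosed.year, disclosed.month + 1, patch_day)


def monthly_cycle_exposure(disclosed: date, patch_day: int = 15) -> int:
    """Days a host stays exposed when the fix waits for the next monthly window."""
    return (next_monthly_window(disclosed, patch_day) - disclosed).days


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days between disclosure and deployment (or until `today` if still unpatched)."""
    return ((rec.deployed or today) - rec.disclosed).days


def sla_breaches(records, today: date):
    """(host, advisory, days_exposed, sla_days) for every record past its SLA."""
    breaches = []
    for rec in records:
        days = exposure_days(rec, today)
        limit = SLA_DAYS[rec.severity]
        if days > limit:
            breaches.append((rec.host, rec.advisory, days, limit))
    return breaches


# Constructed inventory: two hosts received the same critical fix, one by an
# out-of-band push two days after disclosure, one by waiting for the monthly window.
TODAY = date(2025, 4, 20)
RECORDS = [
    PatchRecord("web-01", "ADV-0001", "critical", date(2025, 3, 16), date(2025, 4, 15)),
    PatchRecord("web-02", "ADV-0001", "critical", date(2025, 3, 16), date(2025, 3, 18)),
    PatchRecord("db-01", "ADV-0002", "high", date(2025, 3, 1), None),
    PatchRecord("file-01", "ADV-0003", "medium", date(2025, 3, 10), date(2025, 3, 30)),
]

if __name__ == "__main__":
    print("wait for a disclosure the day after the monthly window:",
          monthly_cycle_exposure(date(2025, 3, 16)), "days")
    for host, adv, days, limit in sla_breaches(RECORDS, TODAY):
        print(f"{host} {adv}: exposed {days} days, SLA {limit} days")
```

A disclosure that lands the day after the monthly window waits a full cycle, thirty days against a three-day critical SLA in this constructed data, which is the gap the report is pointing at; the host that received an out-of-band push is the only one inside its SLA for the same advisory.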
Browsing controls create trade-offs. Most insurers implement DNS filtering and block peer-to-peer file transfer and web-based email, all effective controls. But some also use split tunneling for VPN, which sends internet-bound traffic directly from the endpoint rather than through the encrypted tunnel, and so outside whatever inspection and filtering is enforced at the corporate egress. It improves user experience while increasing exposure to phishing, malware, and interception attacks.
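What split tunneling does to browsing traffic is easiest to see from the client's own route table. The following is an added example (not from the report or Fenix24) that reads the AllowedIPs lines of a WireGuard-style client config, which is the list of destinations the client routes into the tunnel, and lists which destinations would leave the endpoint directly. Both configs are constructed; the endpoint name, the key placeholders and the destination addresses are illustrative, and the only WireGuard semantics assumed is that AllowedIPs defines the tunnel's routes.

```python
"""Which destinations leave the VPN tunnel under split vs full tunneling
(added example; both configs below are constructed)."""
import ipaddress


def parse_allowed_ips(config_text: str):
    """Collect every network listed on AllowedIPs lines of a WireGuard-style
    client config. AllowedIPs is the client's route table for the tunnel."""
    nets = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip())
    return nets


def tunneled(dest: str, nets) -> bool:
    """True if traffic to `dest` is routed into the tunnel."""
    addr = ipaddress.ip_address(dest)
    return any(addr in n for n in nets if n.version == addr.version)


def off_tunnel(destinations, config_text: str):
    """Destinations that would go out the local interface, unencrypted and
    outside any filtering enforced at the corporate egress."""
    nets = parse_allowed_ips(config_text)
    return [d for d in destinations if not tunneled(d, nets)]


# Constructed split-tunnel client config: only the corporate RFC 1918 ranges go
# through the tunnel; everything else follows the endpoint's local default route.
SPLIT_TUNNEL = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = <gateway-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

# The same config as a full tunnel: the v4 and v6 default routes point into it.
FULL_TUNNEL = SPLIT_TUNNEL.replace(
    "AllowedIPs = 10.0.0.0/8, 172.16.0.0/12",
    "AllowedIPs = 0.0.0.0/0, ::/0",
)

# Constructed destinations: an internal host, a public web server, a public v6 host.
DESTINATIONS = ["10.1.2.3", "203.0.113.25", "2001:db8::1"]

if __name__ == "__main__":
    print("split tunnel, leaves the endpoint directly:", off_tunnel(DESTINATIONS, SPLIT_TUNNEL))
    print("full tunnel, leaves the endpoint directly: ", off_tunnel(DESTINATIONS, FULL_TUNNEL))
```

With the split configuration the lookup to the tunnel resolver at 10.8.0.1 still goes through the tunnel, so DNS filtering sees the name, but the connection that follows to 203.0.113.25 does not, so nothing at the corporate egress sees the session. Switching AllowedIPs to the default routes is the one-line change that closes that path, at the cost of hairpinning all browsing through the gateway.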
Preparation Over Perfection
The report drives home a point we’ve been making for years: there is no “perfect” security solution, and the pursuit of one creates a false sense of safety. What separates resilient organizations from vulnerable ones is systematic preparation, validated recovery capabilities, and the organizational commitment to keep improving.
Insurers, like every other business, have to balance security with usability and operational performance. That’s reality. But the report makes clear that the gap between “we have backups” and “we can recover from a ransomware attack” is still dangerously wide, even among companies that assess this exact risk for their clients.
The Cyber Insurance Market is Growing. Threats are Growing Faster.
The cyber insurance market hit $15.3 billion in net premiums written in 2024, with projections reaching $16.3 billion in 2025. Ransomware remains a major driver of insured losses, and business interruption accounts for roughly half of the average $1 million cost associated with these incidents.
If insurers can’t recover their own systems quickly, they can’t serve the policyholders counting on them.
Recovery is the Differentiator
The findings in this report reinforce what Fenix24 sees every day on the front lines. Organizations invest in resistance. They buy the tools, run the tests, check the boxes. But when an attacker gets through (and they will), the question becomes: can you come back?
Download the full report: Cybersecurity for Insurers: Squaring Safety with Service to see where the industry stands, where the gaps are, and what it takes to close them.