Triple-I/Fenix24 Report Identifies Emerging Cybersecurity Priorities for Insurers

MALVERN, Pa., April 2, 2026 — The Insurance Information Institute (Triple-I), in partnership with Fenix24, today published Cybersecurity for Insurers: Squaring Safety with Service, a report examining how insurance companies are managing their own cybersecurity risks and where critical vulnerabilities remain.

The report found that while property/casualty insurers have made impactful cybersecurity investments, gaps remain in areas including patching cadence, authentication practices, and recovery testing, which are all weaknesses that could complicate responses to today’s threat environment. The report draws on a series of conversations with insurance industry executives, with questions aligned to best practices, regulatory requirements and security controls commonly required in cyber insurance underwriting.

“Insurers occupy a paradoxical position in the cybersecurity landscape,” said Sean Kevelighan, CEO, Triple-I. “They assess cyber risk for policyholders and establish security requirements as conditions of coverage, yet they also need to demonstrate their own cybersecurity practices meet or exceed evolving standards.”

“Most organizations have tested their recovery plans for natural disasters or standard IT outages, but not for ransomware attacks,” said Mark Grazman, CEO of Fenix24. “Understanding what actually happens in a ransomware scenario is critical to architecting true resiliency. It’s not just backups at risk, attackers systematically target and destroy infrastructure including Active Directory, identity systems, virtual machines, hypervisors, and even core communications like email. Resiliency planning requires understanding backup survivability, architecture for rehydration, and integrity, along with comprehensive asset intelligence, prioritization of business-critical applications and their associated dependencies.  Resiliency is achievable if you know what to architect and that is the power of Fenix24's insights."

A Growing Market Facing Evolving Threats

The cyber insurance market reached $15.3 billion in net premiums written in 2024 and is projected to grow to $16.3 billion in 2025, according to Munich Re. While ransomware remains a major driver of insured cyber losses, it accounted for only 19% of cyber claims in 2023. Business email compromise and funds transfer fraud represented a far larger share, generating 56% of reported claims. Business interruption accounts for roughly half of the $1 million average cost associated with ransomware incidents, according to NetDiligence.

Key Findings

The report identified strengths and areas for improvement across several critical cybersecurity domains:

• Immutable Backups and Recovery: Most insurers implement immutable backups across critical system categories, and most report meeting recovery time objectives for their highest-tier systems. However, recovery tests are often conducted under ideal conditions on a single system rather than across full network recovery, creating a potential gap when a real incident strikes.
• Credentials and Access Management: All participating insurers use corporate password vaults and enforce strong password complexity, with user passwords averaging more than 13 characters. All require multi-factor authentication (MFA) for administrative accounts. However, some organizations still permit less secure MFA methods such as SMS messages and email confirmation, which are approaches with known limitations that threat actors frequently exploit.
• Browsing Controls and Attack Surface Management: Most insurers implement DNS filtering and block peer-to-peer file transfer and web-based email sites, which are effective measures for limiting threat actor access. Some organizations use “split tunneling,” which allows employee internet browsing outside of VPN encryption, improving user experience but increasing exposure to phishing, malware and “man-in-the-middle” attacks.
• Patching and Risk Management: All participants conduct penetration testing, including social engineering scenarios targeting help desk personnel, which recognizes human defenses are as critical as technical ones. However, only about half deploy security patches monthly. In today's threat environment, adversaries often exploit newly disclosed vulnerabilities within hours or days of public disclosure, making accelerated patch cycles an emerging best practice.

Preparation Over Perfection

The study emphasizes systematic preparation, such as tested recovery capabilities and faster patch cycles, over the pursuit of any single “perfect” security solution. Insurers, like all businesses, must balance cybersecurity with user experience and operational performance, making thoughtful risk management essential.

“The difference between resilience and disaster lies not in perfect prevention but in systematic preparation, validated recovery capabilities and organizational commitment to continuous security improvement,” the report concluded.

About the Insurance Information Institute (Triple-I)
Since 1960, the Insurance Information Institute (Triple-I) has been the trusted voice of risk and insurance, delivering unique, data-driven insights to educate, elevate, and connect consumers, industry professionals, policymakers, and the media. An affiliate of The Institutes, Triple-I represents a diverse membership accounting for nearly 50% of all U.S. property/casualty premiums written. Our members include mutual and stock companies, personal and commercial lines, primary insurers, and reinsurers – serving regional, national, and global markets.

About Fenix24
Fenix24™ is the global leader in breach recovery, providing assured and battle-tested cyber resilience solutions. With a mission to redefine how organizations recover from cyber incidents, Fenix24 combines expert-driven response, cutting-edge technology, and a proven track record of restoring businesses faster and more securely than ever before.
For more information, visit www.Fenix24.com

Fenix24 is the "world's first civilian cybersecurity force," with four time-tested battalions:
Fenix24™ / Ransomware rapid response, remediation and recovery
Athena7™ / IT security assessments, strategy and planning
Grypho5™ / Ongoing, security-based management
Argos99™ / Expert insights into data, assets and infrastructure

About The Institutes
The Institutes® are a not-for-profit comprised of diverse affiliates that educate, elevate, and connect people in the essential disciplines of risk management and insurance. Through products and services offered by The Institutes 20 affiliated business units and backed by more than 115 years of experience as a trusted knowledge partner, we empower people and organizations to help those in need with a focus on understanding, predicting, and preventing losses to create a more resilient world.

The Institutes is a registered trademark of The Institutes. All rights reserved.