Assessing Human Cyber Risk in Insurance's Digital Transformation

October 28, 2025

Key Takeaways

  • Digital transformation creates competing priorities: Insurance companies need new digital services to stay competitive, but each new system expands the attack surface.
  • Behavioral risk varies dramatically by role: Insurance companies can’t treat every employee the same. A claims adjuster and CEO face different attack vectors and emotional triggers.
  • Human risk management delivers measurable ROI: Organizations leveraging an effective human risk management and cybersecurity awareness training program report 91% stronger security posture within 8 months.

According to Allianz’s Risk Barometer report, executives view cyberattacks as the top global business risk. As an industry dealing with high-value data, insurers have more to lose with these attacks – their customers’ health records, financial information, policy details, and personal identifiers make them attractive targets for cybercriminals who know exactly what they’re looking for.
The attack on Change Healthcare in February 2024 illustrates the scale of exposure. Cybercriminals stole credentials from a junior customer support employee and ultimately compromised roughly 100 million Americans’ information. All it took was one successful social engineering attack on one employee to cause massive disruption.

91% of NINJIO’s clients report a stronger security posture after just eight months of using our human risk management solution.

The Human Element Behind Insurance Breaches

Most successful data breaches have a human factor in common. Maybe an individual clicked on something they shouldn’t have, shared credentials they shouldn’t have, or responded to social engineering they didn’t recognize as an attack.
IBM’s data shows that social engineering schemes like phishing and credential theft are the most common initial attack vectors. These attacks work because they exploit legitimate access channels. Technical defenses put in place by cybersecurity teams such as firewalls, multi-factor authentication, and encryption can’t stop someone who has valid credentials and appears to be a legitimate user.
The Change Healthcare case proves this. The attacker didn’t break through sophisticated security architecture. Instead, they phished an employee who didn’t have multi-factor authentication enabled.
One point everyone should keep in mind: not all employees are equally vulnerable to the same attacks. A claims adjuster faces different social engineering tactics than a network administrator. Someone susceptible to urgency-based threats might easily resist authority-based manipulation. Generic cybersecurity awareness training treats everyone as having identical risk profiles, which is why it has lower efficacy than human risk management programs.
Our latest research reveals the specific human risk factors driving breaches in the insurance sector and how companies are addressing them.
Download the Report: Human Cybersecurity and the Insurance Industry

Digital Transformation Creates Expanded Risk for Insurers

Insurance companies must digitize to compete. Customers expect online policy applications, digital claims filing, and personalized services. Internally, companies are automating underwriting, claims processing, and data analysis with AI and machine learning.
Each of these initiatives creates new entry points for attackers. Compare the attack surfaces of two insurers at different phases of digital transformation:

Traditional Insurance Operation

  • Centralized data access
  • Limited customer interfaces
  • Manual processes
  • Fewer entry points for attackers to exploit

Digitally Transformed Operation

  • Multiple customer-facing portals
  • API integrations
  • Cloud services
  • Automated workflows
  • Expanded employee access from anywhere
  • Every new service is a potential vulnerability; cybercriminals actively target expanding digital infrastructure

These expanded attack surfaces demand more proactive defenses. While insurance companies need to digitize rapidly to meet customer expectations, rapid change often outpaces security architecture. This creates a window of vulnerability that attackers are actively exploiting.
Technology can reduce some of this risk. But technology alone can’t address what happens when a customer support employee falls for a phishing email, or when a claims processor gets tricked into transferring money to a spoofed account.
Explore insurance-specific strategies for managing human cyber risk.

The Human Risk Management Approach for Insurers

Insurance companies need a different strategy than traditional awareness training: they need to identify which individuals are most vulnerable to which types of attack, and then provide targeted coaching rather than a one-size-fits-all awareness program.

How traditional cybersecurity awareness training works:

  • Delivers the same content to all employees regardless of role, experience, or vulnerability
  • Focuses on attack types and general best practices
  • Measures success through completion rates rather than behavioral change
  • Doesn’t adapt based on individual performance or need

How human risk management works:

  • Uses behavioral science to identify the specific emotional triggers and social engineering tactics most likely to fool each person
  • Delivers personalized security coaching that targets individual vulnerabilities, not generic threats
  • Continuously assesses and adapts training based on performance, creating an Emotional Susceptibility Profile for each employee
  • Focuses on reducing behavioral risk, not just training completion

As a result, insurance companies implementing human risk management see employees become significantly better at recognizing and avoiding social engineering attacks. More importantly, they see a dramatic reduction in successful phishing attempts and credential compromises.

Getting Started with Human Risk Management: What Insurance Companies Should Do Now

You don’t need to overhaul your entire security program overnight. Start here:

  • Assess your baseline. Run simulated phishing campaigns to identify which employees are most susceptible to social engineering and which attack vectors work best on your organization.
  • Identify high-risk roles. Not all employees face equal risk. Customer support, finance, executives, and employees with access to sensitive data deserve targeted attention.
  • Build Emotional Susceptibility Profiles. Determine whether your employees are more vulnerable to urgency-based attacks, authority-based manipulation, curiosity-driven threats, or other emotional triggers.
  • Implement personalized coaching. Provide targeted training that addresses the specific vulnerabilities you’ve identified, not just generic awareness content.
  • Measure behavioral change. Track whether employees actually improve at recognizing and resisting social engineering, and not just whether they watched a training video.
  • Adapt and iterate. Use ongoing simulated phishing and performance data to continuously refine your approach and coaching.
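The steps above amount to a small data pipeline: collect simulated-phishing outcomes, group them by emotional trigger per employee, aggregate by role, and compare rounds to measure behavioral change. The script below is an added illustration of that pipeline and is not NINJIO’s code or its proprietary Risk Algorithm. The employee ids, roles, trigger categories, outcome weights and the result rows are all constructed for the example; a real program would feed in its own simulation exports and choose its own weights.

```python
"""Build Emotional Susceptibility Profiles from simulated-phishing results.

Added example, not NINJIO's code. Employees, roles, weights and results are constructed.
"""
from collections import defaultdict
from statistics import mean

# Weight of each possible outcome. Reporting a lure earns a negative weight so that
# the desired behaviour lowers the score; entering credentials is worst.
OUTCOME_WEIGHT = {
    "reported": -1.0,              # forwarded the lure to the security team
    "ignored": 0.0,                # took no action either way
    "clicked": 1.0,                # followed the link or opened the attachment
    "submitted_credentials": 2.0,  # typed a password into the landing page
}

# Outcomes that count as a failure when computing rates.
FAILURES = {"clicked", "submitted_credentials"}

# Constructed data: (campaign round, employee id, role, emotional trigger, outcome).
SIMULATION_RESULTS = [
    (1, "e101", "claims_adjuster",  "urgency",   "clicked"),
    (1, "e101", "claims_adjuster",  "authority", "reported"),
    (1, "e101", "claims_adjuster",  "curiosity", "ignored"),
    (1, "e102", "customer_support", "urgency",   "submitted_credentials"),
    (1, "e102", "customer_support", "authority", "clicked"),
    (1, "e102", "customer_support", "curiosity", "ignored"),
    (1, "e103", "network_admin",    "urgency",   "reported"),
    (1, "e103", "network_admin",    "authority", "clicked"),
    (1, "e103", "network_admin",    "curiosity", "reported"),
    (2, "e101", "claims_adjuster",  "urgency",   "reported"),
    (2, "e101", "claims_adjuster",  "authority", "reported"),
    (2, "e101", "claims_adjuster",  "curiosity", "ignored"),
    (2, "e102", "customer_support", "urgency",   "clicked"),
    (2, "e102", "customer_support", "authority", "ignored"),
    (2, "e102", "customer_support", "curiosity", "reported"),
    (2, "e103", "network_admin",    "urgency",   "reported"),
    (2, "e103", "network_admin",    "authority", "ignored"),
    (2, "e103", "network_admin",    "curiosity", "reported"),
]


def susceptibility_profile(results, employee, campaign_round=None):
    """Mean outcome weight per emotional trigger for one employee.

    A higher value means lures built on that trigger tend to work on this
    person; a negative value means they tend to report them. Restrict to one
    round with campaign_round, or pass None to use every round.
    """
    by_trigger = defaultdict(list)
    for rnd, emp, _role, trigger, outcome in results:
        if emp != employee or (campaign_round is not None and rnd != campaign_round):
            continue
        by_trigger[trigger].append(OUTCOME_WEIGHT[outcome])
    return {trigger: mean(w) for trigger, w in sorted(by_trigger.items())}


def dominant_trigger(profile):
    """Trigger the employee is most susceptible to; None if nothing scored above zero."""
    trigger, score = max(profile.items(), key=lambda kv: kv[1])
    return trigger if score > 0 else None


def failure_rate(results, campaign_round, *, employee=None, role=None):
    """Fraction of lures in a round that ended in a click or credential entry.

    Optionally restricted to one employee or one role. Returns None when the
    filter matches no lures, so callers cannot mistake 'no data' for 'no failures'.
    """
    lures = [r for r in results
             if r[0] == campaign_round
             and (employee is None or r[1] == employee)
             and (role is None or r[2] == role)]
    if not lures:
        return None
    return sum(1 for r in lures if r[4] in FAILURES) / len(lures)


def role_failure_rates(results, campaign_round):
    """Failure rate per role for one round, to surface high-risk roles."""
    roles = {r[2] for r in results if r[0] == campaign_round}
    return {role: failure_rate(results, campaign_round, role=role) for role in sorted(roles)}


def behavior_change(results, employee, before, after):
    """Change in an employee's failure rate between two rounds (negative = improved)."""
    return (failure_rate(results, after, employee=employee)
            - failure_rate(results, before, employee=employee))


if __name__ == "__main__":
    for emp in ("e101", "e102", "e103"):
        prof = susceptibility_profile(SIMULATION_RESULTS, emp, campaign_round=1)
        print(emp, prof, "dominant:", dominant_trigger(prof),
              "change r1->r2:", round(behavior_change(SIMULATION_RESULTS, emp, 1, 2), 2))
    print("role failure rates, round 1:", role_failure_rates(SIMULATION_RESULTS, 1))
```

With the constructed data, round 1 flags urgency as the dominant trigger for both the claims adjuster and the customer support employee and authority for the network administrator, customer support shows the highest role failure rate, and every employee’s failure rate drops by one third in round 2. Profiling across both rounds returns no dominant trigger for e101, which is the signal that coaching for that person can move on.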

Many insurance companies choose to partner with managed cybersecurity awareness program providers rather than build this capability in-house. These providers handle campaign design, phishing simulations, data analysis, and program optimization, thus allowing your internal security team to focus on response and policy rather than program administration.
Ready to assess your organization’s human risk? See how NINJIO’s platform works in a personalized demo.

Frequently Asked Questions

Q: What is human risk management?

A: Human risk management is a data-driven approach to identifying which employees are most vulnerable to specific social engineering tactics, then providing personalized security coaching to change behavior. Unlike traditional cybersecurity awareness training that treats all employees the same, human risk management uses behavioral science to target individual vulnerabilities.

Q: Do insurance companies need human risk management in cybersecurity?

A: Insurance companies handle high-value data across multiple categories while simultaneously digitizing faster than ever. That combination of attractive targets and expanding attack surface means the human layer of security is now your biggest vulnerability.

Q: How is behavioral risk scoring different from traditional security awareness training?

A: Traditional cybersecurity awareness training delivers identical content to everyone. Behavioral risk scoring assesses each employee’s likelihood of falling for specific attacks, allowing you to focus resources on the employees and threat vectors that pose the greatest risk to your organization.

Q: Can personalized security coaching prevent breaches like the Change Healthcare attack?

A: No solution prevents 100% of breaches, but targeted coaching dramatically reduces the likelihood of successful initial compromise. The Change Healthcare attack started with phishing a low-level employee, exactly the kind of threat that personalized coaching is designed to prevent.

Q: How long does it take to see results from human risk management?

A: Most organizations see measurable improvements in their cybersecurity posture within 8 months. The real value compounds over time as the system continuously learns from each employee’s performance and adapts coaching accordingly.

Q: Is this kind of personalized training resource-intensive to manage internally?

A: Yes! This is why many insurance companies use managed services where a provider handles campaign design, phishing simulations, data analysis, and optimization. Your team focuses on response; they handle delivery and continuous improvement.

About NINJIO

NINJIO reduces human-based cybersecurity risk through engaging training, personalized testing, and insightful reporting. Our multi-pronged approach to training focuses on the latest attack vectors to build employee knowledge and the behavioral science behind human engineering to sharpen users’ intuition. The proprietary NINJIO Risk Algorithm™ identifies users’ social engineering vulnerabilities based on NINJIO Phish3D phishing simulation data and informs content delivery to provide a personalized experience that changes individual behavior.

Ready to reduce your organization’s human risk?