Introduction
Insurance companies hold some of the most sensitive data in any industry: detailed health records, financial histories, claims documentation, and high-value actuarial and underwriting models. This data makes insurers prime targets for both cybercriminals seeking personal information and adversaries interested in proprietary pricing logic.
The regulatory landscape for insurance cybersecurity has evolved rapidly. Many state insurance departments have implemented cybersecurity requirements modeled on the NAIC Insurance Data Security Model Law and related guidance, and regulators increasingly expect evidence of risk-based security testing (which may include penetration testing). Failing to meet applicable requirements can result in regulatory action, fines, and restrictions on writing business in affected states.
This guide covers everything insurance companies need to know about penetration testing: state regulatory requirements, common vulnerabilities in insurance platforms, testing strategies for claims systems and actuarial data, and how to build a security program that protects policyholder trust.
Why Insurance Companies Face Unique Security Challenges
High-Value Data Concentrations
Insurance companies maintain extensive records that are valuable to attackers:
- Personal health information: Medical records, diagnoses, treatment histories
- Financial data: Bank accounts, income verification, credit information
- Identity documents: Driver's licenses, Social Security numbers, employment records
- Claims documentation: Accident reports, legal documents, investigation files
A single breach can expose thousands of policyholders to identity theft, insurance fraud, and personal harm.
State-by-State Regulatory Complexity
Unlike many industries with federal oversight, insurance is regulated primarily at the state level:
- 50+ regulatory bodies: Each state has its own insurance department
- Varying requirements: Cybersecurity rules differ across jurisdictions
- Multi-state compliance: Insurers writing business in multiple states must meet each state's requirements
- Model law adoption: States adopt NAIC model laws with local modifications
This fragmented landscape makes compliance complex and increases the importance of comprehensive security testing.
Legacy System Dependencies
Many insurance carriers operate on legacy policy administration and claims systems:
- Mainframe-based core systems that have been in production for decades
- COBOL applications that are difficult to modernize or secure
- Complex integrations between legacy and modern systems
- Technical debt that creates security gaps
These legacy environments often lack modern security controls and present unique testing challenges.
Third-Party Ecosystem Risks
Insurance operations involve extensive third-party relationships:
- Agents and brokers with access to quoting and binding systems
- Third-party administrators processing claims
- Reinsurers receiving detailed policy and claims data
- Vendors providing everything from document management to analytics
Each relationship expands the attack surface and introduces potential vulnerabilities.
Regulatory Requirements for Insurance Penetration Testing
NAIC Insurance Data Security Model Law
The National Association of Insurance Commissioners developed model cybersecurity requirements that most states have adopted in some form:
- Risk assessment requirements: Regular evaluation of security risks
- Information security program: Written policies addressing security testing
- Third-party oversight: Due diligence on vendor security practices
- Incident response: Plans for detecting and responding to breaches
While the model law doesn't mandate specific testing frequencies, it requires a risk-based security program that includes assessment of controls—which typically includes penetration testing.
New York DFS Cybersecurity Regulation (23 NYCRR 500)
New York's regulation, which applies to insurers licensed in the state, explicitly requires:
- Annual penetration testing of information systems
- Bi-annual vulnerability assessments at minimum
- Risk-based testing program proportionate to organizational risk
- Documentation and reporting to senior leadership
For many insurers, NY DFS requirements effectively set the national standard since most major insurers are licensed in New York.
State-Specific Requirements
Beyond New York, multiple states have adopted cybersecurity requirements:
- California: CCPA and Insurance Data Security Law requirements
- Ohio: Safe harbor provisions for companies with cybersecurity programs
- South Carolina: Insurance Data Security Act based on NAIC model
- Michigan, Connecticut, and others: Similar adoptions with state variations
Insurers must track requirements across all states where they're licensed and ensure testing programs meet the most stringent applicable standards.
SOC 2 and Customer Requirements
Beyond regulatory mandates, insurance companies face pressure from:
- Enterprise customers requiring SOC 2 reports for group coverage
- Reinsurers conducting security due diligence
- Rating agencies incorporating cyber risk into assessments
- Regulators requesting evidence of security practices during examinations
Common Vulnerabilities in Insurance Systems
1. Claims Processing System Weaknesses
Claims systems often have security gaps that enable fraud or data exposure:
- Insufficient authorization checks allowing adjusters to access claims outside their authority
- Claims status manipulation through direct database access or API exploitation
- Document management vulnerabilities exposing sensitive claim files
- Payment redirect attacks targeting ACH and check disbursement processes
Example scenario: A claims portal allows authenticated adjusters to view any claim by modifying a claim identifier in the URL, exposing claims history across lines of business.
2. Agent and Broker Portal Vulnerabilities
Distribution channels create significant security exposure:
- Weak authentication on agent portals (password-only, no MFA)
- Excessive data access allowing agents to view policies they don't service
- Quote manipulation enabling unauthorized rating modifications
- Commission statement exposure revealing sensitive financial data
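The claims-portal scenario above (any adjuster can read any claim by changing the identifier in the URL) and the agent-portal item "excessive data access allowing agents to view policies they don't service" are the same defect: the endpoint checks that the caller is logged in but never checks that the caller is entitled to that particular record. The following is an added example written for this page, not code from the article or from any vendor's product; the roles, the authorization rules and the sample records are constructed to show the pattern, and the `reachable()` helper is the check a tester runs to compare what a role can actually fetch against what it should.

```python
"""Object-level authorization for claim and policy lookups.

Added example, not code from the original article. The roles, the
authorization rules and the sample records are constructed to illustrate
the pattern; a real carrier's rules live in its policy and claims systems.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                             # "adjuster" or "agent" (constructed roles)
    agency: Optional[str] = None          # servicing agency, for agents
    lines: FrozenSet[str] = frozenset()   # lines of business an adjuster may work


@dataclass(frozen=True)
class Claim:
    claim_id: str
    line: str                             # line of business, e.g. "auto"
    assigned_adjuster: str


@dataclass(frozen=True)
class Policy:
    policy_id: str
    servicing_agency: str


# Constructed sample data standing in for the claims and policy databases.
CLAIMS: Dict[str, Claim] = {
    "C-1001": Claim("C-1001", "auto", "adj-a"),
    "C-1002": Claim("C-1002", "health", "adj-b"),
    "C-1003": Claim("C-1003", "auto", "adj-c"),
}
POLICIES: Dict[str, Policy] = {
    "P-5001": Policy("P-5001", "agency-east"),
    "P-5002": Policy("P-5002", "agency-west"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_claim_insecure(user: User, claim_id: str) -> Claim:
    """The weakness from the article: authentication is checked, entitlement is not.
    Any logged-in adjuster can read any claim by changing the identifier."""
    if user is None:
        raise Forbidden("login required")
    return CLAIMS[claim_id]


def can_view_claim(user: User, claim: Claim) -> bool:
    """Constructed rule: an adjuster sees claims assigned to them, or any claim
    in a line of business they are authorized to work."""
    return user.role == "adjuster" and (
        claim.assigned_adjuster == user.user_id or claim.line in user.lines
    )


def get_claim(user: User, claim_id: str) -> Claim:
    """Hardened lookup: load the record, then check it against the caller.
    Missing and unauthorized records get the same response so the endpoint
    does not confirm which identifiers exist."""
    claim = CLAIMS.get(claim_id)
    if claim is None or not can_view_claim(user, claim):
        raise Forbidden("claim not found")
    return claim


def get_policy(user: User, policy_id: str) -> Policy:
    """Same pattern for the agent portal: an agent only sees policies
    serviced by their own agency."""
    policy = POLICIES.get(policy_id)
    if policy is None or user.role != "agent" or policy.servicing_agency != user.agency:
        raise Forbidden("policy not found")
    return policy


def reachable(user: User, lookup: Callable, ids: List[str]) -> List[str]:
    """Tester's view of the endpoint: which identifiers does this user actually
    get data for? Compare the result against what the role is supposed to reach."""
    found = []
    for record_id in ids:
        try:
            lookup(user, record_id)
            found.append(record_id)
        except (Forbidden, KeyError):
            pass
    return found


if __name__ == "__main__":
    adj = User("adj-a", "adjuster", lines=frozenset({"auto"}))
    print("insecure:", reachable(adj, get_claim_insecure, sorted(CLAIMS)))
    print("hardened:", reachable(adj, get_claim, sorted(CLAIMS)))
```

Running the script shows the insecure lookup handing the adjuster every claim in the table, while the hardened one returns only the auto-line claims. The same `reachable()` sweep, driven with a few accounts of each role, is a compact way to produce the "what policyholder data can be accessed improperly?" evidence the methodology section calls for.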
3. Actuarial Data Protection Gaps
Pricing models and actuarial data represent critical intellectual property:
- Inadequate access controls on actuarial databases and models
- Unencrypted data exports to third-party analysts
- Version control weaknesses in rate filing documentation
- Analytics platform vulnerabilities exposing predictive models
4. Policy Administration System Flaws
Core policy systems often contain legacy vulnerabilities:
- Session management weaknesses in web interfaces to legacy systems
- SQL injection in older database interfaces
- Inadequate logging of policy modifications
- Privilege escalation through legacy administrative functions
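Two of the items above, SQL injection in older database interfaces and inadequate logging of policy modifications, are worth seeing side by side, because the fix for the first (bound parameters) is also the building block for the second (an audit row written in the same transaction as the change). The following is an added example for this page, not code from the article; the schema, the sample rows, the actor names and the use of sqlite3 are all constructed stand-ins for whatever database sits behind a policy administration interface.

```python
"""Parameterized queries and an audit trail for policy modifications.

Added example, not code from the original article. The schema, the
sample rows and the actor names are constructed; sqlite3 stands in for
whatever database sits behind the policy administration interface.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed policies and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE policies (
            policy_id TEXT PRIMARY KEY,
            holder    TEXT NOT NULL,
            premium   REAL NOT NULL
        );
        CREATE TABLE policy_audit (
            id         INTEGER PRIMARY KEY AUTOINCREMENT,
            policy_id  TEXT NOT NULL,
            actor      TEXT NOT NULL,
            field      TEXT NOT NULL,
            old_value  TEXT,
            new_value  TEXT,
            changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
        );
        INSERT INTO policies VALUES ('P-5001', 'A. Holder', 1200.0);
        INSERT INTO policies VALUES ('P-5002', 'B. Holder', 980.0);
        """
    )
    return conn


def find_policy_insecure(conn, policy_id: str) -> List[Tuple]:
    """The legacy pattern: the identifier is pasted into the SQL text, so a
    crafted identifier changes the query instead of just the value."""
    sql = "SELECT policy_id, holder, premium FROM policies WHERE policy_id = '" + policy_id + "'"
    return conn.execute(sql).fetchall()


def find_policy(conn, policy_id: str) -> List[Tuple]:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT policy_id, holder, premium FROM policies WHERE policy_id = ?",
        (policy_id,),
    ).fetchall()


def update_premium(conn, actor: str, policy_id: str, new_premium: float) -> float:
    """Change a premium and record who changed it, from what, to what.
    The update and its audit row commit together or not at all."""
    with conn:  # sqlite3: commit on success, roll back on exception
        row = conn.execute(
            "SELECT premium FROM policies WHERE policy_id = ?", (policy_id,)
        ).fetchone()
        if row is None:
            raise KeyError(policy_id)
        conn.execute(
            "UPDATE policies SET premium = ? WHERE policy_id = ?",
            (new_premium, policy_id),
        )
        conn.execute(
            "INSERT INTO policy_audit (policy_id, actor, field, old_value, new_value) "
            "VALUES (?, ?, ?, ?, ?)",
            (policy_id, actor, "premium", str(row[0]), str(new_premium)),
        )
    return row[0]


def audit_trail(conn, policy_id: str) -> List[Tuple]:
    """Every recorded change to one policy, oldest first."""
    return conn.execute(
        "SELECT actor, field, old_value, new_value FROM policy_audit "
        "WHERE policy_id = ? ORDER BY id",
        (policy_id,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "P-5001' OR '1'='1"   # the textbook probe string a tester sends first
    print("insecure rows:", len(find_policy_insecure(db, probe)))
    print("hardened rows:", len(find_policy(db, probe)))
    update_premium(db, "uw-7", "P-5001", 1300.0)
    print(audit_trail(db, "P-5001"))
```

The probe returns every policy through the concatenated query and nothing through the parameterized one, which is the before/after evidence a finding and its retest should contain. Writing the audit row inside the same transaction as the update is what makes the trail trustworthy during an examination: a change cannot land without its record, and a failed audit insert rolls the change back.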
5. Third-Party Integration Risks
Vendor connections introduce external attack vectors:
- Overprivileged API access for data vendors
- Unvalidated webhook callbacks from InsurTech partners
- Shared credential usage across vendor integrations
- Insufficient monitoring of third-party data access
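"Unvalidated webhook callbacks" and "shared credential usage across vendor integrations" are usually fixed together: each partner gets its own signing secret, and the receiving endpoint authenticates every callback before it parses or acts on the body. The following is an added example written for this page, not code from the article or from any InsurTech partner; the header names, the signing scheme (HMAC-SHA256 over the timestamp and the raw body) and the per-partner secrets are constructed. A real integration uses whatever scheme the partner documents, but the order of checks shown here (signature, freshness, replay, then parse) applies to any of them.

```python
"""Verifying webhook callbacks from integration partners.

Added example, not code from the original article. The header names,
the signing scheme (HMAC-SHA256 over "timestamp.body") and the partner
secrets are constructed; a real integration follows the partner's
documented scheme, but the same checks apply.
"""
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Tuple

# One secret per partner, so a leaked credential affects one integration only.
# Constructed values; in practice these come from a secrets manager.
PARTNER_SECRETS: Dict[str, bytes] = {
    "insurtech-a": b"constructed-secret-for-partner-a",
    "insurtech-b": b"constructed-secret-for-partner-b",
}
MAX_SKEW_SECONDS = 300  # how old a delivery may be before it is refused


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature over the timestamp and the raw body bytes (used by both sides)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_delivery(partner: str, delivery_id: str, timestamp: int,
                   payload: dict) -> Tuple[Dict[str, str], bytes]:
    """What the partner sends: a raw JSON body plus the identifying headers."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    headers = {
        "X-Partner-Id": partner,
        "X-Delivery-Id": delivery_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sign(PARTNER_SECRETS[partner], timestamp, body),
    }
    return headers, body


class WebhookVerifier:
    """Receiving side: authenticate the caller, check freshness and replay,
    and only then parse the body."""

    def __init__(self, secrets: Dict[str, bytes],
                 now: Callable[[], float] = time.time):
        self.secrets = secrets
        self.now = now            # injectable clock, so tests can pin the time
        self.seen: set = set()    # (partner, delivery_id) already accepted

    def verify(self, headers: Dict[str, str], body: bytes) -> dict:
        try:
            partner = headers["X-Partner-Id"]
            delivery_id = headers["X-Delivery-Id"]
            timestamp = int(headers["X-Timestamp"])
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            raise ValueError("missing or malformed webhook headers") from None
        secret = self.secrets.get(partner)
        if secret is None:
            raise ValueError("unknown partner")
        # Signature first, compared in constant time, over the exact bytes received.
        expected = sign(secret, timestamp, body)
        if not hmac.compare_digest(expected, presented):
            raise ValueError("signature mismatch")
        if abs(self.now() - timestamp) > MAX_SKEW_SECONDS:
            raise ValueError("stale delivery")
        key = (partner, delivery_id)
        if key in self.seen:
            raise ValueError("replayed delivery")
        self.seen.add(key)
        return json.loads(body)


if __name__ == "__main__":
    verifier = WebhookVerifier(PARTNER_SECRETS)
    now = int(time.time())
    hdrs, raw = build_delivery("insurtech-a", "d-1", now,
                               {"claim_id": "C-1001", "status": "paid"})
    print("accepted:", verifier.verify(hdrs, raw))
    try:
        verifier.verify(hdrs, raw)
    except ValueError as err:
        print("second delivery refused:", err)
```

Signing the raw bytes rather than a parsed object matters: the signature is checked over exactly what arrived, before any JSON parsing, so a malformed or oversized body is rejected without ever reaching the parser. The `(partner, delivery_id)` set is the minimum replay guard; a production service keeps it in shared storage with an expiry at least as long as `MAX_SKEW_SECONDS`, and logs every refusal, which is the "monitoring of third-party data access" the last bullet asks for.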
Building an Insurance Penetration Testing Program
Testing Scope by System Type
Insurance companies should prioritize testing based on data sensitivity and regulatory exposure:
| System Type | Testing Focus | Recommended Frequency |
|---|---|---|
| Claims processing | Authorization, payment flows, fraud vectors | Quarterly |
| Policy administration | Access controls, data modification, audit trails | Semi-annually |
| Agent/broker portals | Authentication, data exposure, privilege escalation | Quarterly |
| Actuarial systems | Access controls, data export security | Annually |
| Customer self-service | Authentication, account takeover, data exposure | Quarterly |
| Third-party integrations | API security, data validation, access scope | After changes |
Testing Methodology for Insurance Applications
Effective insurance penetration testing addresses industry-specific concerns:
- Business logic testing: Payment manipulation, claims fraud scenarios, rating exploitation
- Authorization testing: Role-based access across policy, claims, and billing functions
- Data exposure assessment: What policyholder data can be accessed improperly?
- Integration security: Third-party connections, data feeds, and API security
- Legacy system assessment: Security controls on mainframe and legacy interfaces
- Fraud scenario testing: Can attackers manipulate claims, payments, or policy data?
Regulatory Evidence Requirements
For state regulatory compliance, ensure your penetration testing produces:
NY DFS and similar state requirements:
- Annual testing documentation with scope and methodology
- Findings mapped to regulatory requirements
- Remediation evidence with verification testing
- Board-level reporting on security posture
Market conduct examinations:
- Evidence of regular security assessments
- Incident response testing documentation
- Third-party security oversight records
- Security awareness training verification
Protecting Actuarial Data and Pricing Models
Why Actuarial Data Requires Special Protection
Actuarial models represent years of development and millions in investment:
- Competitive advantage: Pricing models differentiate carriers
- Rate filing sensitivity: Filed rates have regulatory implications
- M&A considerations: Actuarial data is valued in acquisitions
- Reinsurance negotiations: Loss models affect treaty terms
Security Testing for Actuarial Systems
When testing actuarial environments, focus on:
- Access control validation: Who can access rate tables, models, and loss data?
- Data export controls: Can users extract bulk data to external systems?
- Model integrity: Can unauthorized users modify pricing algorithms?
- Audit trail verification: Are changes to models logged and monitored?
- Backup and recovery: Is actuarial data protected against ransomware?
Insurance Penetration Testing Checklist
Before your next security assessment, verify:
- Claims processing systems tested for authorization bypass
- Payment disbursement flows validated against fraud scenarios
- Agent/broker portal authentication and access controls assessed
- Policyholder data exposure tested across all customer-facing systems
- Actuarial system access controls validated
- Third-party integrations tested for security weaknesses
- Legacy system interfaces assessed for vulnerabilities
- Incident detection capabilities validated
- Findings mapped to NY DFS and applicable state requirements
- Remediation tracked with evidence of retesting
- Board reporting prepared from assessment results
- Testing frequency meets all state regulatory requirements
The Cost of Inadequate Testing
Insurance security failures carry industry-specific consequences:
- Regulatory penalties: State insurance departments can impose fines and corrective actions
- Market conduct findings: Security failures may appear in examination reports
- Reputational damage: Policyholders losing trust affects retention and acquisition
- Claims fraud exposure: Weak security enables internal and external fraud
- Competitive harm: Actuarial data theft can undermine market position
The Anthem breach demonstrated how insurance data breaches can expose millions of records and result in hundreds of millions in costs. Smaller insurers face proportionally severe consequences from security incidents.
Conclusion
Insurance companies can't treat penetration testing as an annual regulatory checkbox. The combination of sensitive data, state-by-state compliance requirements, and sophisticated threat actors demands ongoing security validation that addresses both regulatory requirements and real-world attack scenarios.
Effective security testing for insurers requires understanding the specific vulnerabilities in claims systems, policy administration, and actuarial platforms, while producing documentation that satisfies state regulators. Testing programs should validate that controls protecting policyholder data are actually working—not just that policies exist on paper.
RedVeil's AI-powered penetration testing helps insurance companies meet state regulatory requirements and protect policyholder data with on-demand testing for policy systems, claims platforms, and distribution channels.