The insurance industry is facing a mounting cyber threat as a sophisticated hacker collective has reportedly taken aim at financial and underwriting firms.
Scattered Spider is believed to be behind a spate of costly breaches in the UK retail sector, where the group exploited supply chain vulnerabilities and internal support channels to infiltrate corporate networks.
Industry leaders and cyber experts warn that insurance companies, rich in sensitive data and reliant on complex workflows, are now ripe targets for the group’s next wave of cybercrime.
In recent weeks, major insurance companies including Philadelphia Insurance Companies (PHLY), Erie Insurance, and Aflac have reported significant network outages.
On Wednesday, First Insurance Company of Hawaii (FICOH), a sister company of Philadelphia Insurance Companies and part of the Tokio Marine Group, revealed it was working to contain a network outage linked to unauthorized access of its systems. The firm said the incident also affected other Tokio Marine units, including Tokio Marine America.
PHLY reported a disruption in its internal systems and customer-facing services starting June 9. The company severed access to compromised infrastructure and said it would rebuild its systems with enhanced identity verification procedures. In an update, the company confirmed that the incident was not a ransomware attack and that no systems were encrypted.
Around the same time, Erie Insurance disclosed suspicious activity in a regulatory filing, indicating that it had activated its cyber incident response plan and was working with law enforcement to investigate. While attribution remains unofficial, the incident bears striking similarities to known Scattered Spider operations.
Aflac, meanwhile, confirmed a breach of its US network on June 12, which it also attributed to a sophisticated threat actor.
Cybersecurity analysts have warned that Scattered Spider may be mounting a coordinated effort to breach insurance networks using tailored and persistent attack strategies.
“Scattered Spider and its affiliated groups are incredibly proficient at social engineering,” said Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf. “They often impersonate employees seeking IT support, manipulating helpdesk staff into granting them elevated access. Even well-trained IT professionals, driven by a natural instinct to help, can be vulnerable in the right scenario.”
Hostetler emphasized that Scattered Spider’s techniques are not unique to a single industry but are adapted and refined for each target sector.
In the case of insurance, attackers are able to leverage the industry’s reliance on human-operated processes, expansive digital services, and intricate vendor networks to identify and exploit soft spots in cybersecurity systems.
Hostetler outlined several structural challenges that make the insurance industry especially susceptible to attacks like those orchestrated by Scattered Spider:
“These attacks are not just breaches, they’re entry points into entire ecosystems,” Hostetler said. “Once threat actors gain access to insurer systems, they can potentially stage broader campaigns, including ransomware, data theft, and fraud targeting policyholders.”
Serene Davis, global head of cyber at QBE, likened the recent trend of disruptions to what happened in retail, where a slow drip of early intrusions evolved into a wider crisis.
“It became clear that retailers were being systematically targeted. Now, we’re starting to see the same pattern emerge in insurance,” Davis told Insurance Business. “Threat actors are developing models of more targeted attacks, identifying vulnerabilities specific to suppliers or industry workflows and weaponizing them.”
Davis emphasized the importance of early detection and strategic monitoring to prevent a similar escalation.
“There are only a few confirmed incidents in the insurance space right now, but they point to a broader trend of supply chain exploitation and industry-specific attack frameworks,” she said.
As Scattered Spider continues to evolve, so too must the industry’s approach to cyber resilience. Experts agreed that insurance firms should expect more sophisticated intrusions as attackers exploit new technologies and psychological tactics.
“This isn’t just a security problem, it’s a business continuity issue,” Davis said. “We need to think in terms of long-term resilience, industry collaboration, and building systems that can withstand attacks we haven’t even seen yet.”