Insurance brokers are now showing up on ransomware leak sitesIn mid-May, the insurance brokerage Ross & Yerger was listed on a ransomware leak site by an affiliate operating under the DragonForce cartel model, with an attack date of May 15th. Days later, on May 25th, the insurance adjusting firm Alliance Adjustment Group was added to a DragonForce victim list. These follow the Everest group’s listing of Liberty Mutual in early May. The pattern is no longer limited to large carriers — brokers, adjusters, and agencies are being named directly. What insurance leaders should care about: DragonForce runs an affiliate model: it supplies the ransomware and the leak site, affiliates do the intrusion and take the larger cut. That structure lowers the barrier to entry and widens the target pool, which is why mid-sized brokerages and adjusters are now appearing alongside national carriers. If your organization holds policyholder data — or you place business through a broker or adjuster that does — assume you are in scope. The data on these sites includes the same claims files, policy details, and personal information your policyholders trusted you to protect.
|
|
|
|
|
The groups behind last year’s insurance breach wave are still operatingThe cybercrime collectives Scattered Spider and ShinyHunters — responsible for the 2025 campaign that hit Aflac, Allianz Life, Farmers, Erie, and Philadelphia Insurance — remain active in 2026. Their method has not changed: voice phishing aimed at IT help desks and tricking staff into authorizing malicious connected apps in cloud platforms like Salesforce. Researchers note these groups splinter, rebrand, and resurface, and that stolen data and undetected access from prior intrusions can persist long after public activity appears to pause. What insurance leaders should care about: February’s brief warned about help-desk vishing after the NYDFS advisory. A year of breaches later, it is still the entry point. The control that matters is identity verification at the help desk: out-of-band confirmation before any credential reset or MFA change, and tight governance over which third-party apps can connect to your CRM and claims platforms. These attacks bypass your firewall by design. The defense is procedural, not technical, and it is testable today.
|
|
|
The NAIC AI exam tool is now in the field, not on the horizon The NAIC’s AI Systems Evaluation Tool — the structured instrument examiners will use to review insurer AI governance during market conduct and financial exams — is being piloted by 12 states as of spring 2026. Based on the pilot, the NAIC anticipates adopting the tool at its Fall 2026 National Meeting. More than half of states have already adopted the NAIC AI Model Bulletin or substantially similar guidance, so for most carriers the exposure already sits in bulletin states where the examination apparatus is now real. What insurance leaders should care about: Earlier briefs told you AI governance was entering exam use. Now there is a specific tool, a pilot underway, and a target adoption date. The tool gathers information on the extent of AI use, governance and risk-mitigation practices, high-risk models, and the data feeding those systems. If AI supports your underwriting, claims, fraud detection, or customer service, an examiner will soon have a standardized checklist to ask about it. The inventory you build now is what answers that checklist.
|
|
|
|
|
Privacy enforcement against insurers is moving from breach response to data practicesState attorneys general are pursuing insurers over how they collect and share data, not just how they protect it. Texas filed suit under its Data Privacy and Security Act against a national auto insurer and a subsidiary, alleging it embedded a software development kit in third-party apps that collected and sold driving-behavior and location data without notice, consent, or opt-out. Separately, California’s amended CCPA now requires qualifying businesses to complete an annual cybersecurity audit performed by a qualified, objective, independent professional, and litigation over website tracking technology continues to generate per-violation statutory penalties. What insurance leaders should care about: This is a different kind of exposure than a breach. It comes from your marketing stack, your mobile apps, your analytics tools, and the trackers on your website — the things GLBA assumptions tend to leave uncovered. The Texas case is a warning: an SDK collecting telematics or location data without proper notice is now a multi-million-dollar enforcement risk. Map where consumer data flows out of your organization, not just where it could be stolen.
|
|
|
|
|
The cyber insurance market is essentially flat on pricing in 2026 as new capacity returns, with healthcare a notable exception drawing single-digit increases on elevated claims. Favorable pricing is not a signal that loss activity has eased. Insurers are appearing on leak sites, last year’s threat groups remain active, and regulators are sharpening both AI and privacy enforcement at the same time. What insurance leaders should care about: A soft market is the time to strengthen the controls that drive severity, not to relax them. Use the pricing reprieve to close the help-desk, vendor, and AI-governance gaps now, while the budget conversation is easier.
|
|
|
Priority Actions for Insurance Leaders (Next 60 Days)Priority 1 — Document your response to the NYDFS heightened-threat guidance.
Walk through the six recommended measures and record, for each, what you adopted or declined and why. Send the third-party engagement note to your top TPAs, MGAs, and claims administrators this month, and keep a copy. In an exam, the documentation is the control. Priority 2 — Lock down help-desk identity verification. Require out-of-band confirmation before any credential reset or MFA change, and review which third-party apps can connect to your CRM and claims systems. Run one realistic vishing scenario against your help desk and measure whether it holds. Priority 3 — Build the AI inventory the NAIC tool will ask for. List every AI use case, including tools embedded in vendor platforms. For each, capture the business owner, the data it touches, who approved it, and whether it sits in your cybersecurity risk assessment. One page is enough to start, and it is the document an examiner will want.
|
The warnings became the exam. Insurers are on leak sites, the same crews are still calling your help desk, and the AI governance tool is now in examiners’ hands. The organizations that documented their response over the last 60 days are the ones that will be ready for the next 60.
|
|
|
→ If your organization cannot show documented evidence that it acted on the NYDFS heightened-threat guidance, verified its critical vendors, and inventoried its AI use, those are the gaps an examiner will find first. FiveM helps insurers build, document, and continuously test regulator-ready governance programs — so the answer to an examiner’s question is already on file.
|
|
|
|
|
|
|