Cyberattacks on insurers put CFOs on high alert
Aflac is one of the latest insurance companies to suffer a cyberattack.

Good morning. Cybersecurity is a pressing issue for CFOs, and recent high-profile breaches underscore the need for heightened vigilance among finance leaders.
Aflac, a Fortune 500 company and one of the largest insurance providers in the U.S., announced on Friday that it identified unauthorized access to its U.S. network on June 12. The potentially impacted files contain claims, health information, Social Security numbers, and other personal data. Aflac said it activated its cyber-incident response protocols and stopped the intrusion within hours.
The company is still in the early stages of reviewing the incident and has yet to determine the total number of affected individuals. However, Aflac’s business remains operational, and its systems were not impacted by ransomware. According to an SEC filing, the company will notify regulators and affected customers and offer free credit monitoring and identity theft protection services. I contacted Aflac, but a representative referred me to Friday’s announcement.
Alongside Aflac, two other insurance companies—Erie Insurance and Philadelphia Insurance—recently experienced cyberattacks.
Aflac attributed the incident to a sophisticated cybercrime group involved in a broader campaign targeting the insurance industry. Google’s Threat Intelligence Group identifies Scattered Spider as a financially motivated threat actor known for its persistent use of social engineering and brazen communications with victims.
John Hultquist, VP of intelligence analysis at cybersecurity firm Mandiant (a Google Cloud company), posted on June 16 on X: “Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry. They have a habit of working their way through a sector. Insurance companies should be on the lookout for social engineering schemes targeting their call centers.”
The rising cost of cyber risk
For the U.S. specifically, the average cost of a data breach was $9.36 million in 2024, which remains the highest average among the 16 countries and regions studied, according to IBM research. The rising costs of cybersecurity programs require CFOs to integrate cyber-risk management with financial oversight, according to recent analysis from EY.
Cyber risks can manifest in many ways, and CFOs are uniquely positioned to quantify these risks and estimate the cost of incidents. By collaborating closely with chief information security officers, CFOs can better understand risk probability and exposure, set spending and ROI metrics, and communicate recommendations for prioritizing cybersecurity investments, EY finds.
Geopolitical complexity
Federal officials caution that pro-Iranian hacktivists or state-sponsored groups could target vulnerable U.S. networks. “The ongoing Iran conflict is causing a heightened threat environment in the United States,” according to a bulletin published on Sunday.
In a Saturday post on X, Hultquist shared his perspective on Iran’s cyber activities: “Iran leverages its cyberattack capability for psychological purposes. There is a real, practical risk to enterprises, but it’s important that we don’t overhype the threat here.”
He expressed particular concern about cyber espionage targeting U.S. leaders and surveillance facilitated by compromises in travel, hospitality, telecommunications, and other sectors where data could be used to identify and physically track people of interest.
When it comes to cybersecurity, the stakes are high and vigilance is now a core part of the CFO’s job description.
Sheryl Estrada
sheryl.estrada@fortune.com
This story was originally featured on Fortune.com