How Independent Insurance Agents Can Protect Themselves Against Cyber Threats


By Ujjval Patel

In order to protect your insurance agency against cyber threats, there are three key terms you first need to familiarize yourself with: phishing, smishing, and vishing.

Phishing is the process by which a cyber criminal uses a legitimate-looking e-mail to trick one of your employees into providing private information (such as passwords or, via a malicious link, access to your network) or convinces them to transfer funds by impersonating a figure whom they trust.

Smishing is similar to phishing, except that the medium is different: smishing attacks use SMS or messaging apps to try to fool your agency staff, rather than e-mails.

When a cybercriminal uses phone calls to try and steal information or money from your agency, this is known as vishing.

These three most commonly perpetrated attacks remain the top cyber threats faced by independent agencies. Gone are the days of dodgy e-mails riddled with severe misspellings, offering you access to a long-lost relative’s oil fortune from a faraway country; modern cyber attacks are getting more complex and harder to detect by insurance agency principals and their staff.

One attack pattern leverages phishing e-mails from trusted contacts. In this scenario, the e-mail address of a trusted contact (for example, the agency principal) gets hacked, and a cyber criminal begins to propagate e-mails to their recipients.

In the heat of day-to-day operations, these messages can at first appear legitimate to time-stressed employees because they carry the correct e-mail address, business logo, and signature. (In one case, we recently saw an e-mail with the subject line, “Time Sensitive Message” with what appeared to be a secure link to a trusted counterparty.)

However, on closer inspection, these types of messages have many telltale signs in common that can alert you to possible threats.

  • First, such e-mails (or messages/phone calls) often carry a sense of urgency in order to elicit a quick response. Any language urging you to act without hesitation is a red flag.
  • Second, these messages will typically be inconsistent in tone or voice with other communications from the trusted contact. This is because bad actors use cookie-cutter templates of common business requests, and often don’t tailor messages for the specific company or industry. (This is not to say that some cyber criminals don’t do their homework; suspicion should always be the watchword when analyzing a message from a superior.)
  • Third, they will ask you to download suspicious attachments, click on a link, send payments through odd channels, or provide confidential information like a network password or banking numbers. Malicious links will often include indicators that they’re illegitimate, such as hyphens or slight misspellings in key words within the URL.

All three of these warning signs can alert you or your staff to possible cyber attacks, and your agency’s staff should be trained to spot them immediately.
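As an added example (not code from the article or from Renaissance), the following Python script applies the third warning sign mechanically: it pulls the links out of a message and flags hostnames that embed a trusted name inside another domain, sit a few keystrokes away from a trusted domain (the "slight misspelling" and "hyphen" cases), or point at a raw IP address. The trusted-domain list, the sample message and the two-label domain-splitting rule are constructed assumptions; a real deployment would load the trusted list from configuration.

```python
"""Flag lookalike links in an e-mail body: a defender-side check for the
URL warning signs (hyphens, slight misspellings, unfamiliar hosts)."""
import re
from urllib.parse import urlparse

# Constructed sample (assumption): domains the agency legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.com", "renaissancealliance.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance between an unknown
    domain and a trusted one is the 'slight misspelling' signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'login.examplebank.com' -> 'examplebank.com'.
    Simplification (assumption): multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> list[str]:
    """Return the reasons a URL looks suspicious; an empty list means no finding."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ["link points at a raw IP address"]
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return []  # genuine domain or one of its subdomains
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]  # brand label, e.g. 'examplebank'
        # Brand name present but the real domain is not: covers
        # 'examplebank.com.secure-doc-link.net' and 'examplebank-secure.com'.
        if name in host:
            reasons.append(f"trusted name '{name}' appears inside untrusted host {host}")
            continue
        # Within two edits of a trusted domain: 'exarnplebank.com', 'example-bank.com'.
        if levenshtein(domain, trusted) <= 2:
            reasons.append(f"possible misspelling of '{trusted}': {domain}")
    return reasons


def scan_message(body: str) -> dict[str, list[str]]:
    """Map every URL found in the message body to its list of findings."""
    return {url: check_link(url) for url in URL_RE.findall(body)}


# Constructed sample e-mail (assumption), modelled on the urgent-subject-line
# pattern described in the article.
SAMPLE_EMAIL = """Subject: Time Sensitive Message
Please review the secure document at once:
https://examplebank.com.secure-doc-link.net/review
Backup copy: https://exarnplebank.com/login
Our portal: https://portal.renaissancealliance.com/policies
"""

if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_EMAIL).items():
        print(url, "->", reasons or ["ok"])
```

Running the script on the sample prints a finding for the first two links and "ok" for the genuine portal link. The brand-name check deliberately fires on hyphenated variants as well as on trusted names buried in a subdomain, which is the pattern in the "secure link" example above; the edit-distance threshold of two is a tuning choice, and a trusted domain with a very short brand label would need a stricter rule to avoid false positives.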

Don’t suffer these consequences

If your agency falls victim to a cyber attack, your business’ financial loss may prove to be just the start of your problems.

The financial consequences can include a possible ransom payment to the bad actor (i.e., a payment demanded by ransomware that locks you out of your own systems), costs to mitigate the damage once a breach is detected, and costs to recover to normal operations after the incident. Based on claims data collected by Nationwide, small businesses like independent agencies can spend between $15,000 and $25,000 in recovery costs alone.

In a worst-case scenario the scammer can drain your bank account, as happened to Charles Haney, a Texas small business owner. In March of 2023, Haney was victimized in a vishing attack in which a cyber criminal convinced him he was speaking to his bank’s fraud division, and he revealed his bank account information. Within minutes, Haney’s business checking account was drained from about $192,000 to around $3,000.

There’s also your agency’s reputational risk to consider.

If your e-mail system is compromised in a phishing attack, your customers might receive e-mails from you that put them at risk of being hacked. What’s more, if any of your clients’ personally identifiable information (PII) is exposed, by law they will have to be informed. According to the National Conference of State Legislatures (NCSL), all 50 states now have requirements for businesses to notify customers when their data is compromised.

After a cyber breach, the firm’s customer retention rates suffer. One study conducted by ransomware protection provider Arcserve found that 59% of consumers would likely avoid doing business with an organization that had experienced a cyber attack in the past year.

The insurance industry is built on trust and relationships, and cyber breaches can quickly erode your clients’ confidence in your ability to protect them.

Best practices to stay safe

There are several simple best practices you can follow to safeguard your agency. The first is to train and retrain your staff in cyber safety awareness as often as possible.

Sadly, the largest threat to your agency’s cybersecurity is human complacency. It’s critical to teach each team member how to consistently evaluate e-mails for suspicious indicators – sender addresses that don’t look quite right, misspellings, odd-looking links, calls for urgency, and out-of-character tone from a “known” sender, to name a few.

When a team member doubts the veracity of an e-mail, message or phone request, it is always best for them to call the sender on a known phone number, and to distrust anyone who calls your agency claiming to be from a trusted institution such as your bank.

It’s also critical to have proper professional protections in place for your agency. Many independent insurance agencies have a single person who is responsible for everything, which is not the best approach to keeping your private information secure. Cybersecurity is a specialized skill set that requires expert knowledge of the latest threat patterns.

All too often, investment in technology infrastructure is seen as a cost center, and it’s important to change that mindset. We highly recommend partnering with a managed service provider that can provide normal IT services but also cybersecurity and incident response.

However, it’s worth noting that not all service providers are created equal. When selecting a vendor, vet them to see whether they have knowledge of security frameworks such as those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), the COBIT control model, and the Center for Internet Security (CIS) Controls, and whether they understand how privacy regulations like the California Consumer Privacy Act (CCPA) might be impacted by a tight control framework.

Note that compliance and cybersecurity have some overlap in control frameworks but are not one and the same; understanding the difference is critical to securing your agency across multiple fronts.

Hackers focus on getting into your system day and night; it would be an oversight to assume that one person on your agency’s staff can do everything needed to safeguard you.

Insurance protections

Independent agencies must bat 1.000 each day to prevent exposure, but hackers only have to get it right once. As a result, it’s imperative that you also maintain the right cyber insurance policy to protect your business.

There are several things to consider for your cyber insurance protections. Make sure your agency’s policy covers data breaches and the third-party liability of those breaches. It should also cover breaches by vendors and other third parties, as well as attacks originating across the world since there are exclusions in some policies for specific geographies. It’s also prudent to ask about other exclusions, such as acts of terrorism.

One thing to note is that all cyber coverage will exclude incidents that result from poor security processes, human errors, and pre-existing vulnerabilities. Before you seek coverage, assess your internal gaps so that things your agency might be doing wrong don’t become grounds for exclusion later.

For a good starter checklist, consult the FTC’s guidelines for cyber protections.

As the agency principal, the buck stops with you in ensuring your agency is protected against cyber attacks. Proper training for your staff, professional assistance from a managed service provider, and a well-crafted cyber policy will keep your business safe in a world in which the stakes continue to rise.

Rhodian Group, which specializes in cybersecurity, IT services, and compliance, is Renaissance’s preferred vendor for our member agencies. Visit them at rhodiangroup.com.

Ujjval Patel is the Chief Technology Officer for Renaissance Alliance. He is responsible for developing and managing the agency network’s high-performing, scalable, and secure technology stack.

About Renaissance

Powered by a differentiated suite of technology products and services, Renaissance drives organic, profitable revenue growth for your insurance agency.
