Insurance Industry Software Risk Assessment and Supply Chain Security

Insurers manage massive amounts of sensitive data through complex software systems. Here's how the insurance industry should approach software supply chain risk.

James
Compliance Specialist

Insurance companies are in the business of understanding risk. Ironically, many insurers have a blind spot when it comes to the software risk sitting inside their own applications. The policy management system that holds millions of customer records, the claims processing platform that handles sensitive health information, the actuarial models that drive business decisions -- all of this runs on software with supply chains that nobody is watching.

The insurance industry handles some of the most sensitive personal data in any sector: health records, financial information, Social Security numbers, and detailed personal histories. A software supply chain compromise at an insurer could expose data that makes a typical retail breach look trivial.

The Insurance Software Landscape

Insurance companies depend on a complex mix of software:

Core policy administration systems. These manage the lifecycle of insurance policies, from quoting to issuance to renewal. They're often legacy systems that have been modernized over decades, accumulating layers of components and integrations.

Claims management platforms. Processing and adjudicating claims involves sensitive data -- medical records for health insurance, property assessments for P&C, financial records for life insurance. These systems integrate with dozens of external services.

Actuarial and underwriting tools. Statistical models, pricing engines, and risk assessment tools that drive business decisions. Many are built on R, Python, or specialized actuarial software with their own dependency ecosystems.

Customer portals and mobile apps. Self-service platforms that let policyholders file claims, view policies, and make payments.

Agent and broker platforms. Distribution systems that serve thousands of independent agents and brokers, each accessing policyholder data.

Regulatory reporting systems. Tools that generate the statutory filings, risk-based capital calculations, and market conduct reports that regulators require.

Regulatory Drivers

NAIC Insurance Data Security Model Law

The National Association of Insurance Commissioners (NAIC) adopted its Insurance Data Security Model Law in 2017, and states have been steadily adopting it. The model law requires insurers to:

  • Conduct risk assessments that identify reasonably foreseeable threats, including threats to information systems
  • Implement an information security program based on the risk assessment
  • Oversee third-party service providers that handle nonpublic information
  • Investigate and report cybersecurity events

Software supply chain risks fall squarely within the scope of "reasonably foreseeable threats." If your risk assessment doesn't include the possibility of a compromised software component, it's incomplete.

State-Level Requirements

New York's DFS Cybersecurity Regulation (23 NYCRR 500) applies to insurers licensed in New York and has some of the most prescriptive requirements:

  • Vulnerability management programs that address application vulnerabilities
  • Third-party security policies that cover technology providers
  • Risk assessments that consider threats from third-party service providers
  • CISO appointment and reporting requirements

Other states are following New York's lead with their own cybersecurity regulations for insurers.

GDPR and International Requirements

For insurers operating in Europe, GDPR's requirements for data protection by design and by default extend to the software supply chain. You need to demonstrate that the software processing personal data is secure, including its components.

Risk Assessment: Applying Insurance Thinking to Software

Insurers know how to assess risk. Apply that expertise to your software supply chain:

Probability Assessment

What's the likelihood of a supply chain compromise affecting your software? Consider:

  • Historical frequency. Supply chain attacks are increasing year over year. The probability is not low.
  • Component exposure. How many open-source and third-party components are in your critical systems? More components means higher probability.
  • Component quality. Are your components from well-maintained projects with responsive security teams, or from abandoned projects with known vulnerabilities?

Impact Assessment

If a supply chain compromise occurs, what's the impact?

  • Data exposure. Policyholder data including PII, PHI, and financial information
  • Regulatory penalties. Fines under state data security laws, NYDFS requirements, or GDPR
  • Reputational damage. Customer trust in an insurer is foundational to the business
  • Operational disruption. Claims processing downtime, policy administration failures
  • Litigation. Class action lawsuits following data breaches are nearly automatic

Control Effectiveness

What controls do you currently have in place?

  • Do you know what components are in your critical applications?
  • Can you determine your exposure to a newly disclosed vulnerability within hours?
  • Do your vendor contracts require supply chain transparency?
  • Is your development team scanning for vulnerable dependencies?

Most insurers find significant gaps when they honestly assess their control effectiveness for software supply chain risk.

Building an Insurance Software Supply Chain Program

Leverage Your Risk Management Culture

Insurance companies have sophisticated risk management frameworks. Use them. Your software supply chain program should integrate with your enterprise risk management:

  • Include software supply chain risk in your annual risk assessment
  • Establish risk appetite for software supply chain exposure
  • Report supply chain risk metrics to your risk committee
  • Treat software supply chain risk the same way you treat other operational risks

Prioritize by Data Sensitivity

Focus your initial SBOM efforts on systems that handle the most sensitive data:

  1. Claims systems (especially health insurance claims with PHI)
  2. Policy administration (PII, financial data)
  3. Customer portals (authentication, payment processing)
  4. Agent platforms (distributed access to policyholder data)
  5. Regulatory reporting (aggregated sensitive data)

Vendor Assessment for InsurTech

The insurance industry is rapidly adopting InsurTech solutions -- AI-powered underwriting, digital claims processing, IoT-based risk assessment. These tools are often from startups with limited security maturity. Your vendor assessment should include:

  • Does the vendor conduct software composition analysis?
  • Can they provide SBOMs for their products?
  • What is their vulnerability response process?
  • How do they manage open-source dependencies?
  • What is their secure development lifecycle?

Actuarial and Analytics Software

Actuarial tools built on R and Python present a unique challenge. The R and Python package ecosystems are enormous, and many packages used in actuarial work are maintained by small communities. These tools may process sensitive data and drive business-critical decisions.

Include actuarial and analytics software in your SBOM program. Scan Python and R dependencies for known vulnerabilities. Establish vetting processes for new packages.
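The control questions above ("can you determine your exposure to a newly disclosed vulnerability within hours?"), the data-sensitivity priority list, and the instruction to scan Python and R dependencies all come down to one mechanical check: walk the SBOMs across the portfolio, match each component against the advisory by ecosystem and package name, compare versions against the affected range, and order the hits by how sensitive the application's data is. The following Python script is an added illustration of that check, not Safeguard.sh code and not taken from this article. Every application name, SBOM entry, sensitivity tier and the advisory itself are constructed sample data; the package name and advisory id are placeholders and do not refer to any real package or vulnerability. It also handles the failure mode a real SBOM feed produces constantly: a component whose version is missing, which must be reported for review rather than silently treated as safe.

```python
"""Portfolio exposure triage for a newly disclosed vulnerability.

Added illustration; not Safeguard.sh code. All applications, SBOMs, tiers
and the advisory are constructed, and the package name is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'2.31.0rc1' -> (2, 31, 0). Numeric prefix of each of the first three
    dotted parts; a simplification of PEP 440 / CRAN version rules."""
    nums: List[int] = []
    for part in text.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def parse_purl(purl: str) -> Tuple[str, str, Optional[str]]:
    """'pkg:pypi/name@1.2.3?q=1' -> ('pypi', 'name', '1.2.3').
    Namespaces are dropped from the name; version is None when absent."""
    body = purl[4:] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    ecosystem, _, rest = body.partition("/")
    path, sep, version = rest.rpartition("@")
    if not sep or not path:  # no '@', or the '@' was a namespace prefix
        path, version = rest, ""
    return ecosystem.lower(), path.rsplit("/", 1)[-1].lower(), version or None


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    ecosystem: str
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass(frozen=True)
class Exposure:
    application: str
    tier: int
    purl: str
    status: str  # "affected" or "unknown-version"


# Priority order from the article (1 = most sensitive); the actuarial tier is
# an assumption. Application names are constructed.
SENSITIVITY_TIER: Dict[str, int] = {
    "claims-adjudication": 1,  # health claims, PHI
    "policy-admin": 2,         # PII, financial data
    "actuarial-pricing": 2,    # Python/R models over policyholder data (assumed tier)
    "customer-portal": 3,      # authentication, payments
    "agent-platform": 4,       # distributed access to policyholder data
    "stat-reporting": 5,       # aggregated regulatory filings
}

# Constructed, CycloneDX-shaped SBOM fragments (only the purl field is used).
SBOMS: Dict[str, dict] = {
    "claims-adjudication": {"components": [{"purl": "pkg:pypi/claimsparse@1.4.2"}]},
    "policy-admin": {"components": [{"purl": "pkg:maven/org.example/policycore@5.2.0"},
                                    {"purl": "pkg:pypi/claimsparse@2.0.0"}]},  # on fixed line
    "actuarial-pricing": {"components": [{"purl": "pkg:cran/claimsparse@1.9.0"},  # other ecosystem
                                         {"purl": "pkg:pypi/claimsparse"}]},      # version missing
    "customer-portal": {"components": [{"purl": "pkg:pypi/claimsparse@1.0.0"}]},
    "stat-reporting": {"components": [{"purl": "pkg:pypi/reportgen@0.9.0"}]},
}

# Constructed advisory with a placeholder id and placeholder package name.
ADVISORY = Advisory("ADVISORY-PLACEHOLDER-0001", "pypi", "claimsparse", "1.0.0", "2.0.0")


def find_exposure(sboms: Dict[str, dict], advisory: Advisory,
                  tiers: Dict[str, int]) -> List[Exposure]:
    """Exposed (application, component) pairs, most sensitive tier first.
    Applications missing from the tier map sort last but are still reported."""
    hits: List[Exposure] = []
    for app, bom in sboms.items():
        tier = tiers.get(app, 99)
        for comp in bom.get("components", []):
            eco, name, version = parse_purl(comp.get("purl", ""))
            if eco != advisory.ecosystem or name != advisory.package:
                continue
            if version is None:
                hits.append(Exposure(app, tier, comp["purl"], "unknown-version"))
            elif advisory.affects(version):
                hits.append(Exposure(app, tier, comp["purl"], "affected"))
    hits.sort(key=lambda e: (e.tier, e.application, e.purl))
    return hits


if __name__ == "__main__":
    for e in find_exposure(SBOMS, ADVISORY, SENSITIVITY_TIER):
        print(f"tier {e.tier}  {e.application:22} {e.status:16} {e.purl}")
```

The matching is deliberately keyed on the purl's ecosystem as well as the package name: a CRAN package and a PyPI package that share a name are different artifacts, and conflating them produces both false alarms and missed exposure. The "unknown-version" status is the line a risk committee should care about most, because it marks the part of the portfolio where the control question cannot yet be answered at all.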

The Cyber Insurance Angle

Many insurers also underwrite cyber insurance. Your software supply chain security program can inform your underwriting:

  • Understanding software supply chain risk firsthand makes you a better cyber insurer
  • SBOM data from applicants could become part of cyber insurance underwriting
  • Claims experience from supply chain incidents informs risk pricing
  • Requiring SBOMs from policyholders could reduce claims frequency

There's a strategic opportunity for insurers to lead on software supply chain security, both for their own protection and as a differentiation in their cyber insurance products.

How Safeguard.sh Helps

Safeguard.sh provides insurance companies with the software supply chain visibility that risk-based regulation demands. The platform generates SBOMs across your application portfolio, monitors components for vulnerabilities, and provides the risk metrics that insurance risk management frameworks require.

For InsurTech vendor assessment, Safeguard.sh can evaluate vendor-provided software for component risks. For internal development, the platform integrates into build pipelines to ensure every release is scanned and documented. For regulatory compliance, Safeguard.sh generates the evidence and documentation needed to demonstrate that software supply chain risks are identified, assessed, and managed.

Insurance companies using Safeguard.sh can apply the same rigor to their software supply chain risk that they apply to every other risk in their portfolio.
