Industry Analysis

Insurance Industry Software Supply Chain

Insurers underwrite cyber risk while running on the same fragile dependency graphs as everyone else. A look at the industry's software supply chain blind spots.

Nayan Dey
Senior Security Engineer

The insurance industry occupies an awkward position in the software supply chain conversation. On one hand, insurers underwrite cyber risk — they write the policies that pay out when ransomware takes down a hospital or when a third-party compromise leaks a customer database. On the other hand, insurers run some of the largest, longest-lived software estates in the economy, full of actuarial code written in the 1990s, claims platforms that have been modernized in pieces, and modern microservices that depend on the same open-source ecosystem as everyone else. The gap between the sophistication of an insurer's risk modeling for their insureds and the sophistication of their risk modeling for their own software is often striking.

Two events in 2023 and 2024 made this gap visible. The MOVEit Transfer vulnerability Cl0p exploited starting 27 May 2023 hit dozens of insurers and their downstream customers — Prudential confirmed exposure in July 2023, and TIAA disclosed related incidents through its pension-administration vendor Pension Benefit Information. The Change Healthcare breach that began 21 February 2024 was not directly an insurance event, but the downstream impact on payer claims processing — including Elevance Health, Humana, and dozens of smaller plans — was a reminder that a health insurer's operational resilience is now tightly coupled to a small number of shared software vendors.

Where the risk actually sits

Insurance software looks different from fintech or healthcare software, but the supply chain structure is similar in shape. A typical carrier runs:

A policy administration system. Often Guidewire, Duck Creek, or a homegrown platform dating to the 1990s or 2000s. These are where the policyholder records live.

A claims management platform. Claims systems integrate with a long list of external services — medical record retrieval for health and workers' comp, vehicle history for auto, property inspection for P&C.

Actuarial and pricing engines. Many built in R, Python, or specialized software like SAS, Moody's RMS, or AIR Worldwide's catastrophe models. The dependency graphs of R and Python packages are deep and poorly governed in most actuarial shops.

Distribution and agent platforms. Salesforce-based or vendor-specific systems that give independent agents access to quoting and binding. These have broad access to sensitive underwriting data.

Regulatory reporting. NAIC filings, state-level market conduct reports, and statutory accounting all run on specialized software.
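The actuarial point above, that Python and R dependency graphs are deep and rarely inventoried, is easiest to see by measuring it. The script below is an added example, not code from this article or from any product it names: it enumerates whatever distributions are installed in the interpreter it runs under via importlib.metadata, reconstructs the dependency graph from their Requires-Dist metadata, reports how deep the chains go, and emits a minimal CycloneDX-shaped document. The field names follow the public CycloneDX spec's layout, but the output is a skeleton for a first inventory, not a validated SBOM; the sample graph used for the self-check is constructed.

```python
"""Enumerate installed Python distributions into a minimal CycloneDX-shaped SBOM
and measure dependency-chain depth (added example; run inside the actuarial
virtualenv to inventory what is actually there)."""
import re
from importlib.metadata import distributions

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def canonical(name: str) -> str:
    """PEP 503 normalisation so 'Foo_Bar.baz' and 'foo-bar-baz' are one node."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str):
    """Pull the distribution name out of a Requires-Dist line such as
    'requests (>=2.0) ; extra == "socks"'. Optional (extras-only) deps are
    skipped so the graph reflects what a plain install pulls in."""
    if "extra ==" in spec:
        return None
    m = _NAME_RE.match(spec.strip())
    return canonical(m.group(0)) if m else None


def installed_graph() -> dict:
    """Map each installed distribution to {'version': str, 'requires': set()}."""
    graph = {}
    for dist in distributions():
        name = dist.metadata.get("Name")
        if not name:
            continue  # damaged metadata: nothing reliable to record
        reqs = dist.metadata.get_all("Requires-Dist") or []
        graph[canonical(name)] = {
            "version": dist.version,
            "requires": {r for r in map(requirement_name, reqs) if r},
        }
    return graph


def depth(graph: dict, root: str, seen=None) -> int:
    """Longest dependency chain starting at `root`, counted in packages and
    restricted to what is installed; `seen` cuts cycles."""
    seen = seen or set()
    if root in seen or root not in graph:
        return 0
    seen = seen | {root}
    return 1 + max((depth(graph, d, seen) for d in graph[root]["requires"]), default=0)


def build_sbom(graph=None) -> dict:
    """CycloneDX-shaped skeleton: components plus a dependency list keyed by purl."""
    graph = graph if graph is not None else installed_graph()
    purl = lambda n: f"pkg:pypi/{n}@{graph[n]['version']}"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": n, "version": v["version"], "purl": purl(n)}
            for n, v in sorted(graph.items())
        ],
        "dependencies": [
            {"ref": purl(n),
             "dependsOn": [purl(d) for d in sorted(v["requires"]) if d in graph]}
            for n, v in sorted(graph.items())
        ],
    }


if __name__ == "__main__":
    g = installed_graph()
    deepest = max(g, key=lambda n: depth(g, n), default=None)
    print(f"{len(g)} distributions; deepest chain starts at {deepest}: "
          f"{depth(g, deepest) if deepest else 0} packages")
    print(f"{len(build_sbom(g)['components'])} components written to SBOM skeleton")
```

The depth figure is the number a governance conversation usually lacks: a pricing model that imports three packages may in fact be sitting on thirty, and the SBOM skeleton is the artefact that turns that into something a vendor questionnaire can be checked against.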

The NAIC and state regulatory picture

The NAIC adopted the Insurance Data Security Model Law in October 2017. As of mid-2024, twenty-five states had adopted versions of the model law, with New York's Department of Financial Services 23 NYCRR 500 being the most widely emulated framework. The model law requires an information security program, risk assessment, and oversight of third-party service providers. The third-party provider language is the most directly relevant to software supply chain: insurers must exercise due diligence in selecting providers, require providers to implement appropriate safeguards, and periodically assess whether they continue to do so.

What the model law does not say is that insurers must maintain an SBOM or verify the software composition of their vendors. The regulatory text was written in a different era, and the interpretation that has emerged in practice is that third-party oversight means sending annual questionnaires and collecting SOC 2 reports. That is a floor, not a ceiling, and the carriers that have actually operationalized supply chain risk management have moved well beyond it.

The cyber insurance feedback loop

The most interesting dynamic in the industry is the feedback loop between carriers' own software risk and the policies they write for others. Over 2023 and 2024, Marsh McLennan, Aon, and Lockton all published analyses of ransomware claim severity that pointed to the same trend: a rising share of losses were traceable to a third-party incident rather than a direct compromise of the insured. Coalition's 2024 Cyber Claims Report put the figure near 30% of all claims.

Carriers responded by tightening the underwriting questions. The 2024 renewal cycle saw a marked increase in questions about SBOMs, software composition tooling, and dependency vulnerability management. Some carriers began asking applicants to name the software supply chain security platform in use and to provide evidence of coverage across production applications. This is the industry starting to underwrite software supply chain risk directly, the way it once learned to underwrite cloud risk.

What this means for the carriers' own operations is that they are being held to the standard they are asking their insureds to meet. A carrier that requires its insureds to have an SBOM program while its own claims platform runs on unpatched Spring Boot with no dependency visibility is in an uncomfortable position, and the internal audit and board risk committees have noticed.

The MOVEit lesson

The Cl0p MOVEit Transfer campaign — exploiting CVE-2023-34362, a SQL injection in the web interface disclosed by Progress Software on 31 May 2023 — was the largest clear example of how a single vendor's compromise cascades across insurance. Dozens of insurers used MOVEit, directly or through vendors who used it for file transfer. Employee benefits administrators using MOVEit exposed retirement account data. Medical record retrieval vendors using MOVEit exposed claims data. Payroll vendors using MOVEit exposed premium remittance data.

The specific CVE mattered less than the pattern. A critical piece of file-transfer infrastructure, widely deployed across the insurance ecosystem, had a single remotely exploitable flaw, and the attackers found it before the defenders did. The subsequent disclosures — Progress Software confirmed additional issues CVE-2023-35036 and CVE-2023-35708 in the following weeks — suggest the product had accumulated a significant attack surface that had not been well audited.

What good looks like

The carriers that have started to close the supply chain gap are doing three things. First, they have a defined inventory of software that touches policyholder data, claims data, or financial data, with SBOMs collected from every material vendor. Second, they have a patching expectation per risk tier — the customer-facing portal patches faster than the batch reporting system — and they measure against it. Third, they treat cyber insurance underwriting and their own internal risk program as the same problem with two faces, so the controls they require of insureds are the controls they can evidence internally.
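The three practices above, and the MOVEit cascade described earlier, come together in one operational check: when an advisory lands, walk the inventory, including the components you only see through vendors' SBOMs, and measure every hit against the patch expectation for that system's tier. The script below is an added example, not Safeguard's or any other vendor's code. The systems, vendors and version numbers are constructed; the CVE id and the 31 May 2023 disclosure date are the ones cited in this article, but the "fixed_in" value is a placeholder and not the product's real fixed version. Note that a vendor with no SBOM on file is reported as a finding rather than silently passing.

```python
"""Correlate one vendor advisory against a carrier's system inventory, through
both the carrier's own SBOMs and its vendors' SBOMs, and check each hit against
the risk tier's patch SLA (added example with constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Patch expectation per risk tier, in days from advisory publication (assumed
# values): the customer-facing portal patches faster than batch reporting.
PATCH_SLA_DAYS = {"customer-facing": 7, "core-claims": 14, "batch-reporting": 30}


@dataclass
class System:
    name: str
    tier: str
    components: dict = field(default_factory=dict)  # own SBOM: component -> version
    vendors: list = field(default_factory=list)     # vendors whose software it relies on


@dataclass
class Vendor:
    name: str
    components: dict = field(default_factory=dict)  # vendor-supplied SBOM


def _ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """'Anything below the fix is vulnerable' rule. Real advisories often list a
    fixed version per release line, so extend this before relying on it."""
    return _ver(installed) < _ver(fixed_in)


def exposures(systems, vendors, advisory: dict, today: date) -> list:
    """One finding per exposure path, plus one per vendor with no SBOM on file."""
    vendor_map = {v.name: v for v in vendors}
    findings = []
    for s in systems:
        paths = []
        own = s.components.get(advisory["component"])
        if own and is_affected(own, advisory["fixed_in"]):
            paths.append(("direct", own))
        for vn in s.vendors:
            vendor = vendor_map.get(vn)
            if vendor is None:
                # No SBOM from this vendor: exposure is unknown, which is a
                # finding in its own right, not a pass.
                paths.append((f"sbom-gap:{vn}", None))
                continue
            ver = vendor.components.get(advisory["component"])
            if ver and is_affected(ver, advisory["fixed_in"]):
                paths.append((f"vendor:{vn}", ver))
        due = advisory["published"] + timedelta(days=PATCH_SLA_DAYS[s.tier])
        for via, ver in paths:
            findings.append({
                "system": s.name, "tier": s.tier, "cve": advisory["cve"],
                "via": via, "version": ver, "due_by": due, "overdue": today > due,
            })
    return findings


# --- constructed sample data ---
ADVISORY = {
    "cve": "CVE-2023-34362",          # the MOVEit Transfer CVE cited in the article
    "component": "moveit-transfer",
    "published": date(2023, 5, 31),   # disclosure date cited in the article
    "fixed_in": "2.4.0",              # PLACEHOLDER, not the real fixed version
}
SYSTEMS = [
    System("agent-portal", "customer-facing", {"spring-boot": "2.7.0"}, ["benefits-admin-co"]),
    System("claims-core", "core-claims", {"moveit-transfer": "2.3.1"}, ["medrec-retrieval"]),
    System("stat-reporting", "batch-reporting", {}, ["unlisted-vendor"]),
]
VENDORS = [
    Vendor("benefits-admin-co", {"moveit-transfer": "3.2.0"}),  # already above the fix
    Vendor("medrec-retrieval", {"moveit-transfer": "2.2.0"}),   # behind the fix
]

if __name__ == "__main__":
    for f in exposures(SYSTEMS, VENDORS, ADVISORY, today=date(2023, 6, 20)):
        print(f)
```

With the sample data, claims-core is exposed twice (its own MOVEit instance and its medical-record retrieval vendor's) and is past its 14-day window on 20 June, while stat-reporting carries an open question because its vendor never supplied an SBOM. That second kind of finding is what the annual-questionnaire model tends to lose.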

How Safeguard Helps

Safeguard builds the software inventory that NAIC Model Law and state regulations like NYDFS 23 NYCRR 500 expect, applying reachability analysis so actuarial teams can distinguish the CVEs that matter in their Python and R dependency graphs from the ones that cannot be invoked. Griffin AI correlates vendor disclosures — Progress Software, Fortra, Ivanti — against your platform inventory the moment an advisory lands, collapsing the hours of questionnaires into a single dashboard. Our SBOM pipeline handles mixed formats from Guidewire, Duck Creek, and bespoke actuarial systems, and the TPRM module scores clearinghouses, medical-record retrieval vendors, and benefits administrators against live advisories. Policy gates block production deployments that would regress the supply chain posture you evidenced to your reinsurers.
