The Cyber & Privacy Imperative:
How the Insurance Industry’s Future Gets Decided Before Sunrise

The future belongs to insurers who treat privacy as power. Pentaho equips them with trusted, transparent data foundations that turn every potential breach into proof of control—strengthening trust with regulators, investors, and customers alike.

Blog categories: Pentaho Platform, Insurance

Every executive fears a 3 a.m. phone call. It never signals good news.

For CIOs and other insurance executives, the reality is that this call is now more likely than ever.

Anyone who has lived through one knows that an incident call can quickly spin into an emergency that dominates the attention of everyone from the CEO down through the COO, General Counsel, Chief Claims Officer, and Board Chair.

The questions come fast and are hard to answer quickly. “Do we know the impact radius?” “How long until we know?” “How long until we notify regulators?” “How long before this hits the press?”

With PII-heavy, data-rich ecosystems and often fragmented, siloed architectures, insurers have become ready and consistent targets for cyber-attacks. And attack velocity and volume are only increasing.

A Landscape of Data Peril

Insurance companies are more exposed to attacks than ever. Legacy systems share space with new SaaS platforms, mobile apps, IoT devices, and hybrid cloud. They store the most sensitive data imaginable: driver’s licenses, health records, bank accounts, even telematics that record how hard someone brakes at a stoplight.

The attack surface is vast. And the bad guys? Relentless.

The sobering facts:

  • The average global cost of a data breach in 2024 was $4.88 million, and in the financial sector, it averaged $6.08 million.
  • EU GDPR fines totaled €1.2 billion in 2024.
  • 75% of consumers say they would not purchase from an organization they don’t trust with their data.

And boards and C-suites are being held personally accountable. In Delaware, the Court of Chancery has extended Caremark-style oversight duties to officers, and in the UK the SM&CR regime imposes personal accountability on senior managers.

A breach isn’t just an expensive, distracting line item. It’s the moment the world stops and stares at your brand.

When Real Life Strikes: The CNA and Health Net Wake-Up Calls 

In March 2021 CNA Financial, one of America’s largest commercial insurers, was paralyzed by a ransomware attack that took claims, policy, and payment systems offline for weeks and exposed customer and broker data. On top of the reported $40 million ransom payment, there were weeks of lost productivity, an estimated tens of millions more in lost business, and fractured relationships with brokers, clients, and regulators.

Why did it get so bad? Scattered data, fractured logs, and no way to quickly connect the dots between systems. The blast radius wasn’t known for days.

Health Net, a large California insurer, suffered a failure of a different flavor but with the same root cause. In 2010, Connecticut reached a $250,000 settlement with Health Net over delayed breach notification, and in a separate matter a 2023 class action tied to a 2021 incident settled for $2.5 million. Data sat in too many places, logs were split between claims and IT, and the alert came too late.

The Broken Toolkits—Silos, Spreadsheets, and Scrambling in the Dark

The uncomfortable truth is that most insurers are highly vulnerable. Industry surveys show insurers still rely on spreadsheets and manual reconciliations for key Solvency II and reporting processes. Like most large, complex data estates, insurers struggle to achieve end-to-end lineage and visibility across mainframes, clouds, partners, and the customer edge. So when an attack hits, notifications are slow, because nobody can confirm what data lived where, who touched it, and where it flowed next.

The Toll on Teams, Leaders, and Boards 

Stepping back from the headlines, a breach or data security scramble is a heavy and ongoing distraction that has ripple effects across the entire business.

  • The CISO is in a marathon of war rooms, hoping the audit logs are complete and fearing the next call is from the state regulator.
  • The COO is scrambling to keep claims and services running—while fielding irate calls from brokers and agents.
  • The Chief Claims Officer wonders how much PII has slipped out. Will adjusters be named in lawsuits?
  • The CRO is calculating the odds of regulatory action, rate hikes, or capital downgrades.
  • The General Counsel is swamped with emails marked “high priority” and legal deadlines stacking up.
  • The CDO and CIO face the herculean task of reconciling records from cloud, on-prem, SaaS, and partners.
  • The CFO must prepare for a board grilling about “cyber exposure.”
  • And the CEO and Board? Wondering if their legacy will be the year the trust was lost.

Everyone feels it and everyone is accountable.

The Pentaho Difference – Turning Panic into Preparedness

Imagine a different 3 a.m. call from the security team alerting leadership to an attack.

  • The CISO logs in and sees every user, API call, and access attempt in a real-time, unified dashboard.
  • The COO sees which business lines are affected and can quickly assess what is at risk and what is safe.
  • Compliance has one-click reports, pre-formatted ahead of time for every regulator.

And the CDO, CIO, and CRO share a single trusted view of data that traces any asset from its origin to every downstream system, every user touchpoint, and every integration, giving visibility and quick alerts on any potential impact.
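To make the "trace any asset from its origin to every downstream system" idea concrete, here is an added example of how a blast-radius estimate can be computed once access events and lineage are in one place. This is illustrative code written for this post, not Pentaho's product code or API; the lineage graph, asset catalogue, account name and log events are all constructed for the example. It joins normalized access events (who touched which asset, when) with a lineage graph (which assets consume data from which) and rolls the result up into the three things a war room asks for: which business lines, which PII categories, and which third parties.

```python
"""Lineage-based blast-radius estimate for a suspected account compromise.

Added illustration, not Pentaho code. Two inputs the post says a unified
view must provide are modelled here: normalized access events gathered from
several systems, and a lineage graph recording which downstream assets
consume each source. All data below is constructed for the example.
"""
from collections import deque
from datetime import datetime

# Constructed lineage graph: upstream asset -> assets that consume it.
LINEAGE = {
    "mainframe.policy_master": ["dwh.policy_fact", "crm.contacts"],
    "dwh.policy_fact": ["bi.pricing_dashboard", "partner.reinsurer_feed"],
    "crm.contacts": ["mobile.profile_api"],
    "claims.adjuster_notes": ["dwh.claims_fact"],
    "dwh.claims_fact": ["bi.claims_dashboard"],
}

# Constructed catalogue entries: (business line, PII categories, data owner).
ASSET_META = {
    "mainframe.policy_master": ("personal_auto", {"driver_license", "bank_account"}, "internal"),
    "dwh.policy_fact": ("personal_auto", {"driver_license"}, "internal"),
    "crm.contacts": ("personal_auto", {"email", "phone"}, "internal"),
    "bi.pricing_dashboard": ("personal_auto", set(), "internal"),
    "partner.reinsurer_feed": ("personal_auto", {"driver_license"}, "ReinsureCo"),
    "mobile.profile_api": ("personal_auto", {"email"}, "internal"),
    "claims.adjuster_notes": ("commercial", {"health_record"}, "internal"),
    "dwh.claims_fact": ("commercial", set(), "internal"),
    "bi.claims_dashboard": ("commercial", set(), "internal"),
}

# Constructed access events, already normalized from three separate systems
# (mainframe, claims platform, CRM) into one schema. The account "j.doe" and
# the timestamps are hypothetical.
EVENTS = [
    {"ts": "2021-03-21T01:10:00+00:00", "system": "claims", "principal": "j.doe",
     "asset": "claims.adjuster_notes", "action": "read"},
    {"ts": "2021-03-21T02:15:00+00:00", "system": "mainframe", "principal": "svc_etl",
     "asset": "mainframe.policy_master", "action": "read"},
    {"ts": "2021-03-21T02:40:00+00:00", "system": "mainframe", "principal": "j.doe",
     "asset": "mainframe.policy_master", "action": "read"},
    {"ts": "2021-03-21T02:52:00+00:00", "system": "crm", "principal": "j.doe",
     "asset": "crm.contacts", "action": "export"},
    {"ts": "2021-03-21T03:01:00+00:00", "system": "dwh", "principal": "a.smith",
     "asset": "dwh.claims_fact", "action": "read"},
]


def assets_touched_by(events, principal, since):
    """Assets the principal accessed at or after `since`, the earliest time
    the credential is believed to have been in attacker hands."""
    since_dt = datetime.fromisoformat(since)
    return {e["asset"] for e in events
            if e["principal"] == principal
            and datetime.fromisoformat(e["ts"]) >= since_dt}


def downstream_closure(lineage, roots):
    """Breadth-first walk over lineage edges: the roots plus every asset
    that can have received data from them, directly or transitively."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        asset = queue.popleft()
        for child in lineage.get(asset, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def blast_radius(lineage, events, principal, since):
    """Assets whose data may be exposed given what the principal touched."""
    return downstream_closure(lineage, assets_touched_by(events, principal, since))


def summarize(meta, assets):
    """Roll the asset set up into the questions the war room actually asks."""
    lines, pii, third_parties = set(), set(), set()
    for asset in assets:
        line, categories, owner = meta[asset]
        lines.add(line)
        pii |= categories
        if owner != "internal":
            third_parties.add(owner)
    return {
        "asset_count": len(assets),
        "business_lines": sorted(lines),
        "pii_categories": sorted(pii),
        "third_parties": sorted(third_parties),
    }


if __name__ == "__main__":
    radius = blast_radius(LINEAGE, EVENTS, "j.doe", "2021-03-21T02:30:00+00:00")
    print(sorted(radius))
    print(summarize(ASSET_META, radius))
```

Two caveats a practitioner would keep in mind. The lineage walk gives an upper bound: it says where the touched data *can* have flowed, not that the attacker reached every downstream copy, so it scopes the notification question quickly but must be narrowed with actual log evidence before deadlines are set. And the whole thing only works if the `since` timestamp and the events are trustworthy, which is exactly why the post's point about complete, unified audit logs matters.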

Pentaho isn’t just software. It’s a set of solutions that enable a philosophy of trust, transparency, and readiness. With real-time lineage and orchestration of the kind Pentaho provides, CNA could have mapped the breach far faster, reducing downtime, shrinking losses, and building credibility with regulators and the market. At Health Net, continuous compliance monitoring could have supported same-day notification rather than weeks of delay, saving millions and preserving reputation.

Where Privacy Becomes Your Superpower

Cyber risk is a fact of life for insurers. Brokers and group accounts now demand proof that you’re “good at privacy” or they walk. Investors and ratings agencies price your capital based on your cyber and privacy maturity.

The difference between brands that endure and those that falter isn’t luck. It’s preparation, culture, and the right tools.

Pentaho can be the difference between a night spent scrambling and a morning spent leading, letting your board, your teams, and your customers see that you’re ready for whatever comes next.