Why ‘hybrid’ cyberattacks are an insurance industry threat

By Jason Contant | December 5, 2025 | Last updated on December 5, 2025

KPMG is seeing more hybrid cyberattacks that target both first and third parties, as well as threat actors working together, experts at the firm said last week during its 2025 Insurance Conference in Toronto.

During a cyber insurance and cybersecurity session, conference attendees heard examples of cyberattacks on insurers and third-party administrators. In one case, two major threat actors worked together to execute a social engineering attack against employees to get into the Salesforce CRM (customer relationship management) platform, says Mike Rosenlund, senior manager of cyber defence with KPMG in Canada.

“It’s particularly interesting because technically it could be a first-party incident, because you have the employee being abused from social engineering,” Rosenlund says. “Could be a third-party incident, because the entire attack takes place within Salesforce’s SaaS [software-as-a-service], or online solution.”

In the attack against Allianz Life, the stolen data “wasn’t necessarily proprietary, highly sensitive insurance data,” he says. “It’s sales information, but it’s still potentially names, dates of birth, addresses, payment information…stuff like that.”

At least 1.4 million customers, financial professionals and select employees were believed to be affected.

Rosenlund says KPMG is seeing “more and more” of these hybrid attacks that may impact both first and third parties, “but also are taking two sophisticated threat actors. In this case, one’s a very common ransomware operator and the other one’s a more common initial access broker, or the bad guys that you go to to get access to a company working together to deliver this over and over and over again across industry.”

It all comes back to strong cyber hygiene, or practices to protect personal information and devices from cyber threats.

“Most of the attacks we’re seeing and most attacks we’re talking about — be it ransomware, third-party breaches, even social engineering — can often be defeated with solid cyber fundamentals and cyber hygiene,” Rosenlund says. “Cyber hygiene and cyber fundamentals are the name of the game.”

Industry professionals should look at their supply chain, how much confidence they have in its security outlook, and what they are doing to protect themselves from their own third parties, he advises.

State of the market

Generally speaking, average incident costs for Canadian claims are trending downward, from a high of $2 million in 2022 to $753,000 in 2024, Rosenlund says, citing 2025 statistics from NetDiligence.

“That looks a little low to me,” comments Imran Pira, managing partner and head of complex risk at Jones DesLauriers Insurance Management. “That’s a fluid, real-time stat that we’re updating on a daily basis…It’s a bit of a moving target.”

Rosenlund attributes the declining incident costs to better cyber resilience. “I believe in a lot of cases, it has to do more with the actual ability to respond and then the resilience on the organization’s back-end, so you’re not completely ‘rip and replacing’ everything because of hardware fault or lack of back-ups…”

The cyber market has come a long way over the past few years, from days when a lot of insurers exited cyber portfolios, Pira adds. “We’ve seen more insurers enter the marketplace, taking over vacant books,” he says, adding that global insurers are also opening shop in Canada.

Claims frequency and severity are increasing, but because there’s much more supply than demand, pricing has also bottomed out, Pira says. “It is so inexpensive to buy cyber insurance right now, particularly if you work with a good consultant or good broker to position your risk profile in a positive light.”

And while exclusions “were going haywire in the hard market,” insurers have softened their stance on certain key exclusions, Pira reports. “You will see fewer exclusions in those policies, and then…[that’s] forcing others to take exclusions out.

“So, I’d say most insurance policies are back up to snuff pre-hard market.”


Jason Contant

Jason has been an award-winning journalist with Canadian Underwriter for more than a decade, including the past three years as associate editor and, before that, as digital editor for seven years.