A host of challenges face insurance and financial institutions, especially the rapid escalation of cyber-breaches, including the recent Aflac incident. In this case, there are charges that Aflac failed to safeguard the personal information and protected health information of its customers during a recent data breach.
On June 12, 2025, Aflac became aware of suspicious activity on its U.S. network. Upon detection, the company launched an investigation with the assistance of third-party cyber security experts to determine the nature and scope of the incident. The investigation has determined that an unauthorized third party gained access to sensitive systems using social engineering tactics.
These files allegedly included claims information, health information, social security numbers, and/or other personal information related to customers, beneficiaries, employees, agents, and others involved in Aflac’s U.S. business.
Looking at this subject for Digital Journal is Yakir Golan, CEO and co-founder of Kovrr. He brings insights from behind-the-scenes strategizing and preparation with numerous financial entities and insurance industry leaders, who calculate and predict based on projected risk mitigation and response strategies for such cyberattacks.
Golan expresses the view that with three insurance companies, including Aflac, reporting cyber incidents within the same month, the risk of systemic disruption across the sector is becoming harder to ignore. Whether or not these three events were coordinated, they highlight a key oversight that insurers tend to make: long attuned to modelling systemic risk across portfolios, insurance institutions tend to overlook the same vulnerabilities within their own organizations.
The recent string of incidents underscores why this must be rectified. Yakir’s long history of work with insurers has shown that cyber risk quantification (CRQ) models (see resource) can be leveraged for this purpose: they quantify the potential losses associated with key vendor failures or technology stack vulnerabilities, then translate that exposure into monetary terms that boards and executives can act on.
Here Golan states: “With regulatory scrutiny increasing (both Aflac and Erie have been compelled to file Forms 8-K with the US SEC under the 2023 cybersecurity regulations) and public trust on the line, insurers must start applying the same rigor to their internal cyber posture assessments as they do to underwriting systemic client risk. Systemic cyber threats are not merely portfolio risks; they’re operational realities.”
On the risks percolating following this series of breaches
With the recent run of data breaches, Golan observes: “Insurance companies have made substantial progress in modelling systemic risk across their portfolios. But recent events show that this risk evaluation lens must be turned inward. As cyber threats continue to become more interconnected, the ability to quantify one’s internal exposure, especially in relation to third-party service provider technologies, has become essential for ensuring that material losses are avoided.”
In terms of reaching new standards to address this, Golan says: “Our long-standing partnerships with global insurers have made it clear that leveraging on-demand cyber risk quantification helps both to mitigate the potential impact of these threats and adhere to compliance standards that require institutions to demonstrate proactive risk management.”
