May 2026: Insurance Carrier Cybersecurity Requirements Get Serious

The CyberFin Substack, Apr 28, 2026

Key Takeaways

  • Carriers will mandate email threat protection starting May 2026
  • Encrypted, authenticated email becomes a compliance condition, not a recommendation
  • Agencies must produce a written security program (WISP) on demand
  • Business email compromise remains the costliest cyber threat for insurers
  • Free assessments let agencies identify gaps before incidents hit

Pulse Analysis

The insurance sector's digital transformation has concentrated sensitive client data in cloud-based workflows, making agencies a lucrative target for cybercriminals. Over the past decade phishing, credential theft, and business email compromise (BEC) have surged, and BEC now accounts for the largest financial losses in the industry. Insurers, who bear the downstream cost of these breaches, have spent that time documenting the same recurring gaps (unprotected email, weak authentication, no written security policy) before deciding to formalize requirements.

Starting in May 2026, carriers will shift email security from a recommendation to a contractual condition. Required controls include real-time threat detection that blocks phishing attempts, end-to-end encryption for health and financial communications, and the domain authentication protocols SPF, DKIM, and DMARC. SPF and DKIM let a receiving server verify that a message came from a host, or carries a signature from a key, that the domain owner published in DNS; DMARC ties those checks to the visible From: address and instructs receivers to quarantine or reject mail that fails. Together they stop attackers from sending mail that claims to be from the agency's own domain (they do not stop lookalike domains, which the threat-detection layer has to catch). In addition, agencies must maintain a written information security program (WISP) that can be produced during carrier audits. These measures align with broader regulatory trends and with the NIST and ISO security frameworks, and aim to reduce the frequency and severity of the BEC incidents insurers currently pay for.
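The domain authentication controls named above are the one part of the mandate an agency can verify for itself before an audit. The following Python is an added example, not code from this page or from CyberFin: it grades SPF and DMARC TXT records on the weaknesses an auditor would flag (no record, a permissive `+all` or `?all` terminal, more than the 10 DNS lookups SPF allows, DMARC `p=none`, a partial `pct`, subdomains left at `sp=none`, no aggregate reporting address). The domain names and records are constructed for the demonstration; a real check would first fetch the TXT records for the domain and for `_dmarc.<domain>`. DKIM is not graded because its selectors are not discoverable from the domain name alone.

```python
"""Grade SPF and DMARC TXT records against the spoofing-prevention bar a
carrier audit would apply.  Added example on constructed records; no DNS
queries are made."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    code: str      # stable identifier for the weakness
    message: str


# Constructed TXT records for hypothetical agency domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak-agency.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-agency.example"},
    "partial-agency.example": {  # over the lookup limit, softfail, monitoring-grade DMARC
        "spf": "v=spf1 a mx " + " ".join(f"include:s{i}.example" for i in range(9)) + " ~all",
        "dmarc": "v=DMARC1; p=quarantine; pct=25; sp=none"},
    "hardened-agency.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@hardened-agency.example"},
    "no-records.example": {},
}


def evaluate_spf(record):
    """Return findings for one SPF record (None means no record is published)."""
    if record is None:
        return [Finding("high", "spf-missing", "no SPF record published")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "spf-invalid", "record does not start with v=spf1")]
    findings, lookups, terminal, redirected = [], 0, None, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default qualifier
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            terminal = qualifier
        elif mech.startswith("redirect="):
            lookups, redirected = lookups + 1, True   # redirect delegates the whole policy
        elif (mech.startswith(("include:", "exists:", "ptr")) or mech in ("a", "mx")
              or mech.startswith(("a:", "a/", "mx:", "mx/"))):
            lookups += 1   # each costs one of the 10 DNS lookups RFC 7208 permits
    if lookups > 10:
        findings.append(Finding("high", "spf-lookup-limit",
                                f"{lookups} DNS lookups exceed 10; receivers return permerror"))
    if terminal == "+":
        findings.append(Finding("high", "spf-plus-all", "+all authorizes every host on the internet"))
    elif terminal == "?":
        findings.append(Finding("high", "spf-neutral-all", "?all is neutral; no sender is rejected"))
    elif terminal == "~":
        findings.append(Finding("low", "spf-softfail-all", "~all softfails; enforcement relies on DMARC"))
    elif terminal is None and not redirected:
        findings.append(Finding("medium", "spf-no-all", "no terminal all mechanism; default is neutral"))
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return findings for one DMARC record (None means no record is published)."""
    if record is None:
        return [Finding("high", "dmarc-missing", "no DMARC record at _dmarc.<domain>")]
    if not record.strip().lower().startswith("v=dmarc1"):
        return [Finding("high", "dmarc-invalid", "record must begin with v=DMARC1")]
    tags, findings = parse_dmarc(record), []
    policy = tags.get("p", "none").lower()          # a missing p tag is as weak as p=none
    if policy == "none":
        findings.append(Finding("high", "dmarc-p-none",
                                "p missing or p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "dmarc-p-quarantine", "spoofed mail goes to spam, not rejected"))
    elif policy != "reject":
        findings.append(Finding("high", "dmarc-p-unknown", f"unrecognised policy p={policy}"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(Finding("medium", "dmarc-pct-partial", f"pct={pct}: policy applied to only part of failing mail"))
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append(Finding("medium", "dmarc-sp-none", "sp=none leaves subdomains spoofable"))
    if "rua" not in tags:
        findings.append(Finding("low", "dmarc-no-rua", "no rua= address: no aggregate reports on who sends as this domain"))
    return findings


def assess_domain(records):
    """Combine SPF and DMARC findings; an empty list means both controls pass."""
    return evaluate_spf(records.get("spf")) + evaluate_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        findings = assess_domain(records)
        print(f"{domain}: {'PASS' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  [{f.severity:6}] {f.code}: {f.message}")
```

Only the hardened sample comes back clean. The weak sample shows the most common real-world shape, an SPF record that ends in `?all` and a DMARC record still at `p=none`: both are present in DNS, so a checkbox audit would pass them, yet neither causes a receiver to reject a forged message. The lookup-limit check matters because an agency that keeps adding `include:` entries for marketing and SaaS vendors silently breaks SPF for every message once it passes ten lookups.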

For agencies, the new mandate translates into immediate operational priorities. A comprehensive security assessment (CyberFin offers one at no cost) identifies deficiencies before carriers begin enforcing compliance. Investing in managed email security, updating encryption tools, and documenting policies not only satisfies carrier demands but also strengthens overall risk posture and may lower premiums. As carriers lock in these requirements, agencies that act early will preserve market access and demonstrate resilience in an increasingly hostile cyber landscape.
