A phishing email hit Insurance Office of America in June 2025. Five days of unauthorized access. 12,913 people exposed. Social Security numbers, personal files, internal documents, all scraped from inboxes and shared drives by a cybercriminal group called DAIXIN Team.
IOA is one of the largest privately held brokerages in the United States. And the breach started with one email.
They are not alone. A SecurityScorecard analysis of the 150 largest insurance companies found that 59% of breaches involved third-party attack vectors. That rate is more than double the cross-industry average of 29%. No other sector scored higher. Within insurance, brokers and agencies sit at the bottom of the cybersecurity rankings, scoring 83 out of 100, six points below carriers.
So why are brokers the weakest link?
The inbox is the problem. Not the people.
Insurance brokers handle some of the most sensitive data in financial services. Policy applications with detailed personal and corporate information. Health records. Claims documentation. Tax filings. Power of attorney forms. Signed declarations.
And most of this material moves through email.
An account manager requests a medical certificate from a client. The client emails it back as a PDF attachment, unencrypted. It sits in an inbox, gets forwarded to an underwriter, maybe CC'd to a colleague for review. That file now lives in four or five places, none of them designed for sensitive document handling.
IBM's 2025 Cost of a Data Breach Report confirms the pattern. Phishing is now the most common initial attack vector across all industries, responsible for 16% of breaches, at an average cost of $4.8 million per incident. Generative AI has reduced the time to craft a convincing phishing email from 16 hours to roughly 5 minutes. The volume and quality of attacks are growing faster than any training program can keep up with.
For insurance brokers specifically, the risk multiplies. Every email thread with a client, a carrier, or a third-party administrator is a potential entry point. And once an attacker gains access to a single inbox, they see everything: client names, policy details, renewal dates, coverage amounts, financial documents. Marc Schein, co-chair of the Cyber Risk Practice at Marsh McLennan Agency, has pointed out that insurance applications alone contain enough data to make attackers very effective at what they do next.
DORA just made this personal
For European insurance brokers, the regulatory pressure has sharpened. The EU's Digital Operational Resilience Act (DORA) took effect in January 2025. It applies to insurance companies, reinsurers, brokers, and their ICT service providers.
DORA requires financial entities to prove they can withstand, respond to, and recover from ICT disruptions. That means documented risk frameworks, incident reporting within strict timelines, and formal oversight of every third-party technology provider in the chain. Non-compliance can result in penalties up to 2% of annual global turnover.
The regulation specifically targets how data moves between parties. If a broker shares sensitive documents via unencrypted email, through a personal cloud drive, or using a file-sharing tool without audit trails, that workflow now creates regulatory exposure. DORA demands traceability, accountability, and evidence. An inbox provides none of these.
The real cost is not the fine. It is the trust.
When Aflac was breached in June 2025 through social engineering (attackers impersonated trusted contacts to gain network access), the fallout went beyond the 22.65 million individuals whose data was compromised. More than 20 lawsuits followed. Federal investigations were opened. The Scattered Spider group behind the attack also hit Erie Insurance and Philadelphia Insurance Companies in the same period, causing weeks of system outages.
For brokers, whose entire business model rests on client trust, a breach does not just cost money. It costs relationships. If your client's medical records or financial documents leak because they were sitting in an email thread, the technical explanation ("we were hacked") does not repair the damage. The client trusted you with that file. Where you stored it and how you managed it was your responsibility.
SecurityScorecard's research found that 56% of insurance companies had at least one compromised credential in the past two years. For agencies and brokers, that number likely understates the risk, because smaller firms have fewer resources to detect and report incidents.
What actually needs to change
The pattern behind most of these breaches is remarkably consistent: sensitive documents move through unstructured channels (email, personal drives, consumer-grade file sharing), with no visibility into who accessed what, when, or whether the handoff was completed.
The fix is structural, not behavioral. You can train people on phishing awareness for years, yet the IBM report found that organizations still take an average of 254 days to detect and contain a phishing-originated breach. Training helps, but it does not close the gap.
What closes the gap is removing sensitive documents from email entirely. When a client needs to send you a tax return, a medical report, or a signed declaration, that exchange should happen in a structured environment where the document request is clear, the deadline is visible, the upload is secure, and the status is trackable. No attachments floating through inboxes. No forwarded threads with sensitive files buried three replies deep.
This is the kind of structured collaboration infrastructure that platforms like Alkmist are built for. Document requests, approvals, and sign-offs live in one shared workspace. Every action is logged. Every file has a clear owner and a clear destination. Clients see exactly what is pending. Brokers see who owes what by when. Nothing moves through email.
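To make the contrast with an inbox concrete, here is an added example of what "every action is logged, every file has a clear owner, and both sides can see what is pending" looks like in code. It is illustrative code written for this article, not Alkmist's software; the names Workspace, DocumentRequest state names and AuditLog are hypothetical, and the sample request and file bytes are constructed. The audit log is hash-chained so that a later edit or deletion of an entry is detectable, which is the kind of evidence DORA-style traceability requirements ask for.

```python
"""Structured document-request workflow with a tamper-evident audit trail.

Added illustrative example for this article; not Alkmist's code. All names
(Workspace, AuditLog, state names) are hypothetical.
"""
import hashlib
import json
from datetime import datetime, timezone

# Allowed state transitions: a file can only be reviewed after it was
# uploaded, a reviewer may bounce it back, and a request closes after review.
TRANSITIONS = {
    "requested": {"uploaded"},
    "uploaded": {"reviewed", "requested"},
    "reviewed": {"closed"},
    "closed": set(),
}


class AuditLog:
    """Append-only log; each entry commits to the previous entry's SHA-256,
    so editing or removing an entry later breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, request_id, detail, now=None):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "request": request_id,
                "detail": detail, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    @staticmethod
    def _digest(body):
        canonical = json.dumps({k: v for k, v in body.items() if k != "hash"},
                               sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

    def verify(self):
        """Recompute the chain; False if any entry was altered or dropped."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Workspace:
    """Tracks who owes which document by when and logs every touch."""

    def __init__(self):
        self.requests = {}
        self.log = AuditLog()

    def request_document(self, request_id, broker, client, doc_type, due):
        self.requests[request_id] = {"owner": client, "requester": broker,
                                     "doc_type": doc_type, "due": due,
                                     "state": "requested", "sha256": None}
        self.log.append(broker, "request", request_id, f"{doc_type} due {due}")

    def _transition(self, request_id, actor, new_state, detail):
        req = self.requests[request_id]
        if new_state not in TRANSITIONS[req["state"]]:
            raise ValueError(f"cannot go from {req['state']} to {new_state}")
        req["state"] = new_state
        self.log.append(actor, new_state, request_id, detail)

    def upload(self, request_id, actor, content: bytes):
        # Only the named owner may satisfy the request; the file hash is
        # recorded so the reviewed bytes can be tied to the log entry.
        req = self.requests[request_id]
        if actor != req["owner"]:
            raise PermissionError(f"{actor} is not the owner of {request_id}")
        req["sha256"] = hashlib.sha256(content).hexdigest()
        self._transition(request_id, actor, "uploaded", f"sha256={req['sha256']}")

    def review(self, request_id, actor, accepted=True):
        self._transition(request_id, actor,
                         "reviewed" if accepted else "requested",
                         "accepted" if accepted else "rejected, resend")

    def close(self, request_id, actor):
        self._transition(request_id, actor, "closed", "handoff complete")

    def pending(self):
        """The shared view: which client still owes what, and by when."""
        return {rid: (r["owner"], r["doc_type"], r["due"])
                for rid, r in self.requests.items() if r["state"] == "requested"}

    def access_history(self, request_id):
        """Who touched a request, in order, with timestamps."""
        return [(e["ts"], e["actor"], e["action"])
                for e in self.log.entries if e["request"] == request_id]


def demo():
    """Constructed walk-through: request, upload, review, close."""
    ws = Workspace()
    ws.request_document("REQ-1", "broker@example.test", "client@example.test",
                        "medical certificate", "2025-07-01")
    ws.upload("REQ-1", "client@example.test", b"constructed sample PDF bytes")
    ws.review("REQ-1", "underwriter@example.test")
    ws.close("REQ-1", "broker@example.test")
    return ws


if __name__ == "__main__":
    ws = demo()
    for entry in ws.access_history("REQ-1"):
        print(entry)
    print("audit chain intact:", ws.log.verify())
```

The point of the example is the two things an email thread cannot give you: `pending()` answers "who owes what by when" for both sides at once, and `access_history()` plus `verify()` answer "who touched this file, and can I prove the record was not altered". Rejecting an upload from anyone but the named owner is the minimal form of the "clear owner" property.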
The window is closing
Between DORA enforcement in Europe, tightening state-level data privacy laws in the US, and a cybercriminal ecosystem that is specifically targeting insurance (the Scattered Spider campaign was not random; it was a coordinated effort aimed at the industry), the operational risk of running document collaboration through email has never been higher.
The SecurityScorecard report put it directly: the insurance industry's reliance on technology has outpaced its ability to secure it. And brokers sit at the most exposed point in the chain.
The brokers who act on this will not just reduce their breach risk. They will be the ones clients trust with the most sensitive files, because those clients can see exactly where their documents are and who has touched them.
The ones who wait will keep reading about breaches that sound exactly like their current workflow.
What can we do for you?
Alkmist builds structured collaboration infrastructure for professional services firms, including insurance brokers. If you want to take client document exchange out of email and into a secure, traceable environment, see how it works for insurance brokers.