Security for Insurance Brokers: defense against BEC, data leakage and ransomware
Brokers intermediate policies and sensitive data between clients and insurers with lean teams and critical integrations. See how Decripte responds to fraud and structures the security of the business.
Direct answer
To protect an insurance broker, start by treating email and commission communications as a fraud surface: make out-of-band verification mandatory for any change of bank details, monitor 24x7 the integrations with insurers and access to policyholder data, apply phishing-resistant MFA on all access, and maintain an incident response plan with containment within 1h. Decripte combines SOC 24x7, penetration testing of integrations, LGPD compliance and incident response to close the three risk fronts of the sector: BEC fraud on commissions, leakage of policyholder data and ransomware. The practical starting point is a free exposure assessment at decripte.com.br/intelligence-center.
24/7
SOC monitoring access and integrations
<=1h
Containment SLA in incident response
LGPD
Policyholder data is sensitive personal data
MFA
Anti-phishing on all critical access
In summary
- ›The largest direct financial loss in brokers usually comes from BEC (business email compromise fraud) diverting commissions and transfers, not from sophisticated malware.
- ›Policyholder data is personal and frequently sensitive under the LGPD: CPF, policies, claims, health data and assets require a legal basis, minimization and a breach response plan.
- ›The integrations with insurers (portals, APIs, spreadsheet and email exchange) are the least watched and most exploited surface.
- ›Mandatory out-of-band verification for changing bank details neutralizes most commission-diversion scams.
- ›Lean teams need an outsourced SOC 24x7 and incident response with an SLA, because there is no in-house security on-call.
- ›Fast containment (within 1h) and evidence preservation determine whether an incident becomes a recoverable loss or a breach with an ANPD sanction.
Cibersegurança para Insurance Brokers
Brokers intermediate policies and sensitive data between clients and insurers with lean teams and critical integrations. See how Decripte responds to fraud and structures the security of the business.
Why insurance brokers are a target
The insurance broker occupies a structurally attractive position for crime: it sits in the middle of the flow of money and data between the policyholder and the insurer. On one side, it concentrates sensitive personal data of hundreds or thousands of clients - CPF, address, vehicle and property data, claims history and, in life and health insurance, health data. On the other, it moves commissions, transfers and premiums, with recurring and predictable financial flows that a fraudster can map.
Add to this the typical operational profile: a lean team, heavy reliance on email and WhatsApp to close deals, multiple insurer portals with reused passwords, and financial processes that run on trust among a few people. It is the ideal environment for social engineering. The attacker does not need to break encryption; they need to convince a person to change a bank account or click a link.
The five threats that most affect the sector
- ›Leakage of policyholder data (CPF, policies, claims, health data)
- ›Fraud and BEC diverting commissions and transfers
- ›Targeted phishing against partners and the finance team
- ›Compromise of integrations with insurers (portals and APIs)
- ›Ransomware paralyzing the operation and the client portfolio
BEC: the scam that hurts the cash flow most
BEC (Business Email Compromise, or corporate email compromise) is the fraud that generates the most direct financial loss in brokers. The scheme is simple and effective: the attacker observes the real communication between the broker, the insurer and the clients - usually after compromising a mailbox through phishing or a leaked password - and then impersonates one of the parties to redirect a commission or premium payment to an account they control.
The most common variants are: the fake email from a supposed insurer representative requesting an update of bank details for a commission transfer; the email from the partner (with a look-alike domain or a truly compromised mailbox) instructing finance to pay an urgent supplier; and the interception of a real negotiation, in which the fraudster enters the thread at the exact moment the payment method is being discussed.
The technical detail that exposes BEC
Almost every BEC leaves traces: a look-alike domain (corretra.com.br instead of corretora.com.br), email headers with a Reply-To differing from the From, inbox rules created to hide the victim's replies, and logins from anomalous locations or times. A SOC that correlates these signals detects the compromise before the payment goes out.
The decisive defense is not technological, it is procedural: no change of bank details or out-of-pattern payment can be executed based on email alone. There must be out-of-band verification - a phone call to an already-registered number, never the number that came in the email. Decripte deploys this control as policy and also monitors the technical signals that precede the fraud.
Is insurance brokers data already exposed or up for sale? Find out now — for free.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
Policyholder data and the LGPD
The broker is a controller or joint controller in the processing of policyholders' personal data, and much of this data is sensitive under the LGPD - notably health data in life and health insurance. This means concrete obligations: an adequate legal basis for each processing activity, minimization (not keeping what is not needed), technical security proportional to the risk and, in the event of an incident that may create risk to data subjects, notification to the ANPD and to the affected data subjects.
Minimum LGPD compliance for brokers
- ✓Mapping of which policyholder data is processed, where it resides and who accesses it
- ✓Documented legal basis for each purpose (quotation, issuance, claim, marketing)
- ✓Access control by need: not every employee sees the entire portfolio
- ✓Encryption of data at rest and in transit, including in the spreadsheets exchanged
- ✓Incident response plan with a defined ANPD notification flow
- ✓Data protection contracts and clauses with insurers and partners
Leakage of policyholder data is not just a fine: it is a loss of trust in the broker's most valuable asset, which is the relationship with the client. A leaked portfolio database becomes fuel for fake-claim and fake-reimbursement scams against the policyholders themselves, which comes back as complaints and reputational damage to the broker.
The integrations with insurers: the blind spot
Every broker operates dozens of integrations: quotation and issuance portals of each insurer, multi-calculators, proposal APIs, and the old exchange of spreadsheets and PDFs by email. This mesh is the least watched attack surface in the sector, because it was built for operational convenience, not by security design.
Typical integration risks
- ›Insurer portal passwords reused and shared across the team
- ›API credentials stored in plaintext in spreadsheets or in the code of a quotation bot
- ›No MFA on external portals, opening the way to account takeover
- ›Policyholder data traveling over email and WhatsApp without encryption
- ›Quotation bots and RPAs running with excessive privileges and without monitoring
Decripte's penetration testing treats these integrations as what they are: bridges of trust between the broker and third parties. We test the portals and APIs from the OWASP perspective, validate how credentials are stored and rotated, and check whether the compromise of a quotation bot would give an attacker access to the entire portfolio. The goal is to discover it before the fraudster.
Ransomware in a lean operation
For a broker, ransomware is not abstract: it is the inability to access the portfolio, the policies up for renewal and the claim data at the exact moment the client needs it. Because the team is lean and the operation depends on few systems, the shutdown is total and immediate. Worse: many modern attacks exfiltrate the data before encrypting, turning ransomware into a leak as well - and into an LGPD problem.
Ransomware's path usually starts in the same place as BEC: a phishing message or a leaked credential that provides the first access. From there the attacker moves laterally until reaching the server that holds the portfolio. Between this first access and mass encryption there is a window - usually of hours - in which attentive monitoring can still contain the attack before the damage.
What reduces the impact of ransomware
Offline and tested backups (having a backup is not enough, you must be able to restore), segmentation that prevents ransomware from jumping from the broker's desktop to the portfolio server, MFA on remote access and VPN, and 24x7 detection that catches lateral movement before mass encryption. The window between the first access and encryption usually gives time to contain - if someone is watching.
What would an incident in insurance brokers cost? See your real risk before it happens.
Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.
How Decripte closes the three fronts
Continuous detection and monitoring
Decripte's SOC 24x7 monitors the signals that precede fraud and intrusion: anomalous logins in mailboxes and portals, creation of redirection rules, off-hours access to the client base and exfiltration behavior. In an operation without IT on-call, this outsourced vigilance is what turns a silent incident into an actionable alert.
Offensive validation of integrations
The penetration test maps and tests portals, APIs and quotation bots, identifies exposed credentials and account takeover paths, and prioritizes fixes by real business risk - starting with what protects the portfolio and the commission flow.
Expected practical outcome
Brokers that adopt mandatory out-of-band verification, anti-phishing MFA and email monitoring eliminate the most costly vector in the sector - commission diversion via BEC - and gain the ability to prove LGPD compliance to more demanding insurers and clients.
Anatomy of a BEC scam diverting commissions (anonymized real example)
Real, de-identified example
This is an anonymized real example, without identifying the client, built from recurring patterns in the sector. A mid-sized broker, with 14 employees and a portfolio of about 3,000 policyholders, receives monthly commission transfers from several insurers. Finance is run by two people and communication with the insurers' representatives happens almost entirely by email. Three weeks ago, the mailbox of one of the partners was compromised by a phishing message imitating an insurer's portal, and the attacker had been silently observing the conversations, with an inbox rule automatically archiving certain replies.
Detection
Decripte's SOC generates an anomalous-behavior alert: the partner's mailbox logged in from an unusual ASN in the early hours and a new redirection rule was created to move messages containing the words commission and bank details. On the same day, finance receives an email, apparently from the partner herself, asking to update the transfer account of an insurer before a payment scheduled for 48h.
Containment
Within the SLA of up to 1h, Decripte forces the termination of the compromised mailbox's active sessions, resets the credentials with anti-phishing MFA, removes the malicious inbox rule and freezes any pending change of bank details. The payment due in 48h is suspended before any transfer.
Eradication
The investigation identifies the initial phishing, isolates the look-alike domain used in the fraudulent messages, reviews all email rules of the other mailboxes in search of hidden redirections and confirms that no other account was compromised. The credentials exposed in insurer portals are rotated.
Out-of-band verification
Decripte contacts the insurer representative's real number by phone, using a previously registered number, and confirms that the alleged account-change request never existed - it was entirely forged. The payment process is redone with the legitimate details.
Recovery
The operation returns to normal with the mailbox cleaned and the commissions transferred to the correct accounts. No amount was diverted because the fraud was intercepted before payment.
Anti-fraud structuring
Decripte deploys as policy the mandatory out-of-band verification for any change of bank details, anti-phishing MFA on all access, continuous monitoring of email rules and targeted training of finance against social engineering.
Lessons learned
The incident showed that the vector was not technically sophisticated, but procedural: a convincing email was enough. The cheapest and most effective fix was to turn the implicit trust of email into mandatory verification through an independent channel.
Outcome with Decripte
No commission was diverted: the fraud was detected by the SOC and contained within the 1h SLA, before payment. More importantly, the broker came out of the incident with a structured anti-fraud control - out-of-band verification, anti-phishing MFA and continuous email monitoring - that turns the BEC vector from a recurring risk into a threat neutralized by process.
Don’t wait for the incident. Start hardening insurance brokers today.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
How Decripte responds to an incident in brokers
When a broker calls on Decripte in the face of suspected fraud, leakage or ransomware, the response follows a flow designed for the sector, prioritizing halting the financial loss and preserving evidence.
- Triage and immediate activation: we classify the incident (BEC, email compromise, leakage, ransomware) and mobilize the response team with a containment target of up to 1h.
- Containment: we terminate active sessions, reset compromised credentials with MFA, remove malicious email rules and freeze payments and changes of bank details in progress.
- Evidence preservation: we collect email logs, headers, access records and artifacts before any cleanup, to support the investigation and any ANPD notification.
- Eradication: we identify the initial vector (phishing, leaked password, compromised integration), isolate look-alike domains and compromised bots and rotate credentials exposed in insurer portals.
- Out-of-band verification: we confirm through an independent channel (an already-registered phone) any suspicious financial request before releasing payments.
- Recovery: we restore the operation from tested backups when necessary and validate that the portfolio and the integrations came back intact.
- Notification and compliance: we assess the duty to notify the ANPD and the data subjects when there is risk to policyholder data, and we support the documentation required by the LGPD.
- Post-incident structuring: we deploy the controls that prevent recurrence (out-of-band verification, anti-phishing MFA, email monitoring) and start continuous monitoring via the SOC.
How Decripte structures the broker's security
Responding to incidents is necessary, but the goal is that they do not come back. Decripte structures the broker's security on pillars designed for a lean operation that needs effectiveness without inflating the team.
Communications anti-fraud
Policy of mandatory out-of-band verification for changes of bank details and atypical payments, email domain authentication (SPF, DKIM and DMARC), anti-phishing MFA and training of finance against social engineering - the pillar that neutralizes BEC.
Protection of policyholder data
Mapping of the personal and sensitive data processed, access control by need, encryption at rest and in transit and LGPD compliance, including a breach response plan and an ANPD notification flow.
Security of integrations
Inventory and hardening of insurer portals and APIs, credential and secret management, MFA on external access and offensive validation via penetration testing of quotation bots and data exchange points.
Operational resilience
Offline and tested backups, network segmentation to contain lateral movement, hardening of remote access and a continuity plan that keeps the portfolio accessible even under a ransomware attack.
Continuous 24x7 monitoring
SOC watching email, portals and the client base full time, correlating signals of fraud and intrusion and triggering incident response with a containment SLA - the vigilance that the lean in-house team cannot maintain alone.
Recommended plans for Insurance Brokers
SOC 24x7
Brokers have a lean team and no security on-call; the SOC monitors email, insurer portals and access to the portfolio all the time, catching anomalous logins and malicious rules that precede BEC.
See plan →Incident Response
When a commission fraud or a ransomware attack is underway, containment within 1h is what separates a loss avoided from money diverted and from a breach reportable to the ANPD.
See plan →Pentest
The integrations with insurers, portals and quotation bots are the sector's blind spot; the penetration test uncovers exposed credentials and account takeover paths before the fraudster.
See plan →Compliance
Policyholder data is personal and often sensitive under the LGPD; structuring a legal basis, access control and breach response protects against an ANPD sanction and meets the requirements of partner insurers.
See plan →Frequently asked questions
What is BEC and why does it affect brokers so much?
BEC (Business Email Compromise) is the fraud in which the attacker impersonates a trusted party - a partner, an insurer representative or a client - usually after compromising a mailbox, to redirect payments. It affects brokers because the sector moves recurring commissions and transfers by email, with financial processes based on trust. The decisive defense is to require out-of-band verification for any change of bank details.
Is policyholder data subject to the LGPD?
Yes. CPF, address, policies, claims history and, in life and health, health data are personal data, with health data classified as sensitive by the LGPD. This requires a legal basis, minimization, proportional security and an incident response plan with notification to the ANPD and to data subjects when there is relevant risk.
My broker is small. Am I still a target?
Yes, and precisely for that reason. Smaller brokers usually have fewer controls, a lean team and informal financial processes, which makes them a preferred target for social engineering fraud. The attacker does not seek the biggest, they seek the easiest to deceive that moves money in a predictable way.
How do I protect the integrations with insurers?
Start with MFA on all portals, an end to password sharing, secure storage of API credentials and encryption of the data exchanged. Next, a penetration test validates whether these bridges withstand a real attack and whether a compromised quotation bot would give access to the entire portfolio.
Is ransomware also an LGPD problem?
Frequently yes. Modern attacks exfiltrate data before encrypting, so beyond the operational shutdown there is leakage of policyholder data, which triggers the LGPD's notification obligations. That is why the response must handle containment and the duty to notify at the same time.
What is out-of-band verification and why is it so important?
It is confirming a sensitive request - such as a change of bank account - through a channel independent from the one that originated the request, for example by calling an already-registered number instead of replying to the email. Because BEC lives on convincing emails, validating through another channel neutralizes most commission-diversion scams.
How long does it take to contain an incident?
Decripte works with a containment SLA of up to 1h in incident response. In commission fraud, this time is what usually allows suspending the payment before the transfer goes out; in ransomware, it is the window to contain lateral movement before mass encryption.
Where do I start if I don't have anything structured yet?
With the free exposure assessment at decripte.com.br/intelligence-center, which reveals visible risks on your surface. Based on the result, service contracting is done at decripte.io/start, and questions can be handled at decripte.io/contato.
Sector terms
- BEC (Business Email Compromise)
- Fraud in which the attacker impersonates a trusted party, usually after compromising an email, to redirect payments such as commissions and transfers to an account they control. It is the vector of greatest direct financial loss in brokers.
- Out-of-band verification
- Confirmation of a sensitive request through a channel independent from the one that originated it - for example, calling a previously registered number to validate a change of bank details requested by email. A central control against BEC.
- SOC 24x7
- Security Operations Center that continuously monitors email, portals, integrations and access, correlating signals of fraud and intrusion and triggering incident response. It replaces the security on-call that the broker's lean team does not have.
- Sensitive personal data
- LGPD category that includes health data, biometrics and others of greater risk to data subjects. In life and health insurance, the broker processes policyholders' health data, which raises the level of protection required.
- Account takeover
- Taking control of a legitimate account (mailbox, insurer portal) through theft or guessing of credentials. In brokers, it is the typical entry point for BEC and for improper access to the client portfolio.
- Lateral movement
- Stage in which an attacker, already inside the network, moves from one machine to another seeking to reach critical systems such as the portfolio server. Detecting it early is what allows containing a ransomware attack before mass encryption.
Decripte protects and responds to incidents in insurance brokers.
Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.
