Security for Insurers and Insurtechs

Policyholder databases concentrate personal, medical and financial data — exactly the kind of asset that drives claims fraud, data leakage and ransomware extortion. See how Decripte contains incidents and structures security for the sector, from the quotation portal to the claims data lake.

Direct answer

To protect an insurer or insurtech, Decripte combines continuous monitoring (24x7 SOC), Incident Response with a containment SLA of up to 1 hour, Vulnerability Management focused on quotation portals and partner integrations, and Compliance structuring aligned with LGPD, ISO 27001 and the ANPD's privacy best practices. In practice this means classifying and encrypting policyholder databases (personal, medical and financial data used in claims), instrumenting exfiltration detection across those repositories, hardening the external quotation surface against abuse and injection, and having a runbook for notifying the ANPD and data subjects ready before the incident happens. The no-cost starting point is the free Threat Management diagnosis at decripte.com.br/intelligence-center; full contracting is done at decripte.io/start.

24/7

SOC monitoring threats

<=1h

Containment SLA in Incident Response

LGPD

Health data treated as sensitive

ISO 27001

Security management framework

In summary

  • The most exploited surface of an insurer is not the policy core — it is the internet-facing quotation portal, which queries policyholder databases in real time and typically has weak access control and rate limiting.
  • Health data used in claims is sensitive personal data under the LGPD (art. 5, II), which raises the duty of protection, restricts legal bases and makes a leak more serious before the ANPD.
  • Modern ransomware is double-extortion: the attacker exfiltrates the database before encrypting it, so backup alone is not enough — you need to detect the exfiltration and have an LGPD notification plan ready.
  • Decripte acts on both fronts: immediate containment (24x7 SOC + IR with an SLA of <=1h) and preventive structuring (data classification, encryption, exfiltration monitoring, hardening of partner integrations).
  • Notifying the ANPD and data subjects requires a rehearsed runbook: deadline, content, evidence and legal language defined before the incident, not improvised under pressure.
Seguros

Cibersegurança para Insurers and Insurtechs

Policyholder databases concentrate personal, medical and financial data — exactly the kind of asset that drives claims fraud, data leakage and ransomware extortion. See how Decripte contains incidents and structures security for the sector, from the quotation portal to the claims data lake.

Why insurers and insurtechs are a priority target

An insurer is, in essence, a data operation. To price risk, settle claims and prevent fraud, the company accumulates one of the most sensitive sets of information in the market: CPF, address, income, credit history, medical reports and records, exams, partial charts, vehicle and property data, geolocation, beneficiaries, life insurance policies and behavioral profiles. Insurtechs amplify this accumulation by operating 100% digitally, with instant onboarding, self-service quotation and open integrations with brokers, reinsurers, clinics, repair shops and credit bureaus. Each of these connections is a door — and, from an attacker's point of view, a set of doors with very uneven degrees of control.

The underground market value of this database is high precisely because it feeds multiple crimes at once. A life or health insurance policyholder record enables claims fraud, social engineering against the victim, credit fraud in third parties' names and blackmail with medical information. Unlike a card number, which can be canceled, a medical diagnosis or a claims history cannot be 'reissued'. This makes insurer data a durable asset for crime, and the insurer a recurring target.

Health data changes the weight of the incident

Under the LGPD, health-related data is sensitive personal data (art. 5, II). Leaking it is not just an IT incident: it is the exposure of a specially protected category, with restricted legal bases for processing, a reinforced duty of security and a higher likelihood that the incident will be considered one of relevant risk to data subjects — the trigger for notification to the ANPD.

Add to this the regulatory and contractual pressure. Supervised insurers operate under the governance and cybersecurity rules of the sector regulator, reinsurance contracts with confidentiality clauses, and requirements from partners that process payments (when a card is involved, PCI DSS applies). A leak, therefore, does not only harm the policyholder's trust: it triggers regulatory, contractual and reputational obligations simultaneously. It is a sector where the cost of not having a structured response is disproportionate.

The sector's threat map

The five fronts Decripte prioritizes

We do not treat 'threats' as a generic list. For insurers and insurtechs, Decripte concentrates effort where impact and probability are highest, and where the sector's typical architecture creates structural fragility. Each front below has specific detection, containment and hardening.

Prioritized vectors

  • Leakage of sensitive policyholder data — exfiltration of databases with medical, financial and claims data, often via exposed portals or compromised partner credentials.
  • Claims fraud — manipulation of settlement flows, accounts and documents to receive undue indemnities, often from insider access or an abused integration.
  • Double-extortion ransomware — encryption of the environment combined with prior exfiltration of the database, turning the incident into disclosure blackmail on top of unavailability.
  • Compromise of quotation portals — abuse of public simulation endpoints to enumerate policyholders, scrape data, inject payloads and discover pricing logic.
  • Attacks on partner integrations — exploitation of APIs, webhooks and tokens shared with brokers, clinics, repair shops and bureaus, where the weakest link becomes the entry point.

The thread connecting these vectors is the integration and quotation surface. The policy core is usually relatively protected in the back office; what is exposed to the internet — and what changes every week with new partnerships — are the portals and the APIs. That is exactly where we concentrate Vulnerability Management and monitoring.

Why quotation is the blind spot

A quotation portal must, by design, query the policyholder database and risk models in real time to return a price. This means a public endpoint is connected to sensitive data. When rate limiting, per-object authorization checks and response masking are missing, the same resource that quotes a legitimate customer lets an attacker enumerate records and infer data — without ever 'breaking in' in the classic sense.

Gestão de Ameaças · Grátis

Is insurers and insurtechs data already exposed or up for sale? Find out now — for free.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

The anatomy of a leak via the quotation portal

To make concrete how these incidents happen, we describe below the typical mechanics of a policyholder database leak originating in a quotation portal. This section is technical and precedes the anonymized case study further down; the goal here is to explain the 'how', so that Decripte's preventive structure makes sense.

Phase 1 — Reconnaissance and abuse of a legitimate function

The attacker does not start by breaking anything. They use the portal as an ordinary user: requesting quotes. Observing the behavior, they identify that the simulation endpoint accepts an identifier (CPF, policy number, proposal ID) and, depending on the implementation, returns partially filled data of already-registered policyholders — name, coverage, values, sometimes declared health conditions. This is the flaw known as Insecure Direct Object Reference (IDOR), in the Broken Object Level Authorization family of the OWASP API Security Top 10. The server responds because the request is technically valid; all that is missing is the check that this requester may see that object.

Phase 2 — Enumeration and scraping at scale

Once the flaw is confirmed, the attacker automates. Without effective rate limiting and without anomalous-behavior detection, scripts iterate over ranges of identifiers and extract records in volume. Because each request looks like a legitimate quote, the traffic blends into the normal. This is where most insurers lose time: the leak is already underway and nothing on the operational dashboard lights up, because the system is 'working as designed'.

The silent leak is the rule, not the exception

In exfiltration incidents through API abuse, the signal is rarely an intrusion alarm. It is a statistical deviation: query volume per source, dispersion of identifiers queried, timing, pagination pattern. Without exfiltration detection instrumentation, this deviation goes unnoticed for weeks — and the first warning usually comes from outside, when the database shows up for sale or a data subject complains.

Phase 3 — Monetization and, sometimes, escalation to extortion

With the database in hand, the path varies: sale on forums, direct use in claims and credit fraud, or — when the attacker has also gained a foothold in the environment — combination with double-extortion ransomware. In the latter, proven exfiltration becomes blackmail leverage: pay or we disclose your policyholders' medical data. It is the worst possible reputational scenario for an insurer, and the reason exfiltration detection is as central as backup.

How Decripte responds to incidents in the sector

When the incident happens, speed and method decide the size of the damage. Decripte's Incident Response operates with a containment SLA of up to 1 hour and follows a flow designed to preserve evidence, stop the bleeding and meet privacy obligations without improvisation. The 24x7 SOC is what ensures the count on that SLA starts early — because someone was watching.

Two timeframes, a single team

Containing is the short timeframe: isolate, revoke, block, preserve. Structuring is the long timeframe: classify data, encrypt, instrument detection, harden integrations. Decripte delivers both continuously, so that every incident responded to leaves the environment harder to attack next time.

The differentiator in insurers lies in three points: containment must protect sensitive data under the LGPD (which changes the notification posture), the investigation must distinguish exfiltration from legitimate operation (because the abuse uses valid functions), and communication must be ready for the ANPD, data subjects, the sector regulator and partners — all under time pressure and reputational exposure.

How Decripte structures security

Responding well is necessary, but the goal is to need to respond less. The preventive structure we build for insurers and insurtechs attacks the root of the described vectors: it protects the database at rest and in transit, gives visibility over who accesses what, closes the quotation and integration surface, and keeps compliance as a living process — not a document on a shelf.

What changes in the environment after structuring

  • Policyholder databases classified by sensitivity, with health and financial data segregated and encrypted.
  • Quotation portals with per-object authorization, rate limiting and response masking fixed.
  • Exfiltration detection instrumented over the sensitive repositories and the quotation APIs.
  • Partner integrations with least-privilege tokens, rotation and monitoring of anomalous use.
  • A rehearsed LGPD/ANPD notification runbook, with deadlines, content and responsibilities defined.
  • Continuous Vulnerability Management prioritizing the external surface and partnership changes.

This structure is built incrementally and prioritized by real risk — we do not require a one-shot overhaul. We generally start with the external surface (quotation and integrations), because that is where the probability of an incident is highest, and move on to database classification and encryption, which is where the greatest impact lies.

Gestão de Ameaças · Grátis

What would an incident in insurers and insurtechs cost? See your real risk before it happens.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Compliance that sustains the business, not that blocks it

For insurers, compliance is not bureaucracy: it is a condition of operating and of contracting. Decripte treats LGPD, ISO 27001, PCI DSS (when a card is involved), SOC 2 and the sector's cybersecurity governance requirements as an integrated system, avoiding the rework of implementing each one in isolation.

The LGPD essentials for the sector

Health data is sensitive (art. 5, II), with its own legal bases (art. 11). An incident that may cause relevant risk or harm to data subjects must be communicated to the ANPD and to the data subjects within a reasonable timeframe (art. 48), in accordance with the Authority's guidance and regulation. Automated decisions — such as pricing and quote refusal — give the data subject the right to review (art. 20). All of this must be reflected in the architecture, not just in the policy.

In practice, we translate regulatory requirements into verifiable technical controls: the retention policy becomes a lifecycle rule in the repository; the duty of security becomes encryption and segregation; the right to review an automated decision becomes an audit trail of the pricing engine; the duty to notify becomes a rehearsed runbook. Compliance that does not become a control is exposure with the appearance of coverage.

PCI DSS applies when there is a card

If the insurer or insurtech processes, stores or transmits card data (premium payment, for example), the environment falls under the scope of PCI DSS. Decripte helps reduce that scope (tokenization, segmentation) and sustain the required controls, without turning it into a parallel project disconnected from overall security.

Vulnerability Management where the sector bleeds most

A digital insurer's surface changes every week: a new broker integration, a new quotation endpoint, a new app version, a new telemedicine partner. One-off Vulnerability Management cannot keep up with that pace. Decripte operates continuously, focused on what is exposed and on what has just changed.

Technical priorities in the sector

What we look at first

  • Quotation and simulation APIs: per-object authorization (BOLA/IDOR), rate limiting, masking and input validation.
  • Partner integrations: token management, minimum scope, rotation, webhook validation and mTLS where applicable.
  • Policyholder-facing portals and apps: authentication, session management, user enumeration and recovery flows.
  • Data exposure in responses: sensitive fields returned beyond what is needed (over-fetching) in screens and APIs.
  • Cloud and storage configuration: buckets, databases and policyholder-database snapshots exposed or poorly permissioned.

The chaining with the rest of the services is what creates value: a vulnerability found becomes a monitoring rule in the SOC, a runbook item in Incident Response and evidence of control in Compliance. It is the same risk data circulating among the four fronts, without silos.

Start with the free diagnosis

The lowest-friction path to understanding your own exposure is Decripte's free Threat Management plan. It gives a real view of risk — including signs of external exposure and of credentials and data that may have leaked — with no commitment, and serves as an objective basis for deciding what to structure first.

Next steps

Free threat diagnosis: decripte.com.br/intelligence-center. Contract SOC, Incident Response, Compliance or Vulnerability Management: decripte.io/start. Talk to the team through the form: decripte.com.br/contato. If you suspect an incident in progress, prioritize Incident Response — containment has an SLA of up to 1 hour.

Insurers and insurtechs do not choose to be targeted; they choose how prepared they are when the attack comes. Decripte exists so that this preparation is continuous, verifiable and proportional to the value of the data you hold.

Anatomy of a policyholder-database leak via a quotation portal (anonymized real-world example)

Real, de-identified example

Anonymized real-world example (client not identified). A life and health insurtech operates a public quotation portal that, to return a price in real time, queries the policyholder database and the risk models. The simulation endpoint accepts identifiers and, due to a per-object authorization flaw (BOLA/IDOR, OWASP API Security Top 10), returns partial data of already-registered policyholders. There is no effective rate limiting nor exfiltration detection over the database. The data includes health information — a sensitive category under the LGPD.

  1. Detection

    Decripte's 24x7 SOC identifies a statistical deviation in the quotation portal: a set of sources queries an anomalous volume of distinct identifiers, with an automated pagination pattern and a dispersion incompatible with legitimate quoting. The alert fires even without any classic 'intrusion' — because the instrumentation observes exfiltration behavior, not just attack signatures. The count on the containment SLA begins.

  2. Containment (SLA <=1h)

    Incident Response triggers containment within 1 hour: it applies blocking and throttling to the abusive sources, activates emergency rate limiting on the endpoint, and introduces an authorization check that prevents returning objects not belonging to the requester. The legitimate quotation operation is preserved. In parallel, evidence is preserved (request logs, payloads, identifiers accessed) to size the leak and support the notification.

  3. Eradication

    The root cause is fixed in the application: the Broken Object Level Authorization flaw is eliminated with a per-object ownership check, and the endpoint's response now masks sensitive fields, returning only what is needed to quote. Tokens and credentials possibly exposed in the flow are rotated. A Vulnerability Management scan verifies whether the same IDOR pattern exists in other endpoints and partner integrations.

  4. Sizing and LGPD notification

    Based on the preserved logs, the team determines the scope: which data subjects and which data categories (including health data) were actually accessed. The privacy runbook is executed — communication to the ANPD and to the affected data subjects, with content, deadline and language defined in advance, avoiding improvisation under pressure. The data protection officer (DPO) receives the evidence package to conduct the relationship with the Authority.

  5. Recovery

    The portal returns to operation with the corrected controls: per-object authorization, rate limiting, masking and exfiltration monitoring now permanent. The SOC continuously watches the database query pattern. Commercial operations resume with the surface that originated the incident closed.

  6. Lessons and structuring

    The incident feeds the preventive structure: classification of the database by sensitivity, encryption and segregation of health data, review of all partner integrations under least privilege, and incorporation of the new detection signals into the SOC. The vulnerability becomes a monitoring rule, a runbook item and compliance-control evidence — closing the loop across the four fronts.

Outcome with Decripte

In this anonymized real-world example, the combination of a 24x7 SOC and Incident Response with containment in up to 1 hour limits the leak to a short window instead of weeks of silent exfiltration. Notification to the ANPD and to data subjects happens in a timely and well-documented manner, reducing regulatory and reputational exposure. More importantly: the environment emerges from the incident stronger — with the database classified and encrypted, the quotation surface hardened, integrations under least privilege and exfiltration detection permanent. It is the outcome Decripte pursues: each incident responded to makes the next one harder.

Resposta a Incidentes · 24/7

Don’t wait for the incident. Start hardening insurers and insurtechs today.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

How Decripte responds to an incident at an insurer or insurtech

Incident Response with a containment SLA of up to 1 hour, backed by the 24x7 SOC that ensures early detection. The flow is designed for the sector: it preserves evidence, distinguishes exfiltration from legitimate operation and meets the LGPD's privacy obligations without improvisation.

  1. Detection and triage in the 24x7 SOC: the alert is validated, classified by severity and correlated with the environment's normal behavior — distinguishing abuse of a legitimate function (such as enumeration via quotation) from a classic attack.
  2. Containment in up to 1 hour: isolation of the affected sources and systems, blocking, throttling and revocation of compromised credentials or tokens, stopping the exfiltration or propagation without bringing down the legitimate operation.
  3. Evidence preservation: forensic collection of logs, payloads and access trails to precisely size which data subjects and data categories (including health) were affected — the mandatory basis for LGPD notification.
  4. Root-cause eradication: fixing the exploited vulnerability (for example, per-object authorization on the quotation endpoint), secret rotation and a scan for occurrences of the same pattern on other surfaces and integrations.
  5. Execution of the notification runbook: communication to the ANPD and to data subjects when there is relevant risk, with content, deadline and responsibilities defined in advance; support to the data protection officer (DPO) and to the relationship with the sector regulator and partners.
  6. Controlled recovery: return of systems with corrected controls and reinforced monitoring, validating that the surface that originated the incident is effectively closed before normalizing.
  7. Lessons learned and hardening: turning the incident into permanent improvements — new detection rules in the SOC, runbook items, vulnerability fixes and compliance evidence.
  8. Post-incident follow-up: review with technical and executive leadership, measurement of response time and a prioritized plan to reduce the likelihood of recurrence.

How Decripte structures security for insurers and insurtechs

The preventive structure attacks the root of the sector's vectors: it protects the database at rest and in transit, gives visibility over accesses, closes the quotation and integration surface, and keeps compliance as a living process. Built incrementally and prioritized by real risk.

Classification and encryption of the policyholder database

Mapping and labeling data by sensitivity (personal, financial and health), with segregation and encryption at rest and in transit. Sensitive data under the LGPD receives reinforced treatment, controlled retention and least-privilege access.

Exfiltration detection and continuous monitoring

Instrumentation over the sensitive repositories and the quotation APIs to identify behavioral deviations — volume, dispersion of identifiers, timing and access pattern — that signal a leak even without a classic intrusion. Operated by the 24x7 SOC.

Hardening of the quotation surface and portals

Fixing per-object authorization (BOLA/IDOR from the OWASP API Security Top 10), rate limiting, response masking, input validation and session management. The resource that quotes the legitimate customer stops serving to enumerate the database.

Security of partner integrations

Least-privilege tokens with rotation, webhook validation, mTLS where applicable and monitoring of anomalous use in connections with brokers, clinics, repair shops, reinsurers and bureaus — closing the weakest link in the chain.

Integrated compliance (LGPD/ISO 27001/PCI DSS)

Translation of regulatory requirements into verifiable technical controls and into a rehearsed ANPD notification runbook. When there is a card, PCI DSS scope reduction through tokenization and segmentation, without a disconnected parallel project.

Continuous Vulnerability Management

Tracking of the surface that changes every week — new integrations, new endpoints, new versions — with prioritization by exposure and recent change, feeding the SOC, Incident Response and Compliance with the same risk data.

Recommended plans for Insurers and Insurtechs

Frequently asked questions

Is medical data used in claims sensitive data under the LGPD?

Yes. The LGPD classifies health-related data as sensitive personal data (art. 5, II), with its own legal bases for processing (art. 11) and a reinforced duty of security. Leaking it tends to constitute an incident of relevant risk to data subjects, which triggers notification to the ANPD and to the data subjects. Decripte treats this data with specific classification, segregation and encryption.

Our quotation portal queries the database in real time. Is that a risk?

It is the most exploited surface in the sector. Because the public endpoint must query the database to return a price, per-object authorization flaws (BOLA/IDOR), the absence of rate limiting and the return of excessive fields allow policyholders to be enumerated and scraped without 'breaking in' at all. Decripte fixes authorization, rate limiting and masking and instruments exfiltration detection over that flow.

How quickly does Decripte contain an incident?

Incident Response operates with a containment SLA of up to 1 hour, backed by the 24x7 SOC that ensures early detection. Containment means isolating, blocking, revoking and preserving evidence to stop the exfiltration or propagation without bringing down the legitimate operation; eradication and notification follow in parallel.

Does backup solve ransomware at our insurer?

It solves the unavailability, but not the extortion. Modern ransomware is double-extortion: the attacker exfiltrates the database before encrypting and threatens to disclose policyholders' medical and financial data. That is why backup must be accompanied by exfiltration detection and an LGPD notification runbook — exactly what we structure.

When does PCI DSS apply to an insurtech?

When it processes, stores or transmits card data — for example, in premium payment. In that case the environment falls under the scope of PCI DSS. Decripte helps reduce that scope through tokenization and segmentation and sustain the required controls, integrated into overall security instead of a separate project.

How does Decripte help with notifying the ANPD if there is a leak?

We prepare and rehearse a notification runbook before the incident: deadlines, content, evidence and responsibilities defined. During the incident, forensic preservation allows precise sizing of which data subjects and data categories were affected, and we support the data protection officer (DPO) for communication to the ANPD and to data subjects in accordance with art. 48 of the LGPD.

Are our integrations with brokers and clinics secure?

They are often the weakest link. Decripte reviews tokens and scopes, applies least privilege and rotation, validates webhooks, uses mTLS where applicable and monitors anomalous use in these connections. The goal is that the compromise of a partner does not become the entry point into your database.

Where do we start with no commitment?

With the free Threat Management diagnosis at decripte.com.br/intelligence-center, which gives a real view of your external exposure and of data that may have leaked. From there, contracting of SOC, Incident Response, Compliance or Vulnerability Management is done at decripte.io/start, and the team is available through the form at decripte.com.br/contato.

Sector terms

Sensitive personal data
LGPD category (art. 5, II) that includes data on health, biometrics, racial origin, religious conviction and others. It receives reinforced protection and restricted legal bases. In insurers, reports, exams and conditions declared in claims fall into this category.
Double extortion (ransomware)
Technique in which the attacker exfiltrates the data before encrypting it and demands ransom under two threats: unavailability of the environment and public disclosure of the stolen data. It makes backup insufficient, because the leak blackmail persists even after restoration.
BOLA / IDOR
Broken Object Level Authorization (Insecure Direct Object Reference), a top item in the OWASP API Security Top 10. It occurs when an API returns an object without verifying that the requester has permission over it — a typical flaw in quotation portals that allows policyholders to be enumerated.
Exfiltration detection
Monitoring that identifies the anomalous outflow of data by observing behavior (volume, dispersion of identifiers, timing, access pattern) instead of intrusion signatures. Essential because leakage through API abuse blends into legitimate traffic.
Notification to the ANPD
Duty provided for in the LGPD (art. 48) to communicate to the National Data Protection Authority and to data subjects the incidents that may cause relevant risk or harm, within a reasonable timeframe and in accordance with the Authority's regulation. It requires a rehearsed runbook and preserved forensic evidence.
24x7 SOC
Security Operations Center that monitors the environment continuously, 24 hours a day, 7 days a week. It is what ensures the early detection of incidents and makes the count on the Incident Response containment SLA start in time.

Decripte protects and responds to incidents in insurers and insurtechs.

Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.