4 Things You Should Do If Your Carrier Has Been Hacked

• By: Will Jones
• June 19, 2025

Erie Insurance and Philadelphia Insurance Companies are both grappling with extended system outages following cybersecurity incidents that began earlier this month.

Erie reported “steady progress” in restoring operations after detecting unusual activity on June 7, while Philadelphia Insurance has been offline since June 9 after a similar discovery.

Both insurers say teams are working around the clock alongside cybersecurity experts, but full restoration will take time. The outages have disrupted phone, email and online services.

In the wake of these attacks, John Hultquist, chief analyst at Google’s Threat Intelligence Group, warned that the insurance industry should brace for attacks by Scattered Spider, the hacker group linked to the recent assault on the U.S. and U.K. retail sector.

“Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” Hultquist told The Register tech website.

Hultquist added that, given Scattered Spider’s history of “focusing on a sector at a time,” the industry should be on “high alert,” particularly for “social engineering schemes, which target their help desk and call centers.”

Scattered Spider, also known as UNC3944, is believed to be a trans-Atlantic coalition of hackers whose past targets have included large firms across the technology, telecommunications and financial services sectors, according to Google.

“When carrier systems go down, independent agents are often left to navigate a difficult and confusing situation,” says Nancy Germond, Big “I” executive director of risk management and education. “It can be tempting to bend procedures in the name of customer service, but that’s when errors & omissions risks are at their highest, so don’t.”

Here are four things Germond recommends you do to limit your E&O exposure if one of your carriers is the target of a cyberattack:

1) Follow each carrier’s advice. Insurers are reaching out to agents with information and advice. Keep copies of any communication and instructions from the carriers in your agency management system (AMS).

“Unless you feel it would expose your agency to an E&O claim, follow the carrier’s advice,” Germond says. “Acting outside of the carrier’s advice could create problems with your appointment authority with that carrier. When in doubt, get legal advice.”

“Also, remember that different carriers will offer different instructions,” she says.

2) Consider moving coverage. If you are unable to provide the coverage requested by your insured, you may have to move the business. There may be situations where you do not have binding authority and cannot complete the insured’s request. Be sure to communicate that to the insured and look for alternatives when necessary.

“In these unusual circumstances, we revert back to the basic requirement of an insurance agent: Place the coverage as requested or notify their customer in a timely manner that they are unable to do so,” Germond says. “Communication is key, including informing the customer and offering them the option to purchase coverage through another carrier, or even another agent if they so choose.”

3) Document, document, document. Thoroughly document and respond by email to all conversations or coverage requests with or from your insureds. Events like cyberattack-related outages can cause an insured to allege that “we asked for coverage and the agency told us it was bound” when in fact they did not. Documentation patterns can be a significant help in defending against any allegation of this type.

“With the carrier system down, carriers are no doubt unable to properly document all communications and changes,” Germond says. “Agents should document every discussion or action in their AMS.”

“In situations like this, dates will matter,” she continues.  “Should customers end up without coverage for some time, you may need to show what communications were sent to them and what options you offered.” 

4) Warn your customers of possible payment scams. If a carrier’s payment portal is down, this is a wide-open target for scammers to set up fake payment sites or to call and request credit card or other payment information. Warn your insureds not to pay anything via online portals before checking with you. And ensure you have the most current payment portals when they become available again.

“Cyberattackers are opportunists and will seek to capitalize further on the disarray they’ve created,” Germond says. “Remind staff and clients to keep their guards up against follow-up scams, whether that’s from phishing emails or social engineering attempts.”

Will Jones is IA editor-in-chief.