
Threat actors today have a common theme, and that’s how they capitalize on their access. So, personally, I do not over-index on the vertical-specific threats; it’s really about the data or access those organizations possess and its perceived value. Specific to the insurance industry, there may be information collected to inform a claim or policy that a threat actor might determine valuable even if it only refines their targeting efforts of others.
However, we also cannot wish away the “idealist” or “ideologically motivated” threat actors that target the insurance industry because of historical misconceptions or animosity toward the industry.
Specific to ransomware, threat actors are likely to target organizations that have a high likelihood of paying or being exploited. So, it’s as much about the data those organizations possess, not necessarily the industry verticals themselves, and the maturity of their security program. Threat actors want to expend the fewest resources for the highest return on investment, so they often target low-hanging fruit, which are, in many cases, the least mature security programs.
