Insurance Penetration Testing: DORA, Solvency II & EIOPA Cyber Resilience
Insurance companies operate under DORA (mandatory since Jan 2025 for all financial entities), Solvency II Pillar II (operational risk including cyber), and IDD (Insurance Distribution Directive). EIOPA's cyber resilience guidelines apply to all EU insurers. Matproof Sentinel runs targeted insurance pentests focused on claims systems, customer portals, and distributor APIs — from €149.
Why insurance companies face unique cyber pentest challenges
European insurance companies face overlapping regulations: DORA (Digital Operational Resilience Act, applicable since January 17, 2025) mandates regular pentests for all insurance and reinsurance undertakings. Solvency II Pillar II requires operational risk capital calculation including cyber. EIOPA (European Insurance and Occupational Pensions Authority) has published cyber resilience guidelines since 2017. National supervisors add their own requirements: BaFin VAIT in Germany, ACPR for France, IVASS in Italy. Beyond compliance, insurance companies are uniquely targeted: claims fraud (BEC, identity theft for false claims), customer PII at scale (health data, financial data, life events), and distributor / agent portal compromises that can cascade to thousands of customer policies.
- DORA Art. 24: mandatory annual pentest for all insurance and reinsurance undertakings — including life, non-life, and health insurance.
- Solvency II Pillar II: operational risk capital includes cyber risk — undocumented pentest weakness can increase regulatory capital requirements.
- EIOPA Cyber Resilience Framework (2019): annual security testing recommended for all EU insurers.
- BaFin VAIT (Germany): equivalent of BAIT for German insurers — annual technical testing for IT systems.
- IDD (Insurance Distribution Directive): distributor data protection, customer onboarding security, cross-border distribution audit.
- Claims fraud via cyber: 18% increase in cyber-enabled insurance fraud 2022-2024 (Coalition Cyber Insurance Report 2024).
- Health insurance specifically: GDPR Art. 9 (special category data) + health-specific national laws — health insurance breaches carry highest GDPR fines.
What we specifically test in an insurance application
- Customer portal: account access, claims submission flow, IDOR on policy details, privilege escalation between customer roles.
- Claims processing: claims fraud prevention controls, automated approval logic, document upload validation.
- Distributor / agent portal: privilege escalation between distributor levels, cross-distributor data access, commission manipulation.
- Policy management: policy modification audit log, premium calculation tampering, policy lapse/reinstatement flow.
- Health data (life/health insurance): GDPR Art. 9 compliance, encrypted storage, access logging for special category data.
- Third-party integrations: actuarial software, fraud detection APIs (LexisNexis, Verisk), broker management systems.
- InsurTech mobile apps: claims via photo upload, customer authentication, biometric verification flow.
- Open Insurance APIs (FRISS, FRISS-FIRE for EU): emerging standard for insurance data sharing, OAuth2 + FAPI compliance.
- VAIT compliance (BaFin §6.3): annual technical testing of insurance IT systems, documented in BSI IT-Grundschutz format.
- Reinsurance treaty management: secure access controls for reinsurance partners, treaty modification audit log.
Sample finding
Claims submission flow allows premium tampering via API parameter manipulation
The insurance customer portal allows claim submission via /api/claims with parameters including policy_id, claim_amount, and incident_date. The endpoint validates that the authenticated customer owns the policy_id but does not validate that the claim_amount is within policy limits or that the incident_date falls within the policy term. Testing demonstrated: (1) submitting a claim with an incident_date before the policy start; (2) submitting a claim with a claim_amount exceeding the policy maximum payout; (3) submitting a claim with the policy_id of a lapsed policy. All three scenarios succeeded; the claims processing system would have approved up to €450,000 in fraudulent claims before manual review was triggered.
Fix (immediate action): enforce server-side validation of claim_amount (within policy limits and above a minimum threshold), incident_date (within the policy effective period), and policy status (active, not lapsed or cancelled). Implement automated red flags for claims exceeding 80% of the policy maximum or submitted within the first 30 days of the policy. Add a second-level review for claims above €10,000 regardless of automation. Audit-log all parameter changes during claim submission.
Reference: OWASP A04:2021 Insecure Design · OWASP A01:2021 Broken Access Control · DORA Art. 24 · EIOPA Cyber Resilience Framework · Solvency II Art. 41 (Operational risk)
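The following is an added illustration of the finding and its fix, not code from the audited portal or from Matproof: an ownership-only check as described above, next to a hardened validator that enforces policy status, term, amount limits, the 80% / 30-day red flags and the €10,000 second-level review. The policy records, the €50 minimum threshold and the flag names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Policy:
    policy_id: str
    owner_id: str
    status: str        # "active", "lapsed" or "cancelled"
    start: date        # policy effective period
    end: date
    max_payout: float  # policy maximum payout in EUR

# Constructed sample policies for the demo (not real data).
POLICIES = {
    "POL-1": Policy("POL-1", "cust-A", "active", date(2025, 1, 1), date(2025, 12, 31), 100_000.0),
    "POL-2": Policy("POL-2", "cust-A", "lapsed", date(2023, 1, 1), date(2023, 12, 31), 50_000.0),
}
MIN_CLAIM = 50.0                  # assumed minimum claim threshold
SECOND_LEVEL_REVIEW = 10_000.0    # claims above this always get a second-level review

def validate_claim_vulnerable(customer_id, policy_id, claim_amount, incident_date):
    """As found: checks ownership of policy_id only; amount, date and status are trusted."""
    policy = POLICIES.get(policy_id)
    return policy is not None and policy.owner_id == customer_id

def validate_claim(customer_id, policy_id, claim_amount, incident_date):
    """Hardened server-side check. Returns (accepted, flags); flags route the claim to review."""
    policy = POLICIES.get(policy_id)
    if policy is None or policy.owner_id != customer_id:
        return False, ["policy_not_owned"]
    if policy.status != "active":                      # lapsed / cancelled policies cannot claim
        return False, ["policy_not_active"]
    try:
        incident = date.fromisoformat(incident_date)   # API parameter arrives as a string
    except (TypeError, ValueError):
        return False, ["invalid_incident_date"]
    if not (policy.start <= incident <= policy.end):   # incident must fall within the term
        return False, ["incident_outside_term"]
    if not (MIN_CLAIM <= claim_amount <= policy.max_payout):
        return False, ["amount_outside_limits"]
    flags = []                                         # accepted, but possibly flagged
    if claim_amount > 0.8 * policy.max_payout:
        flags.append("red_flag_over_80pct_max")
    if incident - policy.start < timedelta(days=30):
        flags.append("red_flag_first_30_days")
    if claim_amount > SECOND_LEVEL_REVIEW:
        flags.append("second_level_review")
    return True, flags
```

The three scenarios from the finding pass the ownership-only check and are rejected by the hardened one; a large early claim is accepted but carries all three review flags.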
Insurance pentest options compared
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Insurance pentest packages
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about insurance pentests
Is Matproof Sentinel accepted for a DORA Art. 24 audit for insurers?
Yes. DORA applies to insurance and reinsurance undertakings since January 2025. Our report includes explicit DORA Art. 24 mapping. EIOPA and national supervisors (BaFin, ACPR, IVASS) examine pentest documentation during regular cyber resilience supervision.
Do you test health insurance specifically (GDPR Art. 9 special category data)?
Yes. Health data has specific GDPR requirements (Art. 9 + national health data laws). We test encrypted storage, access logging, breach notification readiness (72-hour rule), and consent management for health data processing.
How does a pentest affect Solvency II operational risk capital?
A documented annual pentest with remediation tracking reduces operational risk capital allocation under Solvency II Pillar II. Insurers without a recent pentest face higher capital charges, typically a 10-15% increase in the operational risk module.
Do you test InsurTech platforms specifically?
Yes. InsurTech-specific risks include: AI-powered underwriting bias/manipulation, claims via mobile photo upload (image tampering), digital health data integration (Fitbit, Apple Health), parametric insurance triggers.
What's the cost compared to a traditional insurance cyber audit?
Traditional insurance cyber audit: €25,000-€80,000 per engagement. Matproof Sentinel: €149-€799/mo for ongoing coverage. Most insurers combine Matproof Sentinel monthly with a traditional Big-4 cyber audit annually.
Do you support InsurTech multi-jurisdiction (UK + EU + Switzerland)?
Yes. We cover insurance regulations across the UK (FCA cyber rules), the EU (DORA + EIOPA + national supervisors), and Switzerland (FINMA Circular 23/1 Operational Risks). A single Matproof Sentinel report supports all three jurisdictions.