An independent cybersecurity review across the largest insurance carriers in the United States — national property-casualty, life, and specialty insurers including State Farm, GEICO, and Progressive — reveals a surprisingly wide range of results. These organizations handle sensitive customer and financial data at national scale, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each carrier’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
In this national audit, scores ranged from 84% to 38% — 4 of 18 (22%) scored below 60%.
Cybersecurity Scores of Insurance Carriers
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Insurance Carrier | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | CNA | cna.com | 84% | Strong |
| 2 | USAA | usaa.com | 72% | Strong |
| 3 | Farmers Insurance | farmers.com | 70% | Strong |
| 3 | AIG | aig.com | 70% | Strong |
| 5 | Lemonade | lemonade.com | 65% | Good |
| 6 | Liberty Mutual | libertymutual.com | 64% | Above Average |
| 7 | Allstate | allstate.com | 61% | Above Average |
| 8 | GEICO | geico.com | 60% | Above Average |
| 8 | Nationwide | nationwide.com | 60% | Above Average |
| 8 | Travelers | travelers.com | 60% | Above Average |
| 8 | Chubb | chubb.com | 60% | Above Average |
| 8 | The Hartford | thehartford.com | 60% | Above Average |
| 8 | MetLife | metlife.com | 60% | Above Average |
| 8 | Zurich North America | zurichna.com | 60% | Above Average |
| 15 | State Farm | statefarm.com | 54% | Below Average |
| 16 | American Family | amfam.com | 52% | Below Average |
| 17 | Progressive | progressive.com | 48% | Weak |
| 18 | Prudential | prudential.com | 38% | Weak |
What the Results Reveal
- Scores range from 84% (CNA) down to 38% (Prudential) — 4 carriers reach a strong (70%+) posture, led by CNA at 84% and USAA at 72%.
- The biggest household names sit in the middle of the table or below it: State Farm (54%), GEICO (60%), and Progressive (48%) trail several specialty carriers on basic email authentication.
- The gap from top to bottom is 46 points — brand scale is no guarantee of strong email hygiene.
- Without an enforced DMARC policy, criminals can spoof a carrier’s own domain to phish policyholders or to redirect claims and premium-payment instructions.
Why This Matters for Insurance Carriers
Insurance carriers are bound by NAIC model standards, state department of insurance oversight, and GLBA-style safeguards for policyholder data. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against claims fraud, policy-change phishing, and business email compromise targeting agents and policyholders.
Check any carrier’s posture at audit.emailmenow.com/?industry=financial-advisors.
See also — state audits
- Texas Title Companies
- California Title Companies
- Florida Title Companies
- Illinois Title Companies
- New York Title Companies
- Pennsylvania Title Companies
- Ohio Title Companies
- Georgia Title Companies
- Michigan Title Companies
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to payment or wiring instructions, and train customer-facing staff.
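To make the three DNS-level recommendations above (and the spoofing risk noted under "What the Results Reveal") concrete, here is an added example, written for this page and not code from audit.emailmenow.com, that classifies a domain's records by the same criteria: is DMARC enforced at `p=reject`, does SPF end in `-all`, and is MTA-STS in `enforce` mode. The records and domain names are constructed samples held in an in-memory table instead of live DNS lookups, so nothing here reflects the real configuration of any carrier in the table; DKIM is left out because checking it requires knowing the sending selector.

```python
"""Classify email-authentication records by the audit's criteria:
DMARC enforcement (p=reject), strict SPF (-all), MTA-STS mode.
Added example: the DNS lookup is replaced by a constructed table so it runs offline."""

import re

# Constructed sample records for hypothetical domains; not real DNS data
# for any carrier named in the article.
SAMPLE_DNS = {
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
        "mta_sts": "version: STSv1\nmode: enforce\nmx: mail.strong.example\nmax_age: 604800\n",
    },
    "monitor.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
        "mta_sts": "version: STSv1\nmode: testing\nmx: mail.monitor.example\nmax_age: 86400\n",
    },
    "partial.example": {
        "spf": "v=spf1 ip4:198.51.100.10 -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=25",
        "mta_sts": None,
    },
    "none.example": {"spf": None, "dmarc": None, "mta_sts": None},
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def classify_dmarc(record):
    """Return 'missing', 'invalid', 'none', 'partial', 'quarantine' or 'reject'.
    pct defaults to 100 when absent; anything below 100 is only partial enforcement."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "none").lower()
    if policy not in ("reject", "quarantine"):
        return "none"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    return "partial" if pct < 100 else policy


# Matches the 'all' mechanism and captures its qualifier (-, ~, ?, + or none).
SPF_ALL_RE = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)", re.IGNORECASE)


def classify_spf(record):
    """Return 'missing', 'invalid', 'strict' (-all), 'soft' (~all) or 'permissive'."""
    if record is None:
        return "missing"
    if not record.lower().startswith("v=spf1"):
        return "invalid"
    match = SPF_ALL_RE.search(record)
    if not match:
        return "permissive"  # no 'all' terminator: unlisted senders get Neutral
    return {"-": "strict", "~": "soft"}.get(match.group(1), "permissive")


def classify_mta_sts(policy_text):
    """Return 'missing', 'invalid', 'enforce', 'testing' or 'none' from a policy file body."""
    if policy_text is None:
        return "missing"
    fields = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip().lower()
    if fields.get("version") != "stsv1":
        return "invalid"
    mode = fields.get("mode")
    return mode if mode in ("enforce", "testing", "none") else "invalid"


def audit_domain(domain, dns=SAMPLE_DNS):
    """Run the three checks and list which of the article's recommendations still apply."""
    records = dns.get(domain, {})
    findings = {
        "dmarc": classify_dmarc(records.get("dmarc")),
        "spf": classify_spf(records.get("spf")),
        "mta_sts": classify_mta_sts(records.get("mta_sts")),
    }
    todo = []
    if findings["dmarc"] != "reject":
        todo.append("Enforce DMARC (p=reject)")
    if findings["spf"] != "strict":
        todo.append("Use strict SPF (-all)")
    if findings["mta_sts"] != "enforce":
        todo.append("Add MTA-STS in enforce mode")
    return findings, todo


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        result, gaps = audit_domain(name)
        print(name, result, gaps or "no gaps")
```

The `partial.example` case is the one worth noticing: `p=quarantine; pct=25` looks like an enforced policy on a quick read, but only a quarter of failing mail is acted on, which is why the classifier reports it as `partial` rather than `quarantine`. To run it against real domains, replace the `SAMPLE_DNS` lookup with TXT queries for `_dmarc.<domain>` and `<domain>`, and fetch the MTA-STS policy from `https://mta-sts.<domain>/.well-known/mta-sts.txt`.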
Protect your organization. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=financial-advisors.
Contact EmailMeNow IT Consulting for help with GLBA-aligned email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.