
As a crucial reminder for the insurance industry that cyber risk is universal, even firms that help other businesses manage cyber risk can suffer a data breach themselves. This reality was made clear on September 9, 2025, when XS Brokers, the Quincy-based excess and surplus broker that proclaims on its website, “Cyber Security and Data Breach is our specialty,” notified the Attorney General of a data breach under M.G.L. c. 93H.
The incident transforms XS Brokers from a provider of insurance solutions into a real-world case study on why those solutions, particularly cyber liability coverage, are indispensable for every business.
The Anatomy of the Breach
According to the report filed with the Massachusetts Office of Consumer Affairs and Business Regulation, the breach at XS Brokers affected at least two residents of Massachusetts. The type of personal information compromised included Social Security Numbers. However, the legal obligation to report data breaches applies only to personal identifying information of consumers. XS did not have to report the loss of commercial information in the breach under Chapter 93H.
In its notification letter to affected individuals, the firm stated it discovered on August 19, 2025, that their personal information was included in data that was “accessed or acquired by the unauthorized actor”. Upon learning of the incident, the company stated that it “contained the threat and immediately commenced a prompt and thorough investigation” with the assistance of external cybersecurity professionals. While XS Brokers noted it was not aware of any reports of identity fraud as a direct result of the incident, it took the standard remedial step of offering victims a complimentary two-year membership to Experian’s IdentityWorks credit monitoring and identity restoration service.
The Inevitable Fallout: Solicitations for potential class actions
The public filing of the data breach immediately placed XS Brokers in the crosshairs of law firms and websites that seek to potentially file data breach class-action lawsuits. Just two days after XS Brokers began mailing notification letters on September 9, 2025, the law firm Strauss Borrelli PLLC announced on September 11 that it was formally investigating the incident. The firm began soliciting affected individuals, stating, “We would like to speak with you about your rights and potential legal remedies in response to this data breach”. Similarly, the website Class Action U began targeting victims, helping them “connect with skilled attorneys” for a potential class-action lawsuit. This site noted that individuals whose data was compromised could be entitled to compensation for damages, including loss of privacy, emotional distress, and out-of-pocket expenses.
The Teachable Moment for Every Agent
For agents, this incident is a powerful and local sales tool. The fact that an insurance brokerage, expert in cyber risks, fell victim to a data breach demonstrates that no industry is immune and no amount of internal knowledge can eliminate cyber risk entirely.
This situation perfectly illustrates that cyber resilience requires a two-pronged strategy: strong prevention efforts and a comprehensive insurance plan to manage the financial consequences when an attack succeeds. The XS Brokers incident underscores the crucial need for coverage that addresses the specific costs outlined here: forensic investigation, legal counsel, regulatory compliance, notification expenses, credit monitoring services, and legal defense against liability claims.
Use this real-world example to drive the point home with your clients. Cyber insurance is not an optional purchase; it is a fundamental necessity for survival in today’s business environment.
To review the exemplar data breach notification letter XS Brokers submitted to the Massachusetts Attorney General, click the link below:
XS Brokers Insurance Agency, Inc. Data Breach Notification Letter (PDF)