How FTJ Protects Customer Data: Inside A 99th Percentile Insurance CyberSecurity Program
Executive Summary
FTJ protects sensitive insurance customer data through a dedicated Information Security Department that provides 24/7 monitoring, vendor risk management, employee training, and NIST-aligned cybersecurity controls.
What Is FTJ’s Information Security Program?
FTJ’s Information Security (InfoSec) program is a separately funded department responsible for protecting customer and corporate data from cyber threats, including hacking attempts, phishing campaigns, ransomware, and supply chain attacks.
Like many mid-sized U.S. companies, FTJ faces a constant barrage of cyber threats. Each week, millions of unauthorized attempts target its networks, while thousands of malicious emails and text messages attempt to compromise employees. Increasingly, cyber criminals also target FTJ’s vendors and business partners.
“So far, we’ve kept a step ahead of the bad guys,” said Shawn Heckmaster, Chief Information Security Officer for FTJ and its sister companies, including Fidelity Security Life Insurance Company. “But the bad guys only have to succeed once, while we have to win 100% of the time.”
Why FTJ Created a Dedicated Information Security Department
FTJ established its Information Security Department in 2018 to ensure a full-time, specialized focus on cybersecurity. Before that time, information security responsibilities were housed within the company’s Information Technology (IT) Department.
The department operates independently and reports directly to FTJ’s owner executives, reflecting the company’s view that cybersecurity is a core business requirement rather than a technical afterthought.
“This is their only job,” said Rick Jones, FTJ President. “It’s not cheap, but it’s an investment we have to make, and it’s well worth whatever we have to spend.”
The department’s annual budget for personnel, tools, and systems approaches seven figures.
Who Leads FTJ’s Cybersecurity Program?
FTJ’s Information Security Department is led by Shawn Heckmaster, who has more than 30 years of experience in information technology and cybersecurity across government and private-sector organizations.
His background includes service with:
- The U.S. Department of the Army
- The Department of Defense
- Global engineering firm Black & Veatch Corporation
Heckmaster leads a team of five information security specialists who collectively bring more than 90 years of cybersecurity experience and provide 24/7/365 monitoring of FTJ’s systems.
What Does FTJ’s Information Security Department Do?
FTJ’s Information Security Department is responsible for:
- Safeguarding sensitive information, including personal health information (PHI), personally identifiable information (PII), and nonpublic personal information (NPI)
- Monitoring networks and security systems around the clock to detect threats
- Identifying vulnerabilities and implementing mitigation strategies
- Creating and enforcing cybersecurity policies and procedures
- Ensuring compliance with government and industry regulations
- Training employees to recognize phishing attempts and practice safe online behavior
- Evaluating the cybersecurity posture of vendors and business partners
What Cybersecurity Tools Does FTJ Use?
FTJ employs multiple layers of cybersecurity tools that work together to provide defense in depth.
Key cybersecurity tools include:
- A security information and event management (SIEM) system that monitors firewalls, logs threat activity, and supports incident response
- Security awareness and training tools, including mandatory training for employees and contractors with network access
- A phishing alert button in Microsoft Outlook that allows employees to efficiently report suspicious emails
- Anti-virus software that aggregates threat intelligence from more than 5,000 organizations worldwide
- An email security suite that quarantines suspicious messages and enables encrypted communication
- An authorized password manager for creating and managing strong credentials
- A vendor risk management platform to assess and monitor third-party cybersecurity preparedness
Some tools overlap intentionally and are configured to work together, adding redundancy and resilience.
How FTJ Stays Ahead of Emerging Cyber Threats
In addition to internal tools, FTJ participates in national and global cybersecurity organizations that provide threat intelligence, education, and collaboration, including:
- High Technology Crime Investigation Association (HTCIA)
- U.S. Secret Service Electronic Cybercrimes Task Force (ECTF)
- FBI InfraGard
- International Information System Security Certification Consortium (ISC2)
- Information Systems Audit and Control Association (ISACA)
Many FTJ personnel maintain industry-recognized cybersecurity certifications from these organizations.
How FTJ’s Cybersecurity Performance Compares to Industry Benchmarks
FTJ currently ranks in the 99th percentile of the NIST Cybersecurity Framework, reflecting nearly a decade of continuous improvement.
When FTJ first underwent a cybersecurity assessment in 2017, its score placed the company in the bottom quintile. Through sustained investment in tools, infrastructure, policies, and training, FTJ steadily improved its posture. “We were pretty quickly able to move our score into the mid-60s,” Heckmaster said, “but it took us four or five years to eclipse the 90th percentile mark.”
For comparison, Heckmaster noted that during his time with the Department of Defense, cybersecurity scores were only slightly higher but were achieved with nearly unlimited funding.
How FTJ Reduces Employee Cyber Risk
FTJ’s workforce of nearly 300 employees and contractors is a frequent target of phishing and social engineering attacks. Employee education has been a major focus of the cybersecurity program.
The industry average phishing susceptibility rate is approximately 4.7%. Since 2020, FTJ has remained well below that level. In 2025, FTJ’s phishing-prone percentage was 1.13%.
What Cybersecurity Threats Concern FTJ Most?
Despite strong performance, FTJ continues to monitor a rapidly evolving threat landscape. Key trends from 2025 include:
- Record-breaking data breaches affecting more than 425 million accounts globally (1)
- A doubling of supply chain attacks, accounting for 30% of all cyber-attacks (2)
- Ransomware involvement in 44% of all breaches (3)
- A 53.5% increase in phishing emails, with more than 80% using artificial intelligence (4)
Artificial intelligence and third-party risk represent the most significant emerging challenges.
Cyber criminals increasingly use AI to generate realistic, grammatically accurate phishing messages that are harder to detect and can be launched at scale.
- (1) Identity Theft Resource Center 2025 Annual Data Breach Report
- (2) https://deepstrike.io/blog/supply-chain-attack-statistics-2025
- (3) Verizon 2025 Data Breach Investigations Report
- (4) “New Report: Over 80% of Cyberattacks Now Use AI” (Programs.com) and “Phishing For AI: Over 80% Of Attacks Utilize Artificial Intelligence”
How FTJ Manages Vendor and Supply Chain Cyber Risk
As supply chain attacks increase, FTJ evaluates vendors using dedicated cybersecurity assessment tools and provides guidance to key partners to help improve their defenses.
This proactive approach helps reduce risk not only for FTJ but across its extended business ecosystem.
Conclusion: Why Cybersecurity Is Critical to FTJ’s Business
FTJ’s cybersecurity program demonstrates that protecting sensitive insurance data requires dedicated leadership, continuous monitoring, and organization-wide accountability.
“Cybersecurity has become probably the most critical part of our business,” said Rick Jones. “Without excellence in this area and the ironclad ability to protect all the sensitive data we manage, we would no longer have a viable business model.”
Frequently Asked Questions About FTJ Information Security
FTJ’s Information Security program is a separately funded department responsible for protecting customer and corporate data through 24/7 monitoring, employee training, vendor risk management, and cybersecurity controls aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
FTJ created a dedicated Information Security Department in 2018 to ensure a full-time, specialized focus on cybersecurity. The department operates independently from IT and reports directly to company ownership, reflecting cybersecurity’s importance to FTJ’s business.
FTJ’s cybersecurity program is led by Shawn Heckmaster, Chief Information Security Officer, who has more than 30 years of experience in information technology and cybersecurity across government and private-sector organizations.
FTJ protects sensitive information including personal health information (PHI), personally identifiable information (PII), and nonpublic personal information (NPI).
FTJ monitors its networks and security systems 24/7/365 using layered cybersecurity tools, including a security information and event management (SIEM) system and continuous threat detection technologies.
FTJ evaluates vendors using dedicated cybersecurity risk assessment tools and provides guidance to key partners to help strengthen their cybersecurity defenses and reduce supply chain risk.
FTJ ranks in the 99th percentile of the NIST Cybersecurity Framework, reflecting sustained investment in cybersecurity tools, infrastructure, policies, and employee training.
FTJ reduces employee cybersecurity risk through mandatory security awareness training, phishing simulations, and ongoing education. In 2025, FTJ’s phishing-prone percentage was 1.13%, well below the industry average of 4.7%.
FTJ closely monitors emerging threats including ransomware, supply chain attacks, phishing campaigns, and the increasing use of artificial intelligence in cyberattacks.