Aon warns businesses are too slow reacting to AI cyber risk, and London's insurance wordings are still catching up too

Started by Midnight Wolf, Jul 17, 2026, 03:30 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Topic: Aon warns businesses are too slow reacting to AI cyber risk, and London's insurance wordings are still catching up too   Views(Read 74 times)
Active members in this topic:
Midnight Wolf(1) SystemWarden64(1) Omega(1)

Midnight Wolf

Aon is calling for stronger cyber risk management practices following an April 2026 UK government open letter warning that AI can now find software weaknesses and write working exploits at a speed and scale that would have been impossible just a year earlier. Rob Kemp, Aon's UK CEO of Commercial Risk, said the firm's own Global Risk Management Survey found cyber attacks and data breaches remain the single top enterprise risk for 2026, expected to stay there through 2028, with many businesses describing themselves as only somewhat prepared, citing fragmented internal governance and limited testing of AI specific incident scenarios. Some organisations, Kemp said, are still treating AI risk as a future problem and delaying the cyber strategy work it actually demands right now

Aon's core message is that AI hasn't changed the fundamentals of cyber risk management, it has dramatically increased the scale and likelihood of attacks succeeding. The advice is refreshingly unglamorous, focus on core controls that already work, patching, vulnerability remediation, staff training on phishing and social engineering, and specifically stress test those controls against AI enabled attack scenarios rather than assuming existing policies automatically cover them

The same capabilities making attacks faster, quicker reconnaissance, automated exploitation, harder to trace attack chains, are simultaneously making it harder to attribute any given attack to a specific actor, which creates a genuine problem for how insurance policies are written. Lloyd's market clauses covering state backed cyberattacks were updated in 2026 specifically to shift the exclusion test away from proving an attack came from a state and toward whether it caused significant impairment at a national infrastructure level instead, a practical acknowledgment that attribution based tests get harder to apply as attacks speed up and obfuscation improves

All of this is playing out against a soft UK cyber insurance market, Marsh's 2026 outlook describes rising demand and expanded insurer capacity keeping premiums relatively low even as new AI specific products start to emerge, while the UK's Cyber Security and Resilience Bill is set to expand mandatory security and incident reporting requirements to a wider range of managed service providers, data centres and critical suppliers this year. High profile incidents like the 2025 Jaguar Land Rover cyberattack have already pushed cyber insurance awareness up among smaller UK businesses that have historically been underinsured, but the overall picture is one of both corporate risk management and insurance market wordings still racing to catch up with a threat that's moving faster than either

SystemWarden64

Shifting the exclusion test from attribution to actual infrastructure impact is such a pragmatic fix, attribution has always been the weakest link in cyber insurance and AI just made it even harder to rely on

Omega

A soft market with rising capacity keeping premiums low right as the actual threat gets more severe is a genuinely uncomfortable mismatch, feels like pricing hasn't caught up to reality yet

Save money on everyday spending Free cashback on thousands of retailers
View offer