The insurance industry is facing a period of rapid transformation, as the dual threats of cybercrime and artificial intelligence (AI) liability converge to reshape the risk landscape for businesses worldwide. Recent reports from AXA XL and sweeping moves by major US insurers highlight the mounting urgency: the cost, complexity, and unpredictability of digital threats are reaching new heights, forcing companies and insurers alike to rethink their approach to risk and resilience.
According to AXA XL’s latest Future Risks Report, cyber risk has surged to become the third highest global threat, with a staggering 69% of UK experts naming it among their top five concerns. The numbers paint a sobering picture. As of 2024, the global average cost of a cyber breach hit $4.9 million—a 10% jump over the previous year—while a SoSafe report predicts the worldwide cost of cybercrime will soar to an unprecedented $10 trillion in 2025. For UK businesses, this is more than just a statistic; it’s a daily reality that demands constant vigilance and adaptation.
Vanessa Leemans, Head of Cyber, UK & Lloyd’s at AXA XL, told Insurance Business that cyber is “most certainly a key concern for UK businesses,” and that awareness is on the rise thanks to high-profile breaches involving well-known companies. “As the threat environment evolves, the cyber insurance market in London, and worldwide, must remain focused on sustainability and building up the expertise and knowledge that will help clients face the challenges on the horizon,” Leemans emphasized.
But while insurers are working to bolster their offerings, threat actors aren’t standing still. Instead, they’re honing their craft—finding new ways to bypass even advanced multi-factor authentication (MFA) and exploiting vulnerabilities in cloud systems. Leemans warns that attackers “are becoming more adept at bypassing multi-factor authentication controls,” recommending that businesses adopt more sophisticated MFA methods that consider contextual data like location, time of day, and user behavior patterns. Cloud attacks and zero-day vulnerabilities, flaws that hackers exploit before vendors can patch them, are also on the rise. Companies are encouraged to implement zero-day patching strategies and conduct thorough vendor assessments to shore up their defenses.
Artificial intelligence is another double-edged sword. As Leemans pointed out, “We haven’t yet seen the full scale of what AI could be capable of in terms of cyberattacks. But it’s possible, for example, for attackers to reverse engineer some of the cybersecurity patches that have been published.” While claims stemming from such AI-driven attacks haven’t materialized yet, the potential is there—and it’s forcing both insurers and businesses to prepare for a rapidly shifting threat landscape.
Preparation, it seems, is the watchword of the day. Leemans described AXA XL’s four-pillar approach: prevention (assessing security maturity and defining strategies), preparation (identifying vulnerabilities and anticipating attacks), protection (building robust defenses), and response (helping clients recover and emerge stronger post-incident). “It’s beneficial to all concerned if we can work with our clients to help them on a journey of continuous risk improvement,” she said. That means not just transferring risk, but actively supporting clients in building cyber resilience—through phishing-awareness training, enforcing strong password policies, and encouraging the use of inside-out scanning for continuous risk management.
Regulators are also stepping up. The UK Cyber Security & Resilience Bill, introduced to Parliament on November 12, 2025, proposes mandatory reporting standards for medium and large IT service providers supporting critical infrastructure—including organizations like the NHS. If enacted, the bill would require these companies to comply with strict security programs and reporting requirements, making cyber coverage not just prudent, but a legal necessity. “The proposed new laws will place obligations on IT providers and supply chain partners supporting critical infrastructure,” Leemans noted, underlining the shift from cyber insurance as a ‘nice to have’ to a regulatory must-have.
Meanwhile, on the other side of the Atlantic, the insurance industry is grappling with the liabilities posed by AI itself. According to Financial Times reporting, three major US insurers—AIG, Great American, and WR Berkley—are seeking regulatory approval to limit their exposure to claims arising from AI agents and chatbots. This marks a significant shift, as insurers acknowledge that traditional liability frameworks simply aren’t equipped to handle the systemic risks posed by autonomous, data-driven systems.
The worries aren’t unfounded. As AI systems become embedded in everyday business operations, the list of potential missteps grows: from chatbots dispensing poor financial advice to generative models creating defamatory or harmful content. The risk of a single large-scale failure—one that could affect thousands of users at once—looms large. Insurers fear that such a scenario could generate claims running into the billions, far outstripping existing reserves and exposing gaps in current policy language.
The legal landscape is already shifting. AI-related lawsuits and disputes involving generative models have surged, with businesses facing complaints about misinformation, privacy violations, and unintended financial consequences from automated interactions. Regulators are paying closer attention, and companies are scrambling to update their AI guidelines. For insurers, the answer is clear: without tighter liability terms, the risk is simply too great.
If regulators approve these proposed policy changes, businesses that rely on AI could soon face higher premiums, narrower coverage, or the need to seek specialized AI liability insurance. This could slow the pace of AI adoption, especially among smaller firms that turned to AI as a cost-saving measure. As the Financial Times notes, “Without clear guardrails around accountability and risk, the potential for AI innovation and adoption could slow, and smaller businesses, especially, may pull back from AI adoption as businesses become more cautious about potential costs.”
Interestingly, while Western insurers tap the brakes, AI adoption in China appears to be surging ahead. Alibaba’s Qwen App, for instance, racked up over 10 million downloads in its first week of public beta—demonstrating the appetite for AI-driven solutions, even as risk management frameworks struggle to keep up.
Looking to the future, Leemans is unequivocal: “As we face the future, the evolving threat means it is vital that cyber insurers continue to conduct rigorous risk assessments, remain focused on underwriting discipline and keep a close eye on our risk aggregation to manage exposures. This will facilitate a sustainable cyber insurance market which is what all of us—clients, brokers, insurers and reinsurers—want and need.”
With the stakes rising on both sides of the digital divide, one thing is clear: the only way forward is through preparation, adaptation, and a relentless focus on resilience. For insurers and businesses alike, the next five years will be defined by those who can anticipate, understand, and respond to risks that are evolving faster than ever before.