AI Is Reshaping Cyber Insurance Landscape

Simon Glairy is a recognized expert in the fields of insurance and Insurtech, with a specialized focus on risk management and AI-driven risk assessment. We sat down with him to discuss the tectonic shifts occurring in the cyber insurance landscape. Our conversation explores how the rise of AI-powered threats is forcing businesses and insurers to recalibrate everything from policy limits and coverage design to the very nature of underwriting, highlighting the critical new exposures created by legacy technology and the blurring lines between cyber and professional liability.

As AI-driven tools like voice cloning and automated phishing accelerate potential losses, how are you advising businesses to reassess their cyber insurance limits? What metrics or scenarios should they use to determine if their coverage is adequate for this new reality?

The most significant shift we’re seeing is that the conversation has moved beyond simple checklists for ransomware or data breaches. We are now in an era where the scale of potential loss has fundamentally changed. The barrier to entry for attackers has dropped dramatically thanks to AI, meaning attacks can move faster and spread wider than ever before. Therefore, I advise businesses to stop thinking about a single breach scenario and start modeling for aggregation and rapid escalation. They need to ask themselves not just if they can be hit, but how quickly a sophisticated, AI-enabled social engineering attack could compromise multiple systems or executives, and what the cascading financial impact of that would be. The core metric is no longer just the cost of a breach response, but the total potential for business interruption and financial fraud when attacks can be automated and scaled with terrifying efficiency. Many existing programs are simply not calibrated for this new exposure.

With AI-enabled social engineering targeting human behavior over systems, what practical process disciplines are most effective for companies to implement? How can businesses best demonstrate these strong internal controls to underwriters to secure more favorable policy terms?

This is one of the most acute risk areas because it exploits our weakest link: human nature. Technology alone is not the answer. The most effective defense is a deeply ingrained process discipline. This means implementing and rigorously enforcing multi-step verification processes for any financial transaction or sensitive data request, no matter how authentic the initial outreach feels. It means creating a culture where employees feel empowered to pause and question an urgent request from a supposed executive. To an underwriter, demonstrating this is about more than just showing you have a security tool; it’s about proving you have a resilient process. You can do this by providing documented procedures, training logs, and even records of internal phishing tests. Showing that you are actively coaching your team and have pre-breach services in place tells an underwriter that you are a strong, proactive risk, which is far more compelling than simply having the latest software.

We often see a claims divide between startups with modern infrastructure and established firms with legacy systems. Could you share an example of how this “technology debt” materially increases cyber risk and claims costs, and what first steps older organizations should take to mitigate this exposure?

The difference is incredibly stark. I work with many small technology companies that, by their nature, have no technology debt. They were born in the cloud and use the latest network protection and cybersecurity tools from day one. As a result, they experience fewer claims, and when a claim does occur, it’s typically smaller and easier to contain. On the other hand, an established manufacturer with a 20-year-old network and a patchwork of outdated applications presents a much different picture. Defending that environment is exponentially more difficult and expensive. We see claims where the initial breach is minor, but it spreads like wildfire through legacy systems that lack modern segmentation and monitoring, turning a small incident into a catastrophic, multi-million-dollar business interruption event. The first step for these older organizations is a mental one: they must reframe infrastructure updates as a critical risk management decision, not just a line item on the IT budget. They are severely underestimating how much that outdated technology truly costs them in silent, accumulating risk.

For firms embedding AI into their professional services, the line between a cyber failure and a professional error is blurring. What are the key coverage gaps in a standard cyber policy in this scenario, and why is a separate E&O policy with explicit AI coverage so critical?

This is a massive and often overlooked exposure. When a company uses AI to deliver its core professional services—whether it’s a financial firm using an AI for investment advice or a marketing agency using it for campaign creation—a standard cyber policy offers very limited protection. A cyber policy is designed to respond to a breach or a network failure. It won’t typically cover a third party’s financial loss because the AI tool you used gave flawed advice or produced faulty work. That’s a professional error, not a cyber incident. The danger here is that many professional liability policies have “silent coverage,” meaning they don’t mention AI at all, which creates enormous uncertainty at the time of a claim. Worse, some are now adding specific AI exclusions. This is why a dedicated Errors and Omissions policy is non-negotiable. Businesses must ensure that policy explicitly affirms coverage for services delivered via AI, because without it, they are operating with a potentially business-ending coverage gap.

As insurers adopt AI for continuous risk monitoring throughout a policy term, what key risk signals or data points are they tracking? How should growth-stage companies prepare for this shift toward more dynamic, automated underwriting in their day-to-day operations?

The days of a single, static application defining your risk profile for an entire year are ending. Underwriting is becoming a continuous, automated process. Insurers are increasingly using AI to scan for external risk signals, such as unpatched software vulnerabilities, misconfigured cloud services, or chatter on the dark web mentioning a company’s credentials. Internally, they might monitor for sudden changes in data access patterns or the addition of new, potentially risky software. For a growth-stage company, this means security and compliance can no longer be a periodic project; they must be a constant operational discipline. You should prepare for this by having real-time visibility into your own security posture. Understanding how an insurer sees your risk profile is becoming as important as the coverage itself. In this new world, your risk is being assessed constantly, and your ability to maintain a strong, consistent security posture will directly impact your insurability and your premiums.

What is your forecast for the cyber insurance market over the next three to five years?

I believe we are heading toward a more dynamic and data-driven market on both sides of the equation. For insurers, the use of AI in underwriting and continuous monitoring will become standard practice, moving from an annual snapshot to a real-time assessment of risk. This will allow for more precise pricing but will also demand that insureds maintain a consistently strong security posture. For businesses, the focus must shift from simply buying a policy to actively managing technology and process risk. This means investing to reduce technology debt, embedding strong process discipline to counter social engineering, and securing explicit professional liability coverage for any AI-driven services. Ultimately, protection will depend on a sophisticated partnership between adequate limits, modern policy forms, and a transparent, realistic view of how a company’s day-to-day technology choices shape its risk.
