Simon Glairy is a titan in the world of risk management and Insurtech, known for his clinical ability to dissect the complex intersections of artificial intelligence and cybersecurity. With a career dedicated to helping major carriers navigate the volatile waters of digital transformation, he has become a leading voice on why technology alone cannot save a company from a breach. He focuses heavily on the human element and the structural integrity of data, arguing that the modern insurer’s greatest threat isn’t just a malicious actor, but the internal chaos of fragmented information. In this discussion, he explores the shift from mere prevention to deep-seated cyber resilience, the hidden dangers of vendor concentration, and the looming reality of autonomous AI agents in underwriting. We dive into the necessity of defining a “minimum viable organization,” the organizational friction slowing down AI adoption, and why the “evidence sprawl” across cloud platforms is creating a nightmare for claims adjusters.
Since cyberattacks are now widely considered an inevitability rather than a possibility, how can a company define its “minimum viable organization” to ensure its survival during a crisis?
The concept of a “minimum viable organization” is born out of the harsh reality that our defensive walls will eventually be breached. To define it, leadership must undergo a rigorous, almost surgical, identification process of the critical processes and data assets that keep the lights on and the business functioning before an attack ever occurs. You have to strip away the non-essentials and ask what the absolute baseline of survival looks like, which involves classifying information assets by their criticality and enforcing a strict policy of least-privilege access. It is about creating a resilient core where your most vital data is protected by immediate patching of known vulnerabilities, while legacy systems that are too fragile to patch are wrapped in compensating controls. This isn’t just a technical exercise; it requires security leaders to align perfectly with business priorities and cultivate a sense of risk ownership at every single staffing level so that everyone knows their role when the sirens start blaring.
With nearly half of cyberattack targets reporting the presence of AI-generated malware, where are large enterprises still proving to be the most vulnerable?
The vulnerability landscape has shifted because AI has made the execution of ransomware faster and more sophisticated, yet the entry point remains frustratingly human. Our data shows that while large enterprises have well-funded defenses, they are still being compromised through human error at help desks and other customer-facing touchpoints where social engineering thrives. In fact, 51% of businesses report dealing with AI-crafted phishing attacks that are so convincing they bypass the traditional “sniff tests” employees were trained on just a few years ago. We are seeing a ripple effect where 58% of attacked organizations trace the incident back to their suppliers, proving that your security is only as strong as the weakest link in your supply chain. It is a sobering environment where 49% of targets are seeing malware actually written by AI, turning every minor oversight into a potential catastrophic opening for third-party litigation.
Evidence sprawl is often described as a silent killer for claims outcomes; how does this fragmentation of data across cloud and SaaS platforms actually impede the recovery process?
Evidence sprawl is the digital equivalent of a paper trail scattered across a hurricane-ravaged city, where fragmented data across cloud platforms, SaaS applications, and unmapped shadow IT makes it nearly impossible to mount a defensible forensic response. When a breach happens, the clock is your enemy, with notification windows now compressing to as little as 72 hours in many jurisdictions. If an organization cannot quickly produce a proof pack that documents their security telemetry and remediation timelines, they face delayed claims, intense coverage disputes, and massive regulatory penalties. We saw the weight of this risk with Morgan Stanley’s $35 million penalty for untracked decommissioned servers, which is a loud warning to anyone ignoring data lineage. The only way to win is to build forensic-grade preservation workflows long before an incident happens, focusing on eliminating data with no business purpose and mapping every single hidden corner of the network.
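The "proof pack" and forensic-grade preservation workflow described above can be made concrete. The following Python script is an added illustration, not code from this interview or from any carrier's tooling; the artifact names, log lines, incident timeline and the 72-hour window are constructed for the example. It hashes each collected artifact into an integrity manifest, re-verifies that manifest later to detect altered or missing evidence, builds an ordered remediation timeline, and reports how much of the notification window remains.

```python
"""
Forensic-grade preservation of breach evidence: an added illustration of the
"proof pack" idea. Not code from the interview or any insurer's tooling; the
artifact names, sample log lines, timeline and 72-hour window are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed evidence artifacts keyed by their (hypothetical) cloud/SaaS source.
# In practice these are exports from a SIEM, EDR, identity-provider audit log, etc.
ARTIFACTS = {
    "siem/auth-failures.log": b"2025-03-01T02:11:09Z helpdesk-portal login_failed user=jdoe src=203.0.113.7\n",
    "edr/host-alerts.json": b'{"host":"ws-0142","alert":"ransomware-behaviour","ts":"2025-03-01T02:40:51Z"}\n',
    "idp/admin-audit.csv": b"2025-03-01T03:05:22Z,svc-backup,role_granted,Global Admin\n",
}


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2025-03-01T02:40:51Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, collected_at: str, collector: str) -> dict:
    """Hash every artifact at collection time so later tampering or silent loss is detectable."""
    return {
        "collected_at": parse_ts(collected_at).isoformat(),
        "collector": collector,
        "items": [
            {"path": path, "sha256": sha256_hex(blob), "size": len(blob)}
            for path, blob in sorted(artifacts.items())
        ],
    }


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Return the paths whose content no longer matches the manifest (altered or missing)."""
    bad = []
    for item in manifest["items"]:
        blob = artifacts.get(item["path"])
        if blob is None or sha256_hex(blob) != item["sha256"]:
            bad.append(item["path"])
    return bad


def notification_status(detected_at: str, now: str, window_hours: int = 72) -> float:
    """Hours left in the notification window; negative once the deadline has passed."""
    remaining = parse_ts(detected_at) + timedelta(hours=window_hours) - parse_ts(now)
    return round(remaining.total_seconds() / 3600, 2)


def remediation_timeline(events: list) -> list:
    """Order (timestamp, description) pairs and record hours elapsed since the first event."""
    parsed = sorted((parse_ts(ts), desc) for ts, desc in events)
    t0 = parsed[0][0]
    return [
        {"ts": ts.isoformat(), "elapsed_h": round((ts - t0).total_seconds() / 3600, 2), "event": desc}
        for ts, desc in parsed
    ]


def proof_pack(artifacts: dict, events: list, collected_at: str, collector: str) -> dict:
    """Assemble the proof pack: integrity manifest plus the ordered remediation timeline."""
    return {
        "manifest": build_manifest(artifacts, collected_at, collector),
        "timeline": remediation_timeline(events),
    }


if __name__ == "__main__":
    detected = "2025-03-01T02:40:51Z"
    events = [  # constructed incident timeline
        ("2025-03-01T05:15:00Z", "Compromised svc-backup credentials revoked"),
        (detected, "EDR alert on ws-0142"),
        ("2025-03-01T03:30:00Z", "Host isolated, incident declared"),
    ]
    pack = proof_pack(ARTIFACTS, events, "2025-03-01T05:40:51Z", "ir-team")
    print(json.dumps(pack, indent=2))
    print("hours left to notify:", notification_status(detected, "2025-03-01T22:40:51Z"))
    tampered = dict(ARTIFACTS)
    tampered["edr/host-alerts.json"] = b"{}"  # simulate a later edit to collected evidence
    print("altered or missing:", verify_manifest(pack["manifest"], tampered))
```

The manifest should itself be stored somewhere write-once (a separate account or immutable object storage) and the collector identity recorded, otherwise the hashes prove nothing about who touched the evidence after the fact; the timeline's elapsed-hours column is what an adjuster or regulator will read against the notification window.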
Only 10% of P&C insurers are successfully scaling AI, which suggests a massive gap between investment and results. Why is the organizational friction so high?
The industry is currently falling into a classic trap where 72% of AI investment is being funneled into technology while a mere 28% is reserved for the change management required to actually use it. This lopsided spending means that nearly half of employees report seeing absolutely no meaningful change in their daily workflows even 18 months after a new AI tool has been deployed. Most insurers—roughly 60%—are stuck in a perpetual state of exploration or “proof-of-concept” purgatory because they haven’t redesigned their incentives or workflows to accommodate these new capabilities. Only 27% of insurers have made the effort to actually change how their teams are rewarded and structured in an AI-driven environment. To become a true AI trailblazer, executives must stop treating AI as a plug-and-play gadget and instead redirect their budgets toward redesigning the very soul of their operations, including the 42% of firms that currently fail to track any AI metrics at all.
What is the “single point of failure” risk in the cloud landscape that you believe the insurance industry is currently underappreciating?
There is a dangerous concentration of risk where a massive portion of the world’s data and security infrastructure is held by just five to ten major cloud and cybersecurity vendors. This creates a catastrophic aggregation exposure across entire insurer portfolios; if one of these “too big to fail” providers goes down, the resulting contingent business interruption could be systemic and unmanageable. Many enterprises are trying to build redundancies, but they are still struggling to fully scrutinize the deep vendor dependencies that run through their secondary and tertiary suppliers. It is the industry’s most underappreciated threat because it transforms a single technical glitch or a targeted attack on a provider into a global economic event. We are essentially watching a situation where everyone is using the same few locks on their doors, and if someone finds a master key, the entire neighborhood is compromised simultaneously.
As we look toward 2026, the concept of “trust engineering” is gaining traction. How should insurers prepare for the transition of AI from a support tool to an autonomous agent?
The move toward autonomous AI agents in underwriting and pricing represents a seismic shift that demands a framework of explainability and auditability that most firms simply don’t have yet. With the EU AI Act classifying AI-driven risk assessment in life and health insurance as high-risk, insurers are under a legal microscope to prove they have human oversight thresholds and clear data lineage. You cannot have an autonomous agent making life-altering financial decisions if you cannot explain the “why” behind its output to a regulator or a customer. This requires treating governance not as an afterthought or a “check-the-box” compliance task, but as a foundational architectural pillar that is integrated into the core system from day one. Companies that fail to master this trust engineering will find themselves sidelined by regulators who are increasingly demanding transparent, governed, and human-checked AI processes.
What is your forecast for the future of cyber claims and organizational resilience?
I predict that the next three years will see a brutal culling of firms that rely on legacy pricing tools and disconnected spreadsheets, as inflation and rising claims severity make precision the only path to profitability. We will see a massive shift where cyber insurance is no longer just about paying out a loss, but about mandating a level of digital hygiene where proof of “cyber resilience” is the only way to get covered. The insurance gap, particularly among the 67% of U.S. businesses that have faced a cyber event in the last year, will force a market correction where only those who have stress-tested their incident response plans can survive. Ultimately, we are moving toward an era where the ability to manage and preserve forensic data will be just as important as the ability to sell a policy, and those who haven’t modernized their data mapping will be crushed by the weight of their own evidence sprawl.
