Simon Glairy is a seasoned strategist at the intersection of high-stakes insurance and cutting-edge risk technology. With years of experience navigating the complexities of cyber underwriting and Insurtech innovation, he offers a unique vantage point on why the traditional insurance model is being pushed to its breaking point by the rapid evolution of artificial intelligence. Today, he shares his insights on the unsettling disconnect between plummeting cyber insurance premiums and the skyrocketing costs of digital extortion, particularly for the world’s most private and wealthy financial entities.
The conversation explores the paradoxical “softening” of the cyber insurance market where increased competition among major carriers is driving down prices even as threats become more sophisticated. We delve into the specific vulnerabilities of family offices, the alarming rise of AI-driven fraud such as deepfakes and voice cloning, and the increasingly common phenomenon of insurance claims being denied due to technicalities or misrepresentation. Furthermore, the discussion touches on the tightening regulatory environment and the shifting burden of proof from the policyholder to the insurer’s automated scanning tools.
Cyber insurance premiums are reportedly dropping by double digits even as ransomware costs nearly double. How can insurers possibly sustain this model while the financial stakes are rising so sharply?
We are witnessing a classic market paradox where the influx of new capital is temporarily masking a very dangerous reality. On one hand, you have major players like Chubb, AIG, and CNA Insurance flooding the space, which has created a fierce pricing war that is expected to drive average premiums down by another 11% in 2026. On the other hand, the actual cost of a global ransomware claim has essentially exploded, jumping from an average of $374,000 in 2024 to approximately $713,000 in 2025. This 38% surge in technology errors-and-omissions incidents highlights a structural tension that cannot last forever. Insurers are essentially betting that they can grab market share now and refine their risk models later, but with claims being denied at a staggering 40% rate, the friction between policyholders and carriers is reaching a boiling point. It feels like a race to the bottom where the winner might find themselves holding a bag of liabilities they didn’t fully price for.
The rise of AI has introduced “an entirely new attack surface” for these organizations. In your view, what makes deepfakes and AI-generated phishing so much more effective than the traditional threats we’ve seen in the past?
The sheer velocity and convincing nature of these attacks have rewritten the playbook for digital defense. Since 2022, we have seen deepfake fraud attacks skyrocket by a massive 2,137%, and in the first quarter of 2025 alone, the frequency of these incidents was 19% higher than the entire previous year. When an attacker uses a cloned voice of a high-ranking official—a tactic that helped drive a 37% rise in business email compromise incidents—the traditional “gut check” for employees disappears. These tools allow hackers to remain undetected inside a compromised system for 100 days or more, silently gathering intelligence to make their eventual strike perfectly timed. The cost to launch these AI attacks is tiny compared to the massive financial and emotional cost to defend against them, creating a lopsided battlefield where the attacker has every advantage and almost zero risk of prosecution.
Family offices are often described as being “uniquely exposed” to these risks. What specific cultural or structural gaps within these private entities are hackers currently exploiting?
Family offices often operate on a foundation of trust and speed, which, while efficient for business, is a nightmare for cybersecurity. They frequently rely on informal approval processes and the discretion of personal assistants who are conditioned to prioritize the principal’s demands over rigid security protocols. This “speed over process” mentality, combined with complex multi-generational structures, creates wide gaps that attackers can easily walk through. It is a sobering thought that nearly half of all US family offices fell victim to a cyberattack in 2025, yet only 60% of their staff feel confident they can even spot an AI-powered threat. The multi-generational aspect is particularly tricky because you have older members who may be less tech-savvy and younger members who are highly connected but perhaps less cautious about the metadata they leave behind, providing a roadmap for social engineering.
With more than 40% of cyber insurance claims now being denied, what is causing this breakdown between the coverage people think they have and what is actually being paid out?
The era of “checking the box” on a self-attestation form and walking away is officially dead. The most common reason for claim denials in 2026 has been material misrepresentation, where a forensic audit after a breach reveals that the security controls the company claimed to have in place didn’t actually exist or weren’t functioning. We are seeing roughly three out of four carriers move toward external attack surface scans during the underwriting process to verify security in real-time rather than relying on the applicant’s word. Claims are also falling through the cracks because of simple notification delays or the absence of specific policy provisions that cover evolving AI threats. When a family office realizes too late that their policy is missing a crucial rider, or that they failed to report an incident within the required window, the financial blow is often unrecoverable. It’s a harsh awakening for those who shopped for the cheapest premium without looking at the fine print of the compliance requirements.
Regulatory bodies like the SEC are tightening their grip with amendments to Regulation S-P. How will these new mandates change the day-to-day operations for smaller investment advisers and family offices?
The regulatory noose is tightening in a way that perfectly mirrors the requirements of the insurance industry, leaving very little room for error. The amendments to Regulation S-P, which took effect for smaller firms on June 3, 2026, mandate a written incident response program and a very strict 30-day window for notifying customers after a breach. This isn’t just a suggestion; the SEC’s Division of Examinations has made operational resilience against AI-related threats a top priority for fiscal year 2026. For a small family office, this means they can no longer afford to be reactive; they must have documented staff training and expanded oversight of every third-party vendor they use. The stakes are now dual-edged: failing to meet these standards doesn’t just mean a denied insurance claim, it means potentially facing severe regulatory penalties and a permanent stain on their professional reputation.
What is your forecast for the cyber insurance landscape as we move further into 2026?
I expect we will see a sharp “correction” where the benign pricing environment we’ve enjoyed suddenly evaporates as the true scale of AI-driven losses hits the balance sheets. While premiums might fall another 11% in the short term due to competition, the rate of that decline is already starting to slow, signaling that insurers are reaching their limit. We will likely move toward a hybrid model where insurance isn’t just a financial product, but a continuous monitoring service where premiums fluctuate based on the results of weekly or even daily automated security scans. The gap between those who are “insurable” and those who are “uninsurable” will widen significantly, and family offices that haven’t professionalized their cybersecurity culture will find themselves locked out of the market entirely. The “structural tension” we see today is the precursor to a major shift where data-driven proof of security will be the only currency that matters.
