Simon Glairy brings years of experience in risk management and the Insurtech market to the question of how cyber risk is priced and covered. As digital threats move from the periphery of corporate concern to the center of operational survival, Glairy has become a prominent voice on AI-driven risk assessment and the volatile cyber insurance market. In this discussion, we look past the surface-level relief of premium stabilization to the compounding risks that many organizations overlook. We cover the market "reset" of 2020, the distinction between the frequency and the severity of attacks, why pre-bind security controls now shape the limits offered rather than the price paid, and why the interplay between artificial intelligence and insurance coverage is the next frontier for risk officers.
With the dramatic rate hikes of 2020 and 2021 now largely behind us, many businesses feel a sense of relief regarding their premiums, but how would you describe the danger lurking beneath this surface-level stability?
While it is certainly a “no-brainer” for many of our clients to feel that the market is finally finding its footing from a pricing perspective, I often describe this phase as a “silent killer.” The sticker shock of previous renewal cycles may have faded, but the underlying risk is still compounding at an alarming rate, and it is truly only a matter of time before that pressure finds a release point. We are seeing a situation where insureds feel comfortable because the numbers on their invoices aren’t jumping by double digits anymore, yet the actual exposure they face grows more complex every day. This stability we are currently enjoying is cyclical and deceptive; it reflects a temporary equilibrium rather than a permanent solution to the unpredictable nature of cyber threats. In the insurance world, calm seas often precede the most significant shifts, and the accumulation of risk behind the scenes suggests that the next wave of losses could be even more impactful than what we saw during the pandemic.
Looking back at the market reset that occurred around 2020, what were the specific catalysts that forced underwriters to abandon their previous approach and demand much higher standards for entry?
The year 2020 acted as a violent wake-up call for the industry because, prior to that point, cyber insurance was widely underpriced and the barriers to entry were almost non-existent. Underwriters recognized the potential for loss in a theoretical sense, but the policies were not priced to reflect the reality of the burgeoning ransomware epidemic. That changed almost in an instant when the frequency and cost of attacks surged, forcing carriers to tighten their requirements with a level of scrutiny we hadn’t seen before. Controls like multi-factor authentication, which were once considered “nice to have,” suddenly became the absolute baseline for even being considered for a policy. This era marked the end of the “wild west” for cyber coverage, as the industry had to establish a new base level of security expectations just to remain solvent in the face of mounting claims.
Cyber risk is often described as fundamentally different from traditional property or casualty lines, so how do these unique characteristics complicate the way carriers attempt to quantify and limit their exposure?
The difficulty with cyber is that you simply cannot quantify it or “put it in a box” the same way you can with a physical asset like a building. When you insure property, you have decades of actuarial data on fire, wind, and theft, allowing you to define the risk with a high degree of mathematical certainty. Cyber attacks, by contrast, are criminal, adaptive, and geographically untethered, making them incredibly difficult to model or define within traditional insurance parameters. Carriers have tried to manage this inherent uncertainty by leaning heavily on exclusions and sublimits, particularly around headline-grabbing issues like war exclusions that dominated the conversation back in 2020. However, those specific concerns often distract from the real issue: the aggregation of risk and the fact that a single systemic failure can cause a cascade of losses across thousands of unrelated policies simultaneously.
There is a common belief that implementing advanced security controls will automatically lead to cheaper premiums, but how do these tools actually influence the underwriting process and the limits offered to a client?
It is a common misconception that having the latest endpoint detection or multi-factor authentication tools will drastically slash your premium costs. In reality, these pre-bind controls have become so foundational that they function more as a ticket to entry rather than a discount lever. What these controls truly influence is the amount of coverage you can actually secure—your limits—rather than just the price you pay. If you want a “good” policy with high limits, you absolutely have to have your technical house in order, but the two biggest factors driving your premium will always be your annual revenue and the industry class you occupy. To get the best results, a company needs a strong narrative to support why they are a better risk than their peers, explaining why they shouldn’t be sublimited for specific threats despite their size or sector.
Many organizations today seem to operate under the assumption that moving to the cloud or investing heavily in high-tech tools provides a safety net, but what are the most common misconceptions you see regarding how these investments translate into actual insurance protection?
I frequently encounter the dangerous “I’m in the cloud, I’m good” attitude, where executives assume that outsourcing their infrastructure means they can stop worrying about cyber insurance or security. This belief that “everything is in the cloud, so I don’t give a shit” is a massive blind spot because it ignores the fact that the legal and financial responsibility for data remains with the company, regardless of where the servers sit. On the other end of the spectrum, some firms invest millions in technology and then expect their insurance policy to provide blanket coverage for every conceivable mishap. They think their tech stack should entitle them to total protection, forgetting that insurance is a backstop for residual risk, not a replacement for active management. Underwriting today requires a deep dive into how these tools are actually managed, because a cloud environment that is poorly configured is often more dangerous than a well-guarded on-premise system.
While the industry previously focused heavily on things like war exclusions, you have suggested that the real looming threat involves emerging technologies like artificial intelligence, so how do you see AI reshaping the cyber landscape?
The conversation around war exclusions was very loud a few years ago, but it has largely faded as people realized that the interplay with AI is what will actually define the next decade of cyber risk. AI is the great unknown that no one is really talking about in depth yet, specifically how it will empower criminals to scale their attacks with a level of sophistication we haven’t seen before. It isn’t just about more frequent attacks; it’s about how AI can be used to bypass traditional controls or create entirely new categories of loss that our current policies aren’t designed to handle. We are entering a phase where the speed of the threat will far outpace the speed of the underwriting cycle, and carriers are going to have to find new ways to account for this AI-driven volatility. The integration of AI into both the attack vectors and the defense mechanisms will create a new kind of “arms race” that will inevitably impact how coverage is structured and what remains insurable.
What is your forecast for the cyber insurance market?
My forecast is that we are approaching the end of this current period of price stability and heading toward a market where “cyber narrative” becomes the most valuable currency a business can hold. Within the next 18 to 24 months, I expect that simply checking the boxes for MFA and EDR will no longer be enough to secure the high limits that large enterprises require. We will see a greater divergence in the market: companies that can demonstrate a proactive, AI-ready security culture will maintain access to broad coverage, while those relying on the “set it and forget it” cloud mentality will face severe sublimiting and restricted terms. Ultimately, the industry will move away from broad, all-encompassing policies toward more modular, data-driven coverage that reacts in real-time to the specific threat profile of the insured’s industry and revenue bracket.
