Cyber risk enters a new era: supply chain threats and AI sharpen the test for cyber insurers
Cyber is no longer a side product. It's now a core lever for enterprise risk - and the insurer's role is moving from indemnity payer to resilience partner.
At Tokio Marine Kiln (TMK), that shift shows up in operations, not slogans. Laila Khudairi, head of cyber, says the team starts with continuous visibility: daily scans of every insured's external network and real-time alerts on live exposures. The aim is simple - reduce loss frequency and severity before a claim exists.
From indemnity to proactive partnership
Early cyber policies were built around indemnity. Then incident response took center stage. Now the value is upstream: insurer and client working together to cut exposure.
TMK's Cyber Ctrl suite backs that up with daily scanning, targeted alerts, and an in-house tool updated three to five times per week based on active claims intel and global threat signals. That feedback loop turns portfolio knowledge into practical prevention for every insured.
The human side matters too. Vendor performance can vary, and buyers are flooded with promises. TMK curates service partners so insureds can move fast with people who deliver.
Where losses are coming from now
Third-party risk. Vendors expand attack surface and shrink visibility. You don't control their security stack, yet their weakness can become your breach. That's driving more supply chain-triggered incidents and more demand for continuous monitoring outside the perimeter.
AI-fueled impersonation and social engineering. Threat actors with native fluency and generative tools craft emails, voice, and chats that pass a quick sniff test. Impersonation looks real, and wire fraud or credential theft follows. On the defense side, EDR continues to improve - and will keep improving as models get better - but people and process still decide outcomes.
The insurer's next phase
Cyber has been criticized as reactive. That's changing. Every claim can inform controls, scanning logic, underwriting guidelines, and vendor choices. Feed that learning back into the portfolio and you lower aggregate risk - not just shift it.
TMK's approach centers on two levers: continuous external visibility and active collaboration. The goal isn't to catch everything. It's to catch what matters fast enough to change the loss curve.
Practical actions for insurers and brokers
- Require continuous external attack surface monitoring for insureds, not annual point-in-time checks. Act on high-severity findings with defined SLAs.
- Make third-party risk measurable: SBOMs for critical apps, vendor tiering, and breach propagation playbooks. Align with NIST SP 800-161 where feasible.
- Tie underwriting to controls that blunt social engineering: phishing-resistant MFA, SSO, verified call-backs for payment changes, and least-privilege access.
- Standardize EDR across endpoints with 24/7 monitoring and containment. Validate alert-to-action times in real incidents.
- Push DMARC enforcement, inbound email authentication, and banner warnings for external senders that model real risks, not just checkbox settings.
- Run social engineering simulations and report training outcomes. Reward measurable improvement with pricing or terms.
- Curate a vendor panel (IR, forensics, legal, PR, restoration) and test them through joint tabletop exercises with insureds.
- Convert claims into prevention: update scanning rules, underwriting questions, and vendor guidance after each significant event.
- For high-dependency supply chains, request compensating controls and business continuity evidence specific to the vendor's service.
- Track funds transfer fraud patterns and enforce out-of-band verification on any banking change or urgency-triggered request.
Why this works
Humans remain the weak link. Attackers exploit trust and timing; AI just makes their messages sharper. The right controls - enforced consistently - cut through that. Insurers are in a unique spot to see what fails across hundreds of incidents and push those lessons to every client.
That is the edge: shorten the loop from "we saw it" to "we fixed it." Daily scanning, fast alerts, curated partners, and claims-informed updates make it real.
Helpful resources
- Supply chain security guidance: NIST SP 800-161 Rev. 1
- Account takeover defense: CISA on phishing-resistant MFA
Optional: Upskilling your team on AI risk and security
If your underwriting, claims, or risk engineering teams need a faster grasp of AI-driven threats and defenses, see curated programs at Complete AI Training.
Bottom line: The market is maturing from indemnity to prevention. Partnership and collaboration aren't slogans - they're the control that moves loss ratios and gives clients fewer bad days.
Your membership also unlocks:
