The UK government has warned that frontier AI cyber-offence capability is now doubling roughly every four months - twice the previous rate - and that AI can find software weaknesses and write exploits at a speed and scale impossible even a year ago. Aon is calling for stronger cyber risk management in response, as its own survey finds cyber attacks and data breaches remain the top enterprise risk in 2026, with many businesses describing themselves as only somewhat prepared.
Rob Kemp, CEO of Commercial Risk in the UK for Aon, said the firm's Global Risk Management Survey shows fragmented governance and limited testing of AI-driven incident scenarios. "Some organisations are still treating AI as a future issue and delaying critical cyber risk management strategies," Kemp said. Aon stresses that AI has not changed the fundamentals of cyber risk management but has significantly increased the scale and likelihood of attacks. The broker wants businesses to focus on core controls - patching, vulnerability remediation, staff training on phishing and social engineering - and to stress-test those controls against AI-enabled scenarios, including checking whether existing policies respond to AI-related incidents.
AI acceleration outpaces corporate readiness
The government's own assessment puts hard numbers behind the warning. The AI Security Institute found that frontier AI cyber-offence capability is doubling roughly every four months, and recent testing found Anthropic's Mythos model substantially more capable at cyber offence than any system assessed before it. That pace of change means attack reconnaissance, automated exploitation and harder-to-trace attack chains are all accelerating, making it difficult for governance frameworks designed for slower-moving threats to keep up.
The attribution problem and London's wording response
Faster, more automated attacks also make it harder to quickly attribute an incident to a specific actor. Insurers spent years relying on traditional "hostile/warlike action" exclusions to deny cyberattack claims, until the 2017 NotPetya attack tested that approach. Merck & Co. v. ACE American Insurance Co. saw US courts reject the attempt to stretch a Cold War-era war exclusion to cover a Russia-linked cyberattack that caused more than $1.4 billion in losses. The dispute ended in an undisclosed settlement in early 2024, but the underlying finding stood: attribution-based exclusions were no longer reliable.
That backdrop drove the rebuild of London's model wordings for excluding state-backed cyberattacks. The LMA's LMA5567A/B clauses shift the exclusion test away from attributing an attack to a state and toward whether it caused significant impairment at a national infrastructure level. Instead of insurers and policyholders arguing over who was behind an attack before cover kicks in or drops out, the newer wording asks a more answerable question: how much damage did it actually do to critical national infrastructure. That is a practical response to a world where attribution is becoming harder to establish quickly, and where a fight over "who did this" can no longer be assumed to settle a claim.
Soft market meets tightening regulation
The UK cyber insurance market remains highly competitive even as the threat environment worsens. Cyber premiums fell by an average of 11% across 2025 while incident volumes rose to unprecedented levels, according to broker Lockton. The number of insurers underwriting cyber risk in the London market has grown from around 25 in 2020 to roughly 45 in 2025, a big reason rates keep softening. Marsh's 2026 UK cyber outlook similarly describes rising demand and expanded insurer capacity keeping premiums relatively low, with new products addressing AI-specific risk beginning to emerge.
That pricing environment sits awkwardly alongside a tightening regulatory picture. The Cyber Security and Resilience Bill, currently before the House of Lords, is expected to expand mandatory security and incident reporting requirements to a wider range of managed service providers, data centres and critical suppliers. At the same time, a GlobalData survey of UK commercial insurance brokers found more than 60% of UK SMEs still carry no cyber cover at all, even as over half of brokers surveyed expect cyber to be the strongest-growing product in their book.
What this means for brokers
A soft market gives brokers leverage to push clients toward broader cover rather than just cheaper cover. That means checking whether a client's existing wording actually responds to an AI-enabled incident rather than only a conventional data breach, understanding where the LMA5567A/B threshold would leave a client exposed if a state-linked attack fell short of "significant impairment" of national infrastructure, and using the current buyer's market to negotiate broader terms while capacity remains abundant. That leverage tends to disappear quickly once a market-changing loss event resets pricing.
Why this matters for insurance professionals
The gap between rising AI-enabled threats and still-developing governance - in both corporate risk management and insurance market exclusion wordings - means insurers and risk managers are still catching up to a threat moving faster than either side's frameworks. Brokers who can articulate how AI changes the attack tempo, and who understand the practical effect of the newer LMA clauses, will be better positioned to close coverage gaps for clients. Professionals who want to deepen their understanding of AI-specific cyber exposures can use resources such as AI for Insurance Courses to better advise on coverage gaps while the soft market still gives them negotiating power.
Your membership also unlocks: