Soft market, tougher threats: Gen AI accelerates cyber attacks as insurers fall behind

Gen AI is the new cyber battleground - are insurers falling behind?

Generative AI is speeding up both attacks and defenses. That speed is exposing a weak spot: underwriting discipline in a soft market. Leaders from Marsh, Tokio Marine, and Markel warned in London that loosened controls and cheap capacity could set the sector up for avoidable losses.

The message was blunt: the threat is moving faster than traditional insurance models. Underwriting that leans on last year's data will miss this year's attack paths.

What's changing in the threat set

• Ransomware and extortion remain the top loss driver.
• Cloud identity compromise is surging as attackers pivot around perimeter tools.
• Software and services supply chain attacks are more frequent and harder to contain.
• AI-enabled social engineering is more convincing, more scalable, and harder to spot.
• Nation-state activity is increasingly aimed at operational technology.

"There isn't one single critical threat anymore… the list is getting longer," said Kelly Butler, managing director and head of cyber for the UK at Marsh Specialty.

Daljitt Barn, global head of cyber risk at Tokio Marine, noted that attackers are now using AI to automate phishing at scale. On the other side, carriers are deploying AI to continuously scan environments and flag unpatched vulnerabilities.

M&S breach: the lesson insurance teams should not ignore

The Marks & Spencer incident showed how identity gaps beat perimeter tools. Attackers reportedly exploited the help desk to generate fresh credentials and move with intent.

"Even the biggest corporates struggle with identity governance," said Barn. The takeaway for boards is shifting: coverage matters, but restoration speed matters more. Matthias Schneider, chief risk officer at Markel, pressed the need for liquidity planning and resilience tests: insurance supports recovery, but it is not the entire plan.

Soft market pressures are testing underwriting standards

Capacity is back, competition is heavy, and minimum security requirements are at risk of being watered down. "Some of the hygiene is being forgotten about. That's dangerous," Butler said.

The carriers most likely to endure will pair threat intelligence, continuous monitoring, and hands-on advisory with the policy. Barn added that the painful lessons from 2019-2021 are pushing a services-first mindset, backed by intelligence-led tools.

Underwriting needs real-time intelligence, not rearview mirrors

Historical claims data ages out quickly in cyber. "By the time you collect the data, the risk has already changed," Butler said. Continuous monitoring and AI-driven predictive models, combined with rapid client communication, form the new baseline.

Schneider highlighted that better documentation and higher-quality data improve model outcomes. Put simply: better data feeds better AI, and better AI sharpens underwriting.

What carriers and brokers should do now

• Reset minimum controls: phishing-resistant MFA, strict identity governance, privileged access management, endpoint detection with isolation, immutable/offline backups, and tested restore procedures.
• Close identity blind spots: monitor help desk credential workflows, enforce just-in-time access, and kill dormant accounts quickly.
• Track cloud posture in real time: misconfigurations and token abuse are driving losses.
• Stress test recovery: define time-to-restore targets, validate backup integrity, and run cross-functional tabletop exercises quarterly.
• Tie liquidity to downtime: map cash burn per day of outage; confirm accessible credit lines.
• Adopt intelligence-led underwriting: blend external attack surface data, vulnerability telemetry, and control effectiveness signals into pricing and terms.
• Attach services to the policy: continuous monitoring, patch orchestration, identity hardening, and incident response retainers with clear SLAs.
• Standardize on proven frameworks and playbooks such as the NIST Cybersecurity Framework (NIST CSF) and CISA's ransomware guidance (CISA Stop Ransomware).

Model updates insurers should prioritize

• Move from static questionnaires to continuous control validation and telemetry.
• Score identity maturity (MFA quality, conditional access, service account governance) as a core rating factor.
• Price to restoration capability: tested RTO/RPO, IR retainers, and backup recoverability.
• Use near-real-time threat intel to adjust endorsements and notify insureds of emerging exposures.
• Institute model governance to monitor drift, false positives, and bias in AI scoring.

Broker talking points for boardrooms

• How fast can we recover core revenue functions if identity is compromised?
• What is our daily outage cash burn, and how many days can we self-fund?
• Have we tested restore from clean, immutable backups in the last 90 days?
• Which third parties (SaaS, MSPs, payroll, comms) are single points of failure?
• Who has authority to trigger the "go" plan at hour zero, and what SLAs back our IR team?

The bottom line

Gen AI has tilted the field toward speed. That rewards carriers and clients who keep underwriting tied to live telemetry, identity strength, and recovery readiness-not cheap limits and optimistic questionnaires.

Don't relax controls to win quotes. Invest in intelligence, monitoring, and restoration. That's how you write profitable cyber in a soft market.

Team enablement: If your underwriting, claims, or risk advisory teams need a fast primer on AI and automation fundamentals, explore focused options here: AI courses by job.