Cyber extortion is shifting to data exposure and long-tail liability Ransomware is evolving. Initial ransom demands rose significantly in 2025, and most events now involve both encryption and data theft. At the same time, “data-only” extortion is increasing, where attackers skip disruption and go straight to leveraging stolen data. What insurance leaders should care about: The real risk is now what happens after the event. This includes regulatory scrutiny, customer notification, litigation, and operational disruption. Backups help restore systems, but they do not solve stolen-data exposure.
|
|
|
|
|
New York remains the benchmark for cyber governance and incident responseNYDFS continues to set the standard. Requirements include 72-hour incident notification, 24-hour extortion payment notification, and detailed follow-up reporting. Recent guidance also reinforces strong third-party risk management expectations. What insurance leaders should care about: Regulators expect documented, timely, and defensible decisions, not just technical response. If a vendor or TPA has an incident, your organization is still accountable for governance, escalation, and communication.
|
|
|
AI regulation is accelerating, with Florida adding momentum AI oversight is moving from guidance to enforcement. The NAIC’s AI evaluation tools are entering exam use in 2026, while more than half of states have adopted or aligned to the NAIC AI Model Bulletin. At the same time, Florida’s HB 527 is advancing expectations around transparency and responsible use of automated decision-making. What insurance leaders should care about: AI governance is now a multi-state regulatory expectation. If AI supports underwriting, claims, fraud detection, or customer engagement, regulators may expect documented oversight, accountability, and evidence of fair outcomes. Florida’s movement increases urgency for Southeast-based insurers and MGAs. For a practical multi-state view: https://fivem.llc/ai-regulation-by-state/
|
|
|
|
|
Privacy exposure is expanding beyond breach responseNew and updated state privacy laws took effect in 2026, including enhanced California requirements around risk assessments and automated decision-making. Regulators are also increasing enforcement around how companies use consumer data, not just how they protect it. What insurance leaders should care about: Privacy risk is no longer limited to breaches. Website tracking, analytics tools, marketing practices, and data-sharing arrangements are now under scrutiny. Many insurance organizations still have exposure despite GLBA-related assumptions.
|
|
|
|
|
Cyber insurance claims continue to rise sharply, even as premiums stabilize. This signals that loss activity remains elevated and that fraud, business interruption, and privacy exposure continue to drive claims.
|
|
|
Priority Actions for Insurance Leaders (Next 60 Days)Priority 1 — Strengthen financial and claims payment controls
Implement out-of-band verification for payments, vendor changes, and approvals. Assume communications can be convincingly spoofed. Priority 2 — Establish a defensible AI governance baseline Document AI use cases, assign accountability, and define oversight for internal and third-party AI tools, aligned to emerging state expectations. Priority 3 — Reassess third-party and privacy risk together Focus on vendors critical to operations and data handling. Validate notification obligations, data use practices, and alignment with evolving privacy laws.
|
Cyber risk in 2026 is no longer just about stopping attacks. It is about preventing financial loss, governing AI responsibly, managing third-party exposure, and being able to defend leadership decisions under regulatory scrutiny.
|
|
|
If your organization cannot clearly demonstrate how it prevents payment fraud, governs AI use, and manages third-party risk, now is the time to close those gaps. → Consider a focused executive review to assess readiness, align to current regulatory expectations, and identify the top 3 actions that will materially reduce risk in the next 90 days.
|
|
|
|
|