March, 2026

Cyber risk for insurers, MGAs, and MGUs is increasingly driven by fraud, AI governance, third-party dependency, and regulator expectations, not just system compromise. Here’s what matters now.

AI-enabled payment fraud is now a frontline insurance risk

Recent claims data shows attackers are still getting in through people. Coalition reports that business email compromise and funds transfer fraud account for 58% of claims, with 71% of fraud driven by social engineering, now amplified by AI-generated emails, voice cloning, and deepfakes.

What insurance leaders should care about: This is no longer just a training issue. It is a financial control issue. Claims payments, vendor changes, and executive approvals should all be assumed vulnerable to manipulation and require stronger verification controls.

Cyber extortion is shifting to data exposure and long-tail liability

Ransomware is evolving. Initial ransom demands rose significantly in 2025, and most events now involve both encryption and data theft. At the same time, “data-only” extortion is increasing, where attackers skip disruption and go straight to leveraging stolen data.

What insurance leaders should care about: The real risk is now what happens after the event. This includes regulatory scrutiny, customer notification, litigation, and operational disruption. Backups help restore systems, but they do not solve stolen-data exposure.

New York remains the benchmark for cyber governance and incident response

NYDFS continues to set the standard. Requirements include 72-hour incident notification, 24-hour extortion payment notification, and detailed follow-up reporting. Recent guidance also reinforces strong third-party risk management expectations.

What insurance leaders should care about: Regulators expect documented, timely, and defensible decisions, not just technical response. If a vendor or TPA has an incident, your organization is still accountable for governance, escalation, and communication.

AI regulation is accelerating, with Florida adding momentum

AI oversight is moving from guidance to enforcement. The NAIC’s AI evaluation tools are entering exam use in 2026, while more than half of states have adopted or aligned to the NAIC AI Model Bulletin. At the same time, Florida’s HB 527 is advancing expectations around transparency and responsible use of automated decision-making.

What insurance leaders should care about: AI governance is now a multi-state regulatory expectation. If AI supports underwriting, claims, fraud detection, or customer engagement, regulators may expect documented oversight, accountability, and evidence of fair outcomes. Florida’s movement increases urgency for Southeast-based insurers and MGAs.

For a practical multi-state view: https://fivem.llc/ai-regulation-by-state/

Privacy exposure is expanding beyond breach response

New and updated state privacy laws took effect in 2026, including enhanced California requirements around risk assessments and automated decision-making. Regulators are also increasing enforcement around how companies use consumer data, not just how they protect it.

What insurance leaders should care about: Privacy risk is no longer limited to breaches. Website tracking, analytics tools, marketing practices, and data-sharing arrangements are now under scrutiny. Many insurance organizations still have exposure despite GLBA-related assumptions.

Trend Signal

Cyber insurance claims continue to rise sharply, even as premiums stabilize. This signals that loss activity remains elevated and that fraud, business interruption, and privacy exposure continue to drive claims.

Priority Actions for Insurance Leaders (Next 60 Days)

Priority 1 — Strengthen financial and claims payment controls

Implement out-of-band verification for payments, vendor changes, and approvals. Assume communications can be convincingly spoofed.

Priority 2 — Establish a defensible AI governance baseline

Document AI use cases, assign accountability, and define oversight for internal and third-party AI tools, aligned to emerging state expectations.

Priority 3 — Reassess third-party and privacy risk together

Focus on vendors critical to operations and data handling. Validate notification obligations, data use practices, and alignment with evolving privacy laws.

Cyber risk in 2026 is no longer just about stopping attacks. It is about preventing financial loss, governing AI responsibly, managing third-party exposure, and being able to defend leadership decisions under regulatory scrutiny.

If your organization cannot clearly demonstrate how it prevents payment fraud, governs AI use, and manages third-party risk, now is the time to close those gaps.


→ Consider a focused executive review to assess readiness, align to current regulatory expectations, and identify the top 3 actions that will materially reduce risk in the next 90 days.

FiveM Consulting | Your Partner in Insurance Transformation

facebook logo

Copyright © {{right_now.year}}  {{location.name}}, All rights reserved.

Our mailing address is:
{{location.email}}

Want to change how you receive these emails?
You can unsubscribe from this list.