AI governance is becoming a multi-state regulatory expectation The NAIC’s AI evaluation tools are entering exam use, while more states continue aligning to the AI Model Bulletin. States such as Utah are advancing AI governance frameworks that emphasize transparency, accountability, and oversight of automated decision-making. What insurance leaders should care about: AI governance is now a multi-state regulatory expectation. If AI supports underwriting, claims, fraud detection, or customer engagement, regulators may expect documented oversight, accountability, and evidence of fair outcomes. This is no longer limited to large or coastal states, and expectations are expanding across multiple jurisdictions. For a practical multi-state view: https://fivem.llc/ai-regulation-by-state/
|
|
|
|
|
Third-party dependency remains a primary operational riskIncidents involving SaaS providers, TPAs, and IT service providers continue to demonstrate that organizations can experience disruption even when internal controls are strong. Operational reliance on external platforms remains a key exposure. What insurance leaders should care about: A vendor incident can disrupt claims processing, billing, or customer service. Regulators and customers will not distinguish between your systems and your third parties when operations are impacted.
|
|
|
Privacy risk is expanding beyond breach response State privacy enforcement continues to evolve, with increased focus on how organizations collect, use, and share consumer data. Areas such as website tracking, analytics tools, and data-sharing practices are under greater scrutiny. What insurance leaders should care about: Privacy risk is no longer limited to breaches. Website tracking, analytics tools, marketing practices, and data-sharing arrangements are now under scrutiny, and many insurance organizations still have exposure despite GLBA-related assumptions.
|
|
|
|
|
Cyber insurance claims activity remains elevated, with fraud, business interruption, and privacy-related losses continuing to drive frequency and severity. What insurance leaders should know: Cyber loss is now a predictable business risk, reinforcing the need to align controls with financial processes, data use, and third-party exposure.
|
|
|
Priority Actions for Insurance Leaders (Next 60 Days)Priority 1 — Strengthen financial and claims payment controls
Implement out-of-band verification for payments, vendor changes, and approvals. Assume communications can be convincingly spoofed. Priority 2 — Establish a defensible AI governance baseline Document AI use cases, assign accountability, and define oversight aligned to emerging state expectations. Priority 3 — Reassess third-party and privacy risk together Focus on vendors critical to operations and data handling. Validate notification obligations, data use practices, and alignment with evolving privacy laws.
|
Cyber risk in 2026 is no longer just about stopping attacks. It is about preventing financial loss, governing AI responsibly, managing third-party exposure, and being able to defend leadership decisions under regulatory scrutiny.
|
|
|
If your organization cannot clearly demonstrate how it prevents payment fraud, governs AI use, and manages third-party risk, now is the time to close those gaps. → Consider a focused executive review to assess readiness, align to current regulatory expectations, and identify the top 3 actions that will materially reduce risk in the next 90 days
|
|
|
|
|