April, 2026

Cyber risk for insurers, MGAs, and MGUs is becoming more immediate and harder to validate. AI is accelerating fraud, regulators are sharpening expectations around governance, and third-party dependencies continue to expose operations. Here’s what matters now.

AI-enabled payment fraud continues to drive financial loss

Attackers are increasingly using AI to enhance impersonation, including more convincing emails and voice-based scams tied directly to payment workflows. Business email compromise and funds transfer fraud remain leading causes of loss across cyber claims. At the same time, AI is now being used to generate fake supporting evidence, including realistic images of vehicle damage, to validate fraudulent insurance claims.

What insurance leaders should care about: Speed is now the risk. Fraud attempts are happening in minutes, not days, leaving little time for human judgment. Claims payments, vendor changes, and executive approvals should be assumed vulnerable and require strong, independent verification controls. Organizations should also recognize that evidence itself, including images submitted with claims, can no longer be assumed authentic without validation.

AI governance is becoming a multi-state regulatory expectation

The NAIC’s AI evaluation tools are entering exam use, while more states continue aligning to the AI Model Bulletin. States such as Utah are advancing AI governance frameworks that emphasize transparency, accountability, and oversight of automated decision-making.

What insurance leaders should care about: AI governance is now a multi-state regulatory expectation. If AI supports underwriting, claims, fraud detection, or customer engagement, regulators may expect documented oversight, accountability, and evidence of fair outcomes. This is no longer limited to large or coastal states, and expectations are expanding across multiple jurisdictions.


For a practical multi-state view: https://fivem.llc/ai-regulation-by-state/

Third-party dependency remains a primary operational risk

Incidents involving SaaS providers, TPAs, and IT service providers continue to demonstrate that organizations can experience disruption even when internal controls are strong. Operational reliance on external platforms remains a key exposure.

What insurance leaders should care about: A vendor incident can disrupt claims processing, billing, or customer service. Regulators and customers will not distinguish between your systems and your third parties when operations are impacted.

Privacy risk is expanding beyond breach response

State privacy enforcement continues to evolve, with increased focus on how organizations collect, use, and share consumer data. Areas such as website tracking, analytics tools, and data-sharing practices are under greater scrutiny.

What insurance leaders should care about: Privacy risk is no longer limited to breaches. Website tracking, analytics tools, marketing practices, and data-sharing arrangements are now under scrutiny, and many insurance organizations still have exposure despite GLBA-related assumptions.

Trend Signal

Cyber insurance claims activity remains elevated, with fraud, business interruption, and privacy-related losses continuing to drive frequency and severity.

What insurance leaders should know:
Cyber loss is now a predictable business risk, reinforcing the need to align controls with financial processes, data use, and third-party exposure.

Priority Actions for Insurance Leaders (Next 60 Days)

Priority 1 — Strengthen financial and claims payment controls

Implement out-of-band verification for payments, vendor changes, and approvals. Assume communications can be convincingly spoofed.

Priority 2 — Establish a defensible AI governance baseline

Document AI use cases, assign accountability, and define oversight aligned to emerging state expectations.

Priority 3 — Reassess third-party and privacy risk together

Focus on vendors critical to operations and data handling. Validate notification obligations, data use practices, and alignment with evolving privacy laws.

Cyber risk in 2026 is no longer just about stopping attacks. It is about preventing financial loss, governing AI responsibly, managing third-party exposure, and being able to defend leadership decisions under regulatory scrutiny.

If your organization cannot clearly demonstrate how it prevents payment fraud, governs AI use, and manages third-party risk, now is the time to close those gaps.


Consider a focused executive review to assess readiness, align to current regulatory expectations, and identify the top 3 actions that will materially reduce risk in the next 90 days

FiveM Consulting | Your Partner in Insurance Transformation

facebook logo

Copyright © {{right_now.year}}  {{location.name}}, All rights reserved.

Our mailing address is:
{{location.email}}

Want to change how you receive these emails?
You can unsubscribe from this list.