May, 2026

Regulators moved this week. So did ransomware groups. AI just changed how fast attackers find and exploit software flaws. For insurance leaders, the question is no longer whether the risk is real. It is whether the organization can respond fast enough.

NYDFS issued a heightened-threat warning this week, and named AI as the trigger

On May 22nd, the New York Department of Financial Services issued new guidance warning banks, insurers, and other regulated entities to step up their defenses when cyber risks are significantly elevated. NYDFS specifically named the release of frontier AI models as a condition that triggers a heightened threat environment, alongside geopolitical events with potential to increase cyberattack risk.

This is the first time NYDFS has directly connected frontier AI model releases to a formal threat posture designation. For insurance leaders, that is not an abstract regulatory update.

Source: Insurance Journal, May 22, 2026 (insurancejournal.com)

What insurance leaders should care about: NYDFS regulates thousands of insurance entities. A heightened-threat designation means reviewing your incident response plan, confirming access controls are current, and making sure your team knows the escalation path before something happens. Document the review. That documentation may matter in an exam.

AI just made your software vulnerabilities a faster liability

Cybersecurity firms reported this month that frontier AI models can now identify software vulnerabilities and map them to working exploits in near-real time. What used to take months now takes hours. CISA responded by actively discussing compressing the remediation window for known exploited vulnerabilities to as little as three days.

Most insurance organizations are still operating on 30- to 90-day patch cycles. That gap is now a business risk, not just an IT concern.

The claims data reinforces the point. In 2025, remote access services were the entry point in 87% of ransomware claims. VPN compromises alone accounted for 73% of ransomware intrusions where an entry vector was identified. Those are not obscure systems. They are the same technologies your employees, vendors, and brokers use every day.

Source: At-Bay 2026 InsurSec Report (helpnetsecurity.com)  |  CISA KEV remediation discussion (executivegov.com)

What insurance leaders should care about: Know which of your systems face the internet. Know whether your vendors are patching on a timeline that matches the current threat environment. AI-accelerated exploitation does not wait for your next quarterly review. Patching speed is now a direct operational risk.

Ransomware groups are actively targeting insurers right now

The Everest ransomware group listed Liberty Mutual on its dark web leak site in early May, claiming to hold policyholder files including names, addresses, policy numbers, and financial details. Days before that, the same group listed Frost Bank and Citizens Financial Group. Both banks later attributed the breach to a third-party vendor, not a direct attack on their own networks.

This is not a trend to watch. It is happening now, in your sector.

Source: Cybernews, May 2026 (cybernews.com)

What insurance leaders should care about: The third-party attribution in the banking incidents is the part that should concern every insurance executive. Your biggest exposure may not come from a direct attack. A vendor that processes claims, manages billing, or handles policyholder data carries your risk. When that vendor gets hit, your policyholders and your regulators look to you.

Shadow AI is a governance problem, and exams are getting closer

Employees using unauthorized AI tools create real exposure when underwriting data, claims records, or customer information flows into public platforms without guardrails. The intent is rarely malicious. The risk is real regardless.

The NAIC AI Model Bulletin entered active exam use in 2026. If AI supports underwriting, claims, fraud detection, or customer service at your organization, regulators may expect documented oversight, accountability, and evidence of fair outcomes. Most insurance organizations are not ready for that question.

Reference: FiveM AI Regulation Tracker (fivem.llc/ai-regulation-by-state/)

What insurance leaders should care about: You do not need a complex AI governance program to start. You need a current inventory of where AI is being used, which tools are approved, what data flows through them, and who owns each use case. That document alone answers most of what an examiner would ask.

AI supply chain visibility just became a compliance expectation

CISA and G7 partners published joint guidance on May 13th outlining minimum elements for an AI Software Bill of Materials. The framework gives organizations a structured way to document what is inside the AI systems they use, including models, datasets, infrastructure, and third-party providers.

Insurance organizations relying on vendor-provided AI for underwriting automation, fraud detection, or claims workflows often have no clear picture of what those tools are built on or where the data goes. This guidance puts that gap directly in scope for security and compliance programs.

Source: CISA, May 13, 2026 (cisa.gov)

What insurance leaders should care about: You are accountable for the AI your vendors run on your behalf, not just the AI your team builds. Start with your highest-risk vendor relationships and ask: what AI is embedded in this service, what data does it process, and does the vendor have documented security controls for that AI? Those answers belong in your vendor contracts.

Trend Signal

Every major regulatory and security body moved in the same direction this month. NYDFS issued a heightened-threat warning that explicitly ties frontier AI to elevated cyber risk. CISA is pushing toward three-day remediation windows. G7 partners published AI supply chain transparency standards. Ransomware groups listed a major insurer and two banks within 30 days of each other.

The speed of the threat is now outpacing most organizations' governance and response cycles. That is the gap to close.

What insurance leaders should know:
Governance, patching, vendor oversight, and incident response all need to run faster than they did 18 months ago. Not because the frameworks changed, but because the adversary timeline did.

Priority Actions for Insurance Leaders (Next 60 Days)

Priority 1 — Respond to the NYDFS heightened-threat

Review your incident response plan and confirm escalation procedures are current. Make sure IT and security contacts are reachable and your team knows what an elevated threat posture requires. Document the review.

Priority 2 — Pressure-test your vendor exposure

Pick your top two or three vendors who touch claims, billing, or policyholder data. Walk through a ransomware scenario: the vendor goes down today. What breaks, who calls whom, and when do you notify your regulator? That 30-minute conversation will tell you more than any written assessment.

Priority 3 — Build an AI governance inventory

List every AI tool in active use, including tools embedded in vendor platforms. For each, document the business owner, what data it touches, who approved it, and whether it is covered in your cybersecurity risk assessment. One page is enough to start.

NYDFS issued a heightened-threat warning today. Ransomware groups targeted a major insurer and two banks last month, and blamed vendors. AI is changing how fast exploits happen. Your response does not need to be complicated. It needs to move.

 

If any of these risks are live at your organization, the next 60 days matter more than the next planning cycle.

If you want a second set of eyes on your incident response plan, vendor exposure, or AI governance inventory, I'm happy to spend 30 minutes walking through it with you. No agenda. Just a focused conversation on where your biggest gaps are right now.

Schedule a 30-Minute Call

FiveM Consulting | Your Partner in Insurance Transformation

facebook logo

Copyright © {{right_now.year}}  {{location.name}}, All rights reserved.

Our mailing address is:
{{location.email}}

Want to change how you receive these emails?
You can unsubscribe from this list.