Cyber insurers' self‑preparedness gap
A new Triple‑I study finds gaps in insurers' own cyber readiness, and industry conference takeaways show a shift from AI hype to governance and practical controls. Insurers are thus cautious about reshaping cyber coverage even as vendors pitch AI tools, which means buyers are prioritising signal quality and operational realism. (insurancebusinessmag.com, touchdownpr.com, blog.rankiteo.com)
Cyber insurers sell a strange promise. They tell other companies how to survive a breach, how to price digital risk, and which controls matter enough to become conditions of coverage. Now a new study asks a simple question: how well are insurers protecting themselves? The answer is awkward. A report released on April 2 by the Insurance Information Institute (Triple-I) and incident-response firm Fenix24 found that property and casualty insurers have made real security investments but still show gaps in patching cadence, authentication practices, and recovery testing. Those are not cosmetic flaws. They are the same weaknesses that turn a bad intrusion into a business-wide failure. (iii.org)

The report matters because insurers are unusually exposed. They hold sensitive customer and claims data. They sit inside a web of brokers, vendors, and policyholders. They also shape the rules for everyone else. Triple-I called this a paradox: insurers assess cyber risk for clients while needing to prove that their own defenses meet rising standards. Fenix24's contribution was more pointed. Many organizations rehearse for storms and ordinary IT outages, the firm said, but not for ransomware campaigns that take out identity systems, virtual machines, hypervisors, and email all at once. Recovery in that scenario is not just restoring backups. It is rebuilding the nervous system of the company. (iii.org)

That is why the most revealing part of the study is not that backups exist. It is that testing often happens under tidy conditions. The report says most insurers use immutable backups across critical systems and most say they can meet recovery objectives for top-tier assets. But it also warns that "immutable" has no universal definition and that best practice is full-network recovery testing, not isolated drills on a single system. The distinction matters in practice: a backup that an administrator account can still delete, or whose retention that account can shorten, is only as immutable as that account is hard to compromise, and ransomware intrusions are typically run from exactly such accounts. In other words, insurers may be measuring readiness in the lab while attackers will test it in the wild. (fenix24.com)
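As an added illustration (written for this page, not code or methodology from Triple-I or Fenix24), the following Python check scores a backup inventory against the two points above: whether each tier-1 backup would survive an attacker who already holds backup-admin credentials, and whether any recovery exercise rebuilt every tier-1 system together on an isolated network within the tightest recovery time objective. The immutability tiers, the fictional carrier inventory, the 30-day minimum retention and the 180-day test-age threshold are all assumptions of the example; only the AWS S3 Object Lock behaviour it encodes (compliance mode cannot be shortened by any principal, governance mode can be bypassed with the `s3:BypassGovernanceRetention` permission) is a documented product fact.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Strength of a backup's "immutability" against the threat model that matters
# for ransomware: the attacker already holds admin credentials for the backup
# platform. The tiers are an assumption of this example, not an industry standard.
IMMUTABILITY = {
    "s3_object_lock_compliance": 3,  # retention cannot be shortened, even by the root account
    "offline_tape": 3,               # physically air-gapped
    "s3_object_lock_governance": 2,  # bypassable with s3:BypassGovernanceRetention
    "versioning_only": 1,            # an admin can purge old versions
    "snapshot": 1,                   # deletable with storage-admin rights
    "none": 0,
}


@dataclass
class System:
    name: str
    tier: int            # 1 = identity, hypervisor, email, core databases
    backup_mode: str     # key into IMMUTABILITY
    retention_days: int
    rto_hours: int       # recovery time objective


@dataclass
class RecoveryTest:
    when: date
    restored: frozenset  # names of systems restored together in one exercise
    isolated: bool       # restored into a clean network, not production
    hours_taken: int     # wall-clock time until everything in `restored` was usable


def survives_admin_compromise(system, min_retention_days=30):
    """True only if a compromised backup admin cannot delete the recovery
    point before the retention window closes."""
    return (IMMUTABILITY.get(system.backup_mode, 0) >= 3
            and system.retention_days >= min_retention_days)


def full_network_tests(systems, tests):
    """Tests that rebuilt every tier-1 system together on an isolated network."""
    tier1 = {s.name for s in systems if s.tier == 1}
    return [t for t in tests if tier1 <= t.restored and t.isolated]


def assess(systems, tests, today, max_test_age_days=180):
    """Return a list of human-readable findings; empty means no gap found."""
    findings = []
    for s in systems:
        if s.tier == 1 and not survives_admin_compromise(s):
            findings.append(f"{s.name}: '{s.backup_mode}' with {s.retention_days}d "
                            f"retention is deletable by a compromised backup admin")
    full = full_network_tests(systems, tests)
    if not full:
        findings.append("no test restored all tier-1 systems together on an isolated network")
        return findings
    latest = max(full, key=lambda t: t.when)
    if today - latest.when > timedelta(days=max_test_age_days):
        findings.append(f"last full-network test was {(today - latest.when).days} days ago")
    # All tier-1 systems came back in one exercise, so the exercise must fit
    # the tightest tier-1 objective or at least one system missed its RTO.
    tightest_rto = min(s.rto_hours for s in systems if s.tier == 1)
    if latest.hours_taken > tightest_rto:
        findings.append(f"full rebuild took {latest.hours_taken}h, exceeding the tightest "
                        f"tier-1 RTO of {tightest_rto}h")
    return findings


# Constructed inventory for a fictional carrier (not data from the report).
SYSTEMS = [
    System("AD domain controllers", 1, "snapshot", 14, 8),
    System("Hypervisor cluster", 1, "s3_object_lock_governance", 30, 24),
    System("Email", 1, "s3_object_lock_compliance", 35, 24),
    System("Claims DB", 1, "s3_object_lock_compliance", 60, 12),
    System("Intranet wiki", 3, "versioning_only", 7, 72),
]
TESTS = [
    # A tidy single-system drill: proves little about a full-network rebuild.
    RecoveryTest(date(2026, 1, 15), frozenset({"Claims DB"}), True, 6),
    # A genuine full-network exercise, but slower than the identity layer's RTO.
    RecoveryTest(date(2025, 11, 2),
                 frozenset({"AD domain controllers", "Hypervisor cluster",
                            "Email", "Claims DB"}), True, 30),
]


def demo(today=date(2026, 4, 2)):
    return assess(SYSTEMS, TESTS, today)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Two of the three findings the sample produces are about backups that look immutable on a slide but not under a compromised-admin model (a plain snapshot and a governance-mode lock), which is the definitional gap the report flags; the third is that the one real full-network rebuild overran the identity layer's objective, something an isolated single-system drill would never have surfaced.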
This self-preparedness gap lands at a moment when the cyber industry is trying to decide what AI is actually for. At RSAC 2026 the tone shifted. AI was still everywhere, but the useful conversations were no longer about whether a product had AI inside it. They were about ownership, accountability, trusted telemetry, and whether anyone could explain what the system really did. Touchdown PR's roundup from the conference captured that mood: the companies that stood out were the ones that connected AI to real problems and real outcomes, not the ones that simply said "AI" the loudest. (touchdownpr.com)

That change in tone helps explain why insurers are moving carefully. Underwriting is a precision business, and generative AI is not a precision tool by default. Rankiteo, in a vendor blog that is plainly selling its own approach, still puts its finger on the real issue: hallucinated or low-quality signals are poison in pricing. If an AI system wrongly reports that a company has strong endpoint protection or mature controls, the carrier can underprice the risk and discover the mistake only after a claim. That is one reason insurers have been reluctant to push generic AI deeper into core pricing workflows, even as AI vendors keep pitching exactly that. (blog.rankiteo.com)

The market gives them room to hesitate. Cyber insurance is still growing, with Triple-I citing Munich Re figures that put net premiums written at $15.3 billion in 2024 and $16.3 billion in 2025. Gallagher's 2026 market outlook describes a market that largely stabilized through 2025, with flat pricing for many buyers but sharper scrutiny in sectors with ugly claims experience or systemic exposure. That is not a market under pressure to make reckless bets on flashy tools. It is a market trying to avoid being surprised. (iii.org)

The claims data also point away from hype and toward mundane control failures. Triple-I says ransomware drew the most attention but accounted for only 19 percent of reported cyber claims in 2023, while business email compromise and funds transfer fraud together made up 56 percent. NetDiligence data in the same release put the average ransomware incident at about $1 million, with business interruption driving roughly half the cost. Coalition, writing last year about AI-shaped threats, described how deepfakes and AI-assisted phishing are pushing social engineering losses into a gray area between cyber and crime coverage. Buyers are left asking less glamorous questions than vendors would like: Which signals can an underwriter trust? Which losses are actually covered? Which controls will still work when the identity layer is gone? (iii.org)