Digital Insurance contacted insurance professionals to comment on cybersecurity trends for 2025.
The experts suggest generative AI, regulations and cyber insurance will all play a role in cybersecurity next year.
Responses have been lightly edited for clarity.
Steve Durbin, Chief Executive, Information Security Forum
Rolling into 2025, we expect increasingly sophisticated cyber incidents, especially in the area of AI-fueled phishing and synthetic media (deepfake) campaigns leading to higher probability of ransomware recovery efforts. Organizations will increasingly prioritize cyber resilience, prioritize business continuity planning and policies that will include surviving cyberattacks without readily available access to computer systems and networks.
Expect a sharper focus on embedding meaningful risk mitigations in the corporate DNA including crucial threat preparedness measures needed to attain peace of mind and operational stability for countering the general malaise felt in boardrooms and on Main Street against a backdrop of continuing geopolitical unrest.
Michelle Drolet, CEO of Towerwall
In 2025, businesses accepting credit card or digital wallet payments will need to meet the PCI DSS 4.0 compliance requirements by March or risk hefty fines and penalties.
Key measures include deploying web application firewalls, enhancing anti-phishing tools, implementing multi-factor authentication, using a minimum of 12-character passwords, and leveraging automated log analysis tools like SIEM to safeguard data. These steps will be crucial for protecting customer information and maintaining security integrity.
Paul Handy, global head of cyber, Crawford Global Technical Services
We will see a broadening of differentiation between solutions and products for the large and mid to small cyber markets in 2025, aligned to a greater understanding and approach to managing cyber risk. Almost all larger organizations now have business continuity arrangements that address cyber risk, often including expert retainer solutions, and the main insurance driver for these organizations is the cover available and the cost of risk transfer, rather than on value-added services or embedded tooling to help improve and manage risk.
For the SME space, however, we will continue to see the development of managed risk solutions, and more 'off the shelf' or localized products with stricter terms and imposed response or claims models.
Alvito Vaz, business manager for ID Federation
In 2025, agent-carrier connectivity will continue to get more difficult as carriers continue to implement multi-factor authentication. Today most agents use MFA six or more times each day and that will double as regulatory changes mandate MFA for all external connections.
Agents need to work with carrier partners to have secure connections with operational efficiency.
Richard DePiero, EVP, head of Sompo Pro, Sompo North America
Despite industry focus on large catastrophic cyber events, 2024 brought quite a few mini catastrophic (mini cat) events and smaller supply chain interruptions, with examples of Change Healthcare, CDK, CrowdStrike, and Snowflake, among others. The loss/claims from these events have been slow to materialize, but as they mature in 2025, they are expected to cause greater losses than anticipated by many.
At the same time, we can expect these mini cat events will continue to occur, particularly impacting insurance portfolios that are concentrated in affected industries.
Andy Logani, chief digital officer at EXL
The evolving landscape of cyber threats and regulatory requirements is pushing organizations to rethink their cybersecurity strategies. CISOs now face heightened expectations, especially with new reporting mandates. Public companies are required to annually report on their cybersecurity risk processes in SEC Form 10-K filings, detailing how they assess, identify, and manage material risks, alongside the board's oversight role. Additionally, the requirement to disclose material cybersecurity incidents within four days via Form 8-K has increased the pressure for faster, more transparent responses to breaches.
As organizations strive to meet these new regulatory demands, Generative AI and Large Language Models (LLMs) are becoming pivotal in addressing cybersecurity challenges. AI will increasingly be used to simulate cyber incidents, identify vulnerabilities, and provide automated incident response guidance, all of which enhance the speed and accuracy of threat mitigation. These innovations are essential in a landscape where faster responses are crucial due to heightened regulatory oversight.
The SEC's regulations have introduced significant challenges for CISOs, particularly in determining the materiality of cyber incidents and ensuring accurate disclosures. Transparency is critical, but this also heightens the risk of legal scrutiny. CISOs now face the possibility of personal liability if privacy violations or cybersecurity failures occur under their watch, underscoring the need for meticulous documentation and robust internal controls. The recent breaches at Uber and SolarWinds are stark reminders of the personal and financial consequences CISOs can face if things go wrong.
The global cyber insurance market is expected to reach $20 billion by 2025. The rise in regulatory pressure is driving organizations to rethink their approach to cyber insurance. With incidents needing to be disclosed more rapidly and accurately, CISOs must ensure that their security practices align with the terms of their insurance policies. This alignment can prevent coverage denials and ensure organizations are financially protected against emerging threats.
One of the most exciting advancements is the ability of Generative AI to simulate sophisticated social engineering attacks, improving insurers' capacity to assess and price risks associated with human vulnerabilities. These simulations can also enhance employee training, raising awareness about common tactics used in phishing and other social engineering schemes. Furthermore, the use of synthetic data to model cyber risks will address the current shortage of historical data, allowing insurers to create more accurate risk models and make better underwriting decisions.
Reshma Budhwani, chief technology security officer, New York Life
In 2025, establishing trust and authenticity for both individuals and digital identities will be increasingly challenging due to advanced AI generating convincing fake audio and video, alongside sophisticated social engineering tactics. This will complicate the detection of deepfakes and the prevention of impersonation and fraud, necessitating organizations to invest in continuous, context-aware identity and transaction validation systems.
In addition, with the rise in frequency and complexity of cyber threats, cyber insurers will likely reassess coverage terms, compelling organizations seeking cyber insurance to adopt resilient practices. These practices might include developing sophisticated incident response plans, investing in advanced cybersecurity technologies, and conducting regular security audits to mitigate risks and ensure compliance with evolving standards.
Furthermore, due to ongoing geopolitical activities, the impact of supply chain disruptions will persist. Companies will need to enhance their supply chain resilience by diversifying suppliers and leveraging technology for better supply chain visibility and risk assessment.
Ben Duffy, vice president, head of North America, KYND
As we look toward 2025, the rise in zero-day vulnerabilities will continue to pose significant exposure risks for cyber insurers, particularly in industries heavily reliant on common software and technology platforms. The increasing frequency and sophistication of these threats underscore the urgent need for real-time data and advanced modeling to accurately assess and manage risk accumulation. Now more than ever, underwriters must evolve their cyber risk management strategy while fostering strong, adaptive collaboration with reinsurers and the insurance-linked securities markets to effectively mitigate potential losses and safeguard their portfolios.
Todd Greenbaum, CEO of Input 1
For too long, cybersecurity has been viewed as a necessary expense. But innovative carriers are rethinking the narrative, turning cybersecurity investments into customer-focused growth opportunities. Real-time threat detection systems are evolving to not only protect customer data but proactively identify and mitigate risks like fraud or identity theft.
Meanwhile blockchain technology is moving from theory to practice, enabling instant claims validation and creating new servicing models that enhance trust. The result? A shift from reactive protection to proactive customer engagement, unlocking fresh revenue streams through premium digital services that meet the demands of a connected world.
Jack Kudale, CEO of Cowbell
Cybersecurity practices are likely to continue emphasizing prevention. The focus is shifting from reactive measures after an attack, including response and recovery, to proactive measures to prevent incidents before they occur.
Cyber insurance players will follow this trend by also focusing on helping to support businesses with insight and education that enables the implementation of better prevention, rather than relying on a responsive approach.
Good practice: Brokers should ask their cyber insurance partners what they offer in terms of cyber risk assessment and mitigation tools. These resources can help their clients strengthen cyber resilience and remain focused on proactive cybersecurity measures.
The exponential growth of AI will inevitably lead to the potential for more AI-generated attacks, with actors currently developing AI tools built for hacking. As AI engines continue to develop, threat actors will become more sophisticated and capable of more complex attacks.
Added to this, the sophistication of the technology's use in AI-based deception is likely to grow. We have already seen stories hit mainstream news, where senior decision-makers have been duped into transferring funds through fabricated representations of video conference call participants. As digitally produced visual representations are constantly improving, businesses need to be more vigilant as deepfakes are becoming harder to spot.
Good practice: Brokers should help their clients understand the shift in sophistication of cyberattacks, and recommend mitigation measures such as cybersecurity awareness training for employees.
Quantum computing is likely to continue to be a significant and topical issue for 2025. However, in cybersecurity, advances in this technology could see us in a situation where current encryption methods are rendered obsolete. At the tipping point when this happens, we will see a rush to develop quantum encryption services.
Good practice: Quantum computing technology may be inaccessible for most small and medium-sized businesses. However, these organizations can still enhance data security by adding layers to their existing security practices.
The current geo-political landscape is unstable and features a growing number of overt and covert conflicts. These conflicts are also training grounds for new cyber tools, malware, etc. These emerging tools could be used by other actors against other targets, leading to an influx of new cyber threats.
Coleman Johnson, SVP, chief underwriting officer at The Mutual Group
Cybersecurity and protection for incidents will remain a growing concern for companies of all sizes. Cyber insurance rates are coming down for most companies as the market has stabilized a bit.
Underwriters remain diligent in requiring quality controls such as MFA, EDR, and employee training on issues like social engineering. Regulatory scrutiny is ramping up on how companies protect data and their use of AI and biometric data.
As more companies realize the full impact a cyber incident can have on their reputation and business continuity, they won't just want insurance, they'll want a company with top-tier incident response to quickly resolve the issue, get their business back up and running, and minimize any collateral fallout.
John Roberts, general manager, security, Coalition
MSPs and cyber-insureds will start to feel the impact of relaxed underwriting practices during the soft market. Some cyber insurance providers have relaxed their underwriting rules in the soft market to help bolster their GWP. While it may have positive returns in the short term, insurers who look past a lack of controls avoid important conversations with companies and their MSPs that raise cybersecurity standards. This will lead to more costly incidents because more lax underwriting leads to more lax security practices from their customers.
In 2025, the cyber insurance industry will need to focus on helping businesses get back to cyber basics, including enforcing MFA, instituting email protections, and more.
Tim Francis, enterprise cyber lead at Travelers
It's difficult to predict what might be coming in the future, especially in the always-evolving world of cyberattacks. Criminals are constantly looking for ways to infiltrate a company's computer network, access sensitive data and then monetize those actions. As a cyber insurance carrier, it's our job to be aware of these different methods, especially new ones, and help our customers position themselves for success by reducing their chances of becoming a victim of cybercrime.
Ransomware has been and will continue to be a serious threat to businesses. Recently, more cyber criminals are engaging in double extortion, where they not only encrypt a company's computer system to make it inoperable, but they steal sensitive data and threaten to publicize it, demanding money from the victimized company to make both problems go away.
No matter what the cybersecurity risks are – ransomware, data breach, business email compromise, phishing, smishing, even deep fakes – companies would be wise to work with specialists who can help address any network vulnerabilities. Taking smart, necessary steps will allow any business to be as prepared as possible in the fight against new and existing cyber threats.
Eric Boateng, CISO and head of enterprise cybersecurity, MassMutual
In 2025, we will see pure risk management practices baked into cybersecurity programs to ensure alignment of cyber risk mitigation strategies with business goals, and to protect the organization and its customers from current and external cybersecurity threats.
The convergence of risk management will also allow CISOs to communicate effectively with board members on their company's cyber risk management strategy, while also explaining how this strategy is enabling the business to achieve its objectives.
Just as importantly, cyber risk management will also enable cyber leaders to proactively identify, measure, manage, monitor and report cyber risk on an ongoing basis. A data-driven cyber risk management program will be a next-generation approach for strengthening the control environment and staying competitive and cyber resilient in the new year.
Todd Lukens, chief technology and information security officer, Nationwide
With the rapid advancements in AI, threat actors are now able to expedite their tactics, techniques, and procedures, such as developing new code to exploit vulnerabilities.
This evolution in AI technology is also leading to more sophisticated social engineering, deepfakes, digital fraud, and identity compromise, posing significant challenges to cybersecurity.
Rohit Makhijani, principal analyst, Forrester
As cyber threats grow in a highly digitalized and connected world, the insurance industry will sharpen its focus on them. Insurers are likely to expand their offerings to include more nuanced, customized cybersecurity policies, tailored to specific risk profiles and industry sectors.
Insurers will also implement advanced cyber risk assessment tools powered by AI.
Mandeep Gosal, VP global professional services, Beazley Security
Identity security is set to play an even more pivotal role in 2025, driven by the proliferation of "reverse identity theft" and exposure of concealed privilege pathways. While Zero Trust principles, centred on identity verification and 'never trust, always verify', have been established for decades, they remain challenging for enterprises to adopt and implement. This is largely due to their complexity and the significant investment required in both technology and training.
Threat actors will continue to exploit obscure identity pathways that grant privileged access. Cybercriminals are set to shift their focus from endpoints, where visibility has improved, to less monitored areas including network appliances like VPNs and firewalls. Here, visibility is scant, making them prime targets for attack. The exploitation of newly discovered security flaws, known as zero-day vulnerabilities, in these systems is expected to rise sharply, as evidenced by incidents reported by Mandiant in 2023. Additionally, attackers are likely to weaponize known vulnerabilities, referred to as n-days, with greater speed, exploiting these known issues before organizations can patch them.
Increasingly, attackers are combining stolen data and credentials with additional personal information to craft false digital identities. It is vital for organisations to identify the blind spots in their IT environments through understanding their assets, risk posture and potential threats to remove opportunities for malicious actors to cause serious disruption. Businesses that implement pre-emptive, responsive, and adaptive solutions to cyber risk strategies – enhanced through continuous staff training, robust hygiene practices and a re-evaluation of Zero Trust models – can confidently pursue their strategies without being hindered by unmanaged risks.
Brandon Welch, director of cyber services, Western Region, Beazley Security
As widespread adoption of AI continues to grow in 2025, we can expect to see an increase in privacy and security incidents that are attributable to misconfigured and misunderstood systems.
In a sprint to use AI systems and gain an edge over competitors, organizations will unintentionally open themselves to security incidents and create privacy incidents. Several factors will contribute to these events, including misconfiguration of AI systems and misunderstanding of their actual impact and sensitivity. In addition, we will increasingly see general issues stemming from AI Exceptionalism, such as overestimating AI's capabilities and failure to fully accept or address its limitations.
To combat these issues, organizations must take steps to understand what constitutes an AI problem and, if it is determined that they have one, what level of due diligence and human interaction is required to address the issue. Additionally, organizations should have an AI-focused incident response plan in place that clearly delineates the steps to take when an AI system creates unintended security or privacy issues.
Bob Wice, head of underwriting management, cyber & tech, Beazley
High profile outages arising from a faulty update from CrowdStrike and a ransomware attack on Change Healthcare were a stark reminder in 2024 that a single point of failure can cripple organizations and cause major economic damage, whether the outages are malicious or unintentional. But some of the biggest risks that businesses face in the coming year may well come from within their own organizations if they are not alert to the dangers of tech obsolescence.
While new technologies and capabilities are introduced every day, many companies are still using legacy systems, simply because they still work and replacing them can be costly. But this lack of basic risk management around tech obsolescence is causing more and more problems for companies. Beazley's Risk & Resilience research revealed that 27% of business leaders are concerned about tech obsolescence risk in the face of new technologies (such as AI) and that number is expected to rise in 2025.
Pressure to address risks inherent in legacy systems will also come from external sources. We expect increased regulatory scrutiny concerning end-of-life and end-of-support software and devices including the Office of Civil Rights in the healthcare sector.
Innovation is moving at a rapid pace, and with innovation comes risk. Businesses must develop a plan to protect themselves against these evolving challenges.
Abhishek Madhok, EY Americas insurance cybersecurity leader
A key focus for cyber risk management in the year ahead is managing ecosystem risks. As organizations increasingly rely on technology and critical business services ecosystems, they face challenges due to the lack of visibility into third-party security infrastructure and data flows. Threat actors are exploiting these vulnerabilities and targeting the interconnected network of businesses, including partners, suppliers and customers. To be cyber ready in this environment requires comprehensive planning around recovery and response in the event that one entity is compromised.
Questions that organizations should consider include:
- What is the business risk?
- How do you build resiliency and security around it?
- What is your strategy to protect your business and customers while managing the process with transparency?
Fraud-related losses also continue to grow in the insurance industry. With increased digitization, online fraud conducted through account takeovers and synthetic identities has led to multi-million-dollar losses. While emerging technologies such as AI can facilitate attacks by threat actors, they also present an opportunity to improve the speed and scale of defense. Historically, the insurance sector has been slow to modernize. But we're now seeing a move to embrace new technologies. By capitalizing on technological advancements and melding their technology and cyber investments, insurance organizations can significantly strengthen their cyber risk posture.