The 2025 Protiviti and NC State University Executive Risk Survey confirms what many insurance leaders already suspect: cybersecurity is no longer an isolated operational risk. It has become a defining strategic issue for insurers – affecting capital allocation, customer trust, regulatory compliance, and digital transformation.
Why this risk matters now
Cybercriminal tactics are becoming more sophisticated. Insurers are increasingly vulnerable due to:
- Expanding digital ecosystems
- Greater reliance on third-party tech platforms
- Accelerated adoption of AI and automation tools
These exposures come as regulatory scrutiny intensifies. In the UK, the FCA and PRA are placing greater focus on operational resilience, incident response times, and executive accountability. For insurers, the risk is not only disruption but erosion of trust and increased supervisory attention.
What this means for boards
Boards must now oversee cyber resilience with the same seriousness they apply to solvency or pricing strategy. Key implications include:
- Elevating cyber risk in board reporting frameworks
- Including cyber stress scenarios in capital and business continuity planning
- Ensuring the organisation’s leadership can articulate how a ransomware event would affect customer-facing services
Cybersecurity needs to be embedded into board governance and not left to a technical subcommittee.
Strategic choices for insurers
Insurers face difficult but necessary decisions:
- How fast to digitise in a high-risk environment
- Where to invest limited capital: on efficiency or defence
- How to manage third-party risk without stifling innovation
Insurers will need to balance speed with scrutiny. Every new tool, API, or AI model should be treated not only as an asset but as a potential risk vector.
Steps executives can take now
Based on insights from the report and real-world practices, insurers should consider:
- Linking cyber resilience to core product strategy: ensure that digital product development includes resilience, not just speed.
- Conducting regular cyber simulations across departments: include non-technical executives in cyber incident drills.
- Embedding cyber KPIs into board-level metrics: examples include response time to breaches, audit remediation closure rates, and vendor risk scores.
- Investing in staff-wide cyber awareness: move beyond compliance training to role-specific threat awareness.
- Reviewing exposure to non-affirmative (silent) cyber: ensure clarity in underwriting and claims processes.
Cybersecurity is not just a technical challenge. It is a test of executive alignment, operational preparedness, and long-term strategy. Insurers that treat it as a central business issue rather than a peripheral IT function will be better positioned to retain trust, meet regulatory expectations, and stay resilient in a digitally volatile world.