The Role of Cybersecurity in the Insurance Industry w/ Matthew Geyman


We had the opportunity to speak with Matthew Geyman, Managing Director at Intersys, about the evolving cyber threat landscape and the challenges facing the insurance industry.

Could you provide an overview of the cyber threat landscape for insurance companies? What types of attacks are most prevalent, what makes insurers particularly attractive targets, and are there any emerging trends?

Two key aspects make insurers prime targets: frequency and severity. Some attacks occur frequently but have varying degrees of impact, while others are less common but can be catastrophic – especially when they attract media attention.

One emerging threat is AI-driven impersonation. A recent case in Hong Kong saw a finance employee tricked into authorising a US$25 million payment via an AI-generated video call. This demonstrates how cybercrime is evolving beyond financial losses to reputational damage. Many companies affected by such breaches prefer to remain unnamed to avoid fallout. In contrast, incidents like the CNA Financial ransomware attack, which cost around US$40 million, become cautionary tales that erode trust across the industry.

Data from the Operational Risk Consortium (ORIC) underscores these risks, ranking cyber threats as the first most significant emerging risk for medium insurers (£1-£5Bn GWP).

Data from the Operational Risk Consortium (ORIC) underscores these risks, ranking cyber threats as the third most significant emerging risk for medium-to-large insurers. Hacktivism is also on the rise, with attackers targeting insurers for ideological or political reasons rather than financial gain. The recent fibre optic cable attacks exemplify this trend, demonstrating the increasing prevalence of hybrid cyber-physical threats.

Another growing concern is third-party risk. Insurance companies rely heavily on a network of vendors, and attackers are increasingly exploiting weaknesses in supply chains. If a key supplier lacks strong cybersecurity measures, insurers become vulnerable by extension. Ransomware groups, in particular, are adept at identifying and exploiting these weak links.

Even unsuccessful attacks can be damaging. Social engineering remains one of the most persistent threats, as human error is often the weakest link. AI-enhanced phishing, business email compromise (BEC), and sophisticated impersonation scams continue to improve, making employee awareness and training more critical than ever. Cybersecurity isn’t just about technology – it’s about fostering a culture of vigilance and preparedness.

Figure: Data from ORIC highlights the severity of cyber risk in the insurance sector. Malicious and accidental data breaches represent the most significant losses, with 39% of malicious data breach incidents and 35% of accidental breaches occurring within the insurance industry – making it the most affected sector.

Do you see AI social engineering attacks evolving as both a tool for attackers and defenders?

AI is transforming both offensive and defensive cybersecurity strategies. On the defensive side, AI excels at pattern recognition and anomaly detection, helping organisations identify unusual activity and potential threats. However, for AI to be truly effective, organisations need robust cybersecurity foundations – comprehensive logging, data analysis capabilities, and a layered defence strategy. When these elements are in place, AI-driven tools can enhance security monitoring and incident response significantly.

Conversely, AI is also amplifying cyber threats. Attackers are using AI to automate reconnaissance, refine phishing campaigns, and enhance social engineering techniques. The increasing involvement of nation-state actors further complicates this landscape. These groups often have access to zero-day exploits and advanced capabilities, making them formidable adversaries. Their objectives extend beyond financial gain to reputational and strategic damage. Given the critical role insurers play in managing risk, they must stay ahead of both technological advancements and geopolitical developments that influence cybersecurity threats.

What are the key compliance challenges insurers face? With firms facing penalties following breaches, how is the regulatory landscape evolving, and how are insurers adapting?

Regulation is struggling to keep pace with the rapid evolution of cyber threats. While some argue that gradual regulatory change is beneficial, the reality is that the financial and reputational consequences of a breach often far outweigh regulatory fines. Boards and governance structures must recognize cybersecurity as a critical risk, independent of compliance mandates.

Although some firms have faced penalties for failing to meet compliance standards, these fines are often secondary to the broader damage inflicted by a cyber incident. Effective security should be driven by organisational culture, not just regulatory requirements. If a company prioritises profitability over security, no amount of regulation will be sufficient to mitigate risk.

We also see geopolitical factors influencing regulatory approaches. In the U.S., for example, regulations tend to favour the protection of large tech firms, whereas European and UK frameworks aim to balance security with commercial growth. This divide adds another layer of complexity for insurers operating across multiple jurisdictions.

Are insurers adequately managing their cyber risk, or do significant gaps remain?

There are certainly gaps. While some insurers have strong cybersecurity frameworks, many still have work to do. One major challenge is the reliance on legacy systems. Many insurers continue to use outdated mainframes for policy and claims management. While these systems benefit from a degree of “security through obscurity,” they become significant risks during digital transformation. Moving from legacy infrastructure to cloud-based solutions introduces vulnerabilities that require careful security assessments and strategic planning.

Cyber risk management cannot be an afterthought in digital transformation initiatives. Insurers must ensure they are not expanding their attack surface without implementing the necessary safeguards.

Looking ahead to 2025 and beyond, what new or evolving cyber threats do you foresee? What steps should insurers take to prepare?

One of the most pressing concerns is the rapid advancement of AI-driven impersonation attacks. Traditionally, business email compromise (BEC) scams were detectable through grammar inconsistencies or awkward phrasing. AI is eliminating these red flags, making phishing and impersonation attempts far more convincing. AI-generated deepfake voice and video content are also evolving at an alarming pace.

Currently, there are still ways to detect AI-generated content, such as inconsistencies in facial movements or hand gestures during video calls. However, these detection methods will soon become obsolete as AI improves. Within the next year, deepfake technology will likely be indistinguishable from reality, posing significant risks for fraud and deception.

Another concern is the increasing randomness of attacks. While some cyberattacks are highly targeted, many remain opportunistic. Cybercriminals, much like marketers, rely on reaching the right individual at the right time with the right message. AI will only enhance this capability, enabling cybercriminals to craft highly personalised and effective social engineering campaigns.

For insurers, the key defence is not just technology but culture. Strong security measures must be reinforced with comprehensive training and awareness programs. The industry must remain proactive, ensuring that employees, executives, and stakeholders are prepared to recognize and respond to increasingly sophisticated threats.

ORIC’s member firm network includes over 40 leading (re)insurers and investment firms, collectively managing over £300bn in gross written premiums and £5bn+ in assets across 65 countries.
