The security industry has spent years debating whether AI would fundamentally change the threat landscape or just accelerate what was already happening. That debate is largely settled. Research from Gigamon found that AI is now involved in
For the insurance industry, that gap deserves specific attention. Carriers, brokers, and TPAs don't just hold sensitive data – they hold the most monetizable combination of financial, medical and identity data that exists in any single sector. That makes them a priority target, and the evidence suggests most are not as prepared as they should be.
The value chain is built for attackers
The insurance distribution model creates a structural security problem that most carriers have not fully reckoned with. Broker portals, agency management systems and TPA platforms all require credential-based access across a web of third-party relationships, which can be exploited.
Research published in late 2025 found that
The downstream risk compounds quickly. A compromised broker credential does not just expose one firm. Depending on the access model, it can cascade across every carrier relationship that credential touches.
Deepfakes are creating a new category of loss
The threat to insurers is not limited to external credential attacks. AI-generated voice and video impersonation has introduced a distinct category of operational risk that is now producing real financial losses.
Claims handlers, underwriters, and finance teams are the specific targets because they carry authorization authority. They process payments, adjust claims, and act on verbal or video instructions from counterparties they may have never met in person. One documented pattern involves attackers sending deepfake audio to a carrier's finance team purportedly from a senior executive, authorizing an urgent wire transfer.
Swiss Re in 2025 flagged the
There is tension here that the industry needs to confront directly. Cyber underwriters have spent the last two years significantly raising the evidentiary bar for credential governance. Multi-factor authentication is now effectively mandatory across most policies, but the standard has moved beyond its existence to being consistently enforced and documented. Carriers are denying claims where forensic review finds that attested controls were not properly in place at the time of the incident.
That is a defensible underwriting position. The problem is that many carriers are applying this standard to policyholders while running on the same legacy access architectures they are now penalizing.
Genuine readiness in 2026 requires four things: credential lifecycle controls covering provisioning, rotation, and offboarding; documented third-party access audits across broker and TPA relationships; evidence that controls were verifiably in force rather than merely attested to; and a clear process for access revocation when a partner relationship ends.
The work is internal
The insurance industry has done serious, sophisticated work to understand and price cyber risk for others. The actuarial models are mature. The underwriting requirements are tightening in the right direction. What has not kept pace is the same rigor applied internally.
A global cyber insurance market projected to reach
The insurance carriers that close that gap first will be better positioned on every dimension: operational resilience, claims defensibility and the credibility to underwrite the risk they are asking others to manage.









