Beyond compliance: building true cyber resilience in the insurance sector

The insurance industry occupies a unique position in the cyber security landscape. With access to sensitive policyholder data, responsibility for high-value claims and tight regulatory timelines, insurers face immense pressure to restore operations quickly following an attack.

Navigating cyber threats and operational risk 

First-line insurers, those directly underwriting policies, are especially vulnerable. Operational downtime does not just mean lost revenue; it can trigger regulatory penalties, reputational damage and a cascade of claims from affected policyholders. Perhaps counterintuitively, this vulnerability is not alleviated but often compounded by the sector's heavily regulated nature. Insurance companies must navigate complex, sometimes contradictory, compliance frameworks whilst simultaneously defending against increasingly sophisticated cyber threats. The challenge is not simply meeting regulatory requirements; it is building genuine resilience that protects both business operations and customer trust. 

Like in many other sectors, resilience has become the cornerstone of effective cyber security strategies for insurers. Reducing bounce-back times and minimising operational downtime in the wake of an incident are imperative. Of course, this requires robust crisis management protocols and comprehensive supply chain oversight that many organisations lack, which increases the risk when an incident inevitably occurs.

The third-party risk challenge 

Perhaps the most significant evolution in insurance sector cyber security is the recognition that an organisation's security perimeter extends far beyond its own infrastructure. Supply chains in the sector tend to be almost entirely digital, hugely interconnected and interdependent, involving third, fourth and nth parties, each representing potential vulnerability. 

“True cyber resilience for insurers means not just mitigating risk internally but also looking outward at the supply chain. To weather cyber incidents effectively, companies must choose suppliers whose cyber maturity aligns with their risk appetite and partner with those suppliers to create a risk-based resilience strategy.”

Dieter Künzli, Executive Director, Forvis Mazars, Switzerland

However, a one-time evaluation of suppliers is insufficient risk management. Fast-growing technology suppliers, for example, often expand through aggressive acquisition strategies, rapidly integrating newly purchased companies without fully harmonising cyber security standards. When these integrated products contain vulnerabilities, they expose every client organisation that depends on them – insurers included. A supplier may have passed initial procurement checks with ease, but without ongoing third-party risk management the insurer inherits unnecessary risks.

“Third-party risk management is core to operational resilience because a growing share of attacks now come through the supply chain. As insurers rely on many digital tools, the landscape becomes more complex very quickly, especially when vendors expand through acquisitions and integrate products that may already be vulnerable.”

Ioannis Asaridis, Lead of Cyber Services, Forvis Mazars, Switzerland

Larger insurers are beginning to address this through more rigorous vendor assessments and contractual requirements, but crisis management remains a vulnerability across much of the sector. Too often, organisations wait until an incident occurs before developing a comprehensive response plan, by which point it is far too late. 

This same principle is also increasingly showing up in mergers and acquisitions in the insurance sector. The cost of integrating two organisations with disparate cyber security maturities and postures can be substantial, not only in terms of technical remediation but also in regulatory compliance and potential exposure to inherited vulnerabilities. Forward-thinking firms are now conducting thorough cyber assessments before completing transactions, making cyber maturity a key factor in transaction values, but this practice is far from universal. The result is a widening gap between market leaders who treat cyber security as a strategic priority and laggards who view it primarily as a compliance checkbox.  

Regulation drives cyber activity but not necessarily cyber maturity 

In 2026, regulation is often the primary driver for cyber investment, and that is no less true for the heavily regulated insurance sector. Beyond the increasing appearance of cyber security specific legislation and directives, in jurisdictions like Switzerland financial regulations impose stringent requirements on both insurers and banks, with smaller firms increasingly held to the same standards as their larger counterparts. This regulatory pressure drives activity: cyber security appears more frequently on board agendas and compliance programmes are expanding.

However, regulation establishes minimum standards rather than best practice. Many organisations struggle to move beyond compliance-driven approaches towards genuine risk-based security strategies. Part of this challenge stems from the difficulty of quantifying the value of cyber security programmes in the absence of a major incident. Without a clear baseline or concrete ROI metrics, securing appropriate funding remains an uphill battle. 

Still, achieving compliance does not automatically translate to understanding and managing actual threats. The former may reduce compliance risk, but it is the latter that will create true resilience. 

AI presents both opportunity and threat for insurer cyber security 

Meanwhile, emerging technologies like AI present both opportunities and challenges. AI increasingly supports business operations for insurers, such as data analysis and claims management, but requires robust governance frameworks that compliance-led cyber security does not necessarily address. In particular, given the protected data insurers handle, AI integration should be approached with cyber security at the forefront. With 47% of executives expecting AI to deliver the strongest return on investment (ROI) in 2026 and nearly the same proportion identifying cyber security as a top ROI driver, these two priorities can no longer be treated separately. A dual approach that simultaneously scales AI systems and strengthens cyber security practices will be essential for accelerating digital transformation.

In addition, workforce awareness becomes especially critical as AI adoption expands, as it is no secret that employees are often the biggest cyber vulnerability. When AI is introduced, employee input and interaction become another possible vulnerability for adopting organisations.

“Just like how workforces are educated about phishing emails, they must be educated about AI. The difference is that the education must be unique to each organisation so end users understand what data they can input, how to validate AI outputs and other use case-specific points.”

Diman Kamp, Director, Forvis Mazars, Netherlands

Of course, cyber teams themselves can also leverage AI, particularly in use cases like security operations centres, but larger firms currently demonstrate greater maturity in implementing appropriate controls on these technologies. 

In 2026, insurers must prioritise business continuity through cyber resilience 

As 2026 progresses, the insurance sector faces a critical inflection point. Operational resilience – the ability to detect attacks quickly, respond effectively and recover rapidly – must become a core capability. This requires cyber security investment, not just in technology but in people, processes and crisis management capabilities that span complex supply chains. 

The widening gap between cyber security leaders and those left behind will likely have commercial implications, as customers, regulators and partners increasingly demand evidence of robust security practices. The path forward requires insurers to move beyond checkbox compliance towards genuinely risk-based cyber security that acknowledges the interconnected nature of modern insurance operations. 

For an industry built on managing risk, the message is clear: it is time to apply that same rigour to creating true cyber resilience.

Frequently asked questions 

What makes insurers especially vulnerable to cyber attacks? 

Insurers hold sensitive data, process high-value claims and depend on tightly regulated operations, making them attractive targets for cyber criminals seeking maximum leverage.

Why is ongoing third-party risk management essential in insurance?

Digital supply chains involve many interconnected vendors; without continuous monitoring, insurers can inherit new vulnerabilities long after initial procurement checks.

How are insurers using AI in cyber security? 

Insurers increasingly use AI to enhance threat detection and security operations, but adoption requires strong governance to prevent new risks.
