The heads of national cyber security agencies across the Five Eyes nations – Australia, Canada, New Zealand, the UK, and the US – released a coordinated statement on June 23, 2026, arguing that Frontier AI has compressed the window between vulnerability discovery and exploitation to the point where preventive controls alone can no longer serve as the primary basis for assessing whether a cyber risk is acceptable. The weight that underwriters currently place on firewalls, endpoint protection, and access management as indicators of risk quality may need to be recalibrated against a more fundamental question: how quickly can an organisation detect, contain, and recover from a breach that has already occurred?
Catriona Robinson, deputy director general cyber security and head of New Zealand’s National Cyber Security Centre (NCSC), was among the signatories. She described the current environment as one that has shifted faster than most organisations have adapted. “AI is not a future consideration – it is already here. It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly. At the same time, AI offers powerful tools to strengthen defence,” Robinson said. The agencies stated that the timeline for Frontier AI models to surpass current offensive cyber capability benchmarks is measured in months, not years.
The practical consequence of the Five Eyes position for insurance professionals is a shift in the central question of cyber risk assessment. If breaches are anticipated events rather than low-probability scenarios, then detection speed, containment capability, and recovery time carry greater weight as risk indicators than perimeter security measures alone. Robinson was explicit about where responsibility sits. “Breaches will occur but preparedness helps you contain them quickly and prevent escalation into major operational and financial crises,” she said.
The agencies called for a whole-of-organisation response, arguing that boards and executives must be confident that controls will perform under real incident conditions – not merely that those controls exist on paper. Incident response plans, pre-tested recovery procedures, and internal escalation structures become, under this framework, material factors in assessing the likely severity of a claim rather than optional indicators of good practice. The agencies also noted that cyber resilience is integral to business continuity, market confidence, and long-term value – connecting security posture directly to the financial and reputational consequences that activate coverage and drive claims costs.
New Zealand’s own incident data provides immediate local context for the Five Eyes warning. The NCSC’s Q3 2025 quarterly report, published on December 18, 2025, recorded $12.4 million in direct financial losses – a 118% increase from $5.7 million the previous quarter, driven by a concentration of high-value business email compromise incidents. NCSC chief operating officer Mike Jagusch described the mechanism behind the losses. “This quarter, we have received a number of reports of significant financial losses resulting from business email compromises. This is where a bad actor gains access to email accounts and then sends fake invoices or changes payment details to redirect payments to their bank account,” he said.
The same quarter saw 110 incidents escalated for specialist technical review due to potential national significance – a 96% rise from 56 in Q2 2025. Scams and fraud led incident volumes at 446 reports, with phishing and credential harvesting second at 355. Malware-related incidents also rose during the period, with malware-as-a-service platforms lowering the barrier to entry for criminals who lack advanced technical skills, contributing to what Jagusch described as a rapidly evolving threat landscape. Simultaneous deterioration across frequency and severity categories – business email compromise driving outsized financial losses while incident volumes rise across malware, phishing, and fraud – is the condition most likely to stress aggregate loss models and put pressure on portfolio-level reserving assumptions. The Q3 data suggests that pressure is already building.
Those domestic trends become more acute when set against the specific risk categories the Five Eyes statement identified – each of which maps onto areas of active concern for underwriters assessing cyber submissions. Legacy infrastructure was described not as a technical inconvenience but as a “strategic liability.” For underwriters, an organisation running unsupported systems represents a known, unmitigated exposure – one that AI-assisted attacks are increasingly capable of identifying and exploiting at scale. That characterisation is likely to sharpen scrutiny of legacy system disclosures at renewal.
Patch management timelines were flagged as a growing area of concern. The agencies noted that AI is shortening the interval between vulnerability disclosure and active exploitation, which reduces the window in which a delayed patch cycle remains within acceptable risk tolerance. This has particular relevance for organisations in sectors such as manufacturing, energy, and critical infrastructure, where operational technology environments often carry long update cycles by design. The Five Eyes statement specifically names operational systems with long update cycles as a risk category – a signal that raises questions about whether standard policy conditions, largely developed for IT environments, adequately address that exposure.
Identity and access controls were identified as a priority, with the agencies recommending regular audits of permissions and strong authentication enforcement across critical systems. These requirements are already common policy prerequisites, but the statement points toward a higher bar for what constitutes adequate implementation. Robinson outlined the actions she urged leaders to take: understanding and assessing risk readiness and accountability; prioritising foundational cyber security practices and controls; empowering cyber leaders with authority and resources; and staying actively engaged as threats and guidance evolve.
The trajectory of NCSC guidance is a development insurance professionals should track directly, given its potential to define what constitutes a reasonable standard of care for organisations managing cyber risk in New Zealand. As the NCSC develops and publishes advice for businesses and government – a stated component of its current AI work programme – that guidance creates a documented baseline against which an organisation’s security posture at the time of a loss could be measured by courts or regulators assessing whether a policyholder’s controls were adequate.
Robinson confirmed the NCSC is running a dedicated programme to address the implications of Frontier AI, including direct engagement with AI model providers and collaboration with industry vendors testing frontier models. “The NCSC is accessing Frontier AI models and is working with providers to understand and inform our response to cyber security risks and provide advice and guidance to New Zealand organisations,” she said.
The programme also includes integration of cyber security requirements into the government’s digital investment and procurement processes from concept through to implementation. As that guidance matures and becomes more widely referenced, the gap between what the NCSC recommends and what a policyholder has actually implemented may become a more prominent feature of claims disputes and coverage assessments – with direct consequences for how insurers investigate losses and assess policyholder conduct after an incident.
For insurers, the gap between prepared and unprepared policyholders is the one to watch – and the Five Eyes agencies were direct about how that gap will develop: those that integrate cyber security into core business strategy will reduce exposure and strengthen resilience, while those that delay will face risk that is both growing and avoidable. As NCSC guidance establishes a more defined standard of care, as patch management and legacy system risks become more acute, and as breach response capability supplants prevention as the primary resilience metric, the distribution of risk within a cyber portfolio is likely to widen. The organisations that have invested in detection, response, and recovery will present a materially different risk profile from those that have not – and for insurers, that divergence has direct implications for how cyber portfolios are constructed, how renewal conversations are framed, and whether current pricing adequately reflects the trajectory of risk in New Zealand.