Spy chiefs say AI cyberattacks are months away - and the US market is flying blind on pricing

The Five Eyes alliance just issued its most urgent warning yet. For American underwriters and brokers, the timing is uncomfortable

The heads of the NSA, CISA, and their counterparts across the UK, Australia, Canada and New Zealand signed off on a joint statement this week that cuts through the usual intelligence-community hedging. Frontier AI models, they said, will "fundamentally transform both offensive and defensive cyber capabilities." The timeline? "Not years, it is months." 

Everyone pricing and placing cyber risk in the US right now should read that twice. 

The US cyber market is underwriting as if the threat environment is broadly stable. It isn't. Average premiums are expected to fall a further 11% in 2026 according to SentinelOne, even as Aon recorded a 38% jump in cyber and technology E&O incidents last year and the average global ransomware claim hit approximately $713,000. The FBI's 2025 Internet Crime Complaint Center report logged a 37% rise in AI-assisted business email compromise incidents involving cloned executive voices. The market is getting cheaper as attacks get smarter. 

The Five Eyes statement - co-signed by the NSA's David Imbordino and CISA's Nick Andersen alongside their allied counterparts - frames this as a leadership failure as much as a technical one. "Cyber risk can no longer be treated as a purely technical issue," it reads. "This is a core business risk and leadership responsibility." For boards that have been happy to let IT handle it, that's a direct challenge. 

The Anthropic dimension adds urgency. The warning came a week after the US government restricted foreign access to Anthropic's most advanced AI models over national security concerns. US Treasury Secretary Scott Bessent had already convened the CEOs of major US banks - Bank of America, Citigroup, Goldman Sachs, Morgan Stanley and Wells Fargo - to discuss AI-driven cyber risks earlier this year. When Treasury is calling bank CEOs into a room about an AI model, the insurance market should be paying attention. 

The claims picture is quietly getting worse. Coverage gaps are widening as policy language struggles to keep pace with attack sophistication. More than 40% of cyber claims are currently being denied - primarily due to missing controls and notification failures rather than exclusion clauses, according to SentinelOne. Cheaper premiums are not translating into reliable protection.

Christopher Keegan at Brown & Brown said recently that "the level of sophistication is already there and only growing," and that once a threat actor gains access to an identity, "AI is extremely effective at moving that identity laterally across systems to reach the crown jewels." Jeffrey Gonlin, chief underwriter at Emergence Insurance, put the broader shift more plainly: "It might be that AI just makes everybody a super cyber criminal, and that turbocharges everything." 

Caspar Rogers, Senior Broker at Assured, warns insurers may revisit language akin to Chubb's previous Widespread Vulnerability Exclusion to limit aggregated exposure from mass incidents. Tim Johnson, Partner and Head of Insurance at law firm Browne Jacobson, adds a subtler concern: many cyber policies define a hacker as a person - meaning some wordings may simply not pick up an AI attacker, with unintended consequences either way.

On coverage, Ed Ventham of Assured has a direct message for any broker whose clients are wondering whether their policy responds to AI-driven attacks: "As it stands, we have not seen any exclusions brought in for AI - however we would encourage businesses to be asking for AI to be affirmatively covered within their policy to avoid any potential knee-jerk changes from a potential upcoming and heightened risk landscape." 

Johnson also points to a broader problem AI attacks will amplify: clients assuming that having a cyber policy means having cyber cover. "Cyber cover is shorthand for a whole load of different cyber-based coverages," he said. With more attacks and more victims, that gap will become harder to ignore, and harder to defend.

The steps the Five Eyes want to see are familiar: reduce attack surfaces, patch faster, fix legacy systems, tighten access controls, test response plans. What's changed is who is asking - and how little time they say there is left. 
